Carrier IQ: Just A Little Evil?

Carrier IQ, the besieged phone management software provider, has gone from evil empire to misunderstood provider of helpful apps in less than a week. Security researcher Dan Rosenberg, a highly credible source due to his previously verified work on various open source vulnerabilities, says that all Carrier IQ does (at least on the Samsung Epic 4G Touch) is provide rollup metrics "of interest" to the carrier. End of story, right? Wrong. This is all far from over.

Rosenberg's teardown of the Carrier IQ app has yielded highly structured and specific data, and, given his credentials, I'm thinking that he's right. Specifically, he's identified a set of 12 Carrier IQ software "events" ranging from "phone dialer only" keypresses, to SMS events (message length, phone number, status, but no message content), to Web browser events (URL, but no actual page contents). Many of the events have to do with radio management and things that enterprises and customers would want.

Rosenberg is careful to avoid the mob mentality that sprang up over the initial Carrier IQ findings. He is quick to point out that CarrierIQ (on this particular phone) cannot record any keystrokes other than the dialer.

Still, he does point out that, "CarrierIQ can record the URLs that are being visited (including for HTTPS resources)." In a follow-up conversation, I asked Rosenberg what his findings were. He said, "SSL/HTTPS URLs are definitely being captured. The code responsible for submitting HTTP-related metrics to the CarrierIQ agent resided inside Webkit, the Android browser engine. It's naturally located in code responsible for handling HTTP requests, which is totally blind to whether or not a request is over SSL (the SSL has already been stripped out). So it doesn't care whether a request was HTTP or HTTPS--it will log it regardless." Despite being careful to be non-sensational about this, he says, "This is obviously a legal issue that needs to be explored."

My conclusion: even if Carrier IQ is mostly innocent, it represents a bellwether of things to come.

[ Carrier IQ says it's exempt from wiretap laws, but many lawyers, legislators, and regulators aren't so sure. Learn more: Carrier IQ, Carriers, Manufacturers Hit With Wiretap Lawsuits. ]

In Carrier IQ's case, some sensitive corporate data may be present in "GET" operations via URLs, but as a Doctor Evil, it's just a Mini-Me. "Just a little evil." In all seriousness, however, now that the question of providers collecting sensitive data has sprang up at all, NOW is the time for enterprises to engage in conversations with their carriers about what is acceptable.

We all want good enterprise network management. That's the purpose behind Carrier IQ. And frankly, most of us have made significant investment in network management of OUR enterprise networks. But, just as your enterprise network customers would feel icky about your network operators remote controlling or remote viewing of enterprise desktops without permission and/or transparency surrounding it, carriers must expect that enterprises want transparency and permission surrounding collection of ANY data.

When I wrote my first analysis of the Carrier IQ situation, it wasn't yet known that Apple had CarrierIQ software in early versions of its software. But even after that was made known, there was a BIG DIFFERENCE: a user-controlled off switch.

A quick sidebar, based on some comments I got via email and InformationWeek's comment system: I still think that the process model that Apple uses--tight control of its firmware prior to end-user delivery--is a better one. Let the users decide on additional software, not the carrier! And, I think that the "off" switch on the Apple platform was present because of the differing model: Apple has a relationship both with the carriers AND the end user, whereas Carrier IQ only has one with the carriers. Why would it put in a user "off" switch? Right. It wouldn't.

I also still think that carriers loading up a phone with app crap is a bad idea. I judge phones by defect rates and support burden. My shop supports both Apple and Android platforms, and user issues with Android are FAR higher than those with Apple. This lack of massive support burden is my sole affiliation with Apple. I don't own stock or have any financial interest other than spending money on their products.

Regardless, the model of tight control of firmware prior to end user delivery isn't arriving overnight. In the meantime, it's hard to put Pandora back in the box, even if it's only "mini evil."

There is a huge difference between "rootkit" and "management tool." It's a big difference, but a simple one, and is based on the answer to the question, "Did I agree to let you to do this?" Carriers take note: with the U.S. Senate and European regulators having entered the game, the answer had better be "yes."

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at jf@feldman.org or at @_jfeldman.

In today's uncertain and highly scrutinized financial services industry, achieving effective risk management is vital for survival. The report examines the need for enterprise risk management, the benefits of holistic data management, and ERM best practices. Download the report now. (Free registration required.)