Government // Mobile & Wireless
Commentary
12/6/2011
12:15 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Carrier IQ: Just A Little Evil?

Carrier IQ software may collect far less data than first reported, but Pandora's out of the box, and it's time for carriers to disclose all information collection to enterprises and other end users.

Carrier IQ, the besieged phone management software provider, has gone from evil empire to misunderstood provider of helpful apps in less than a week. Security researcher Dan Rosenberg, a highly credible source due to his previously verified work on various open source vulnerabilities, says that all Carrier IQ does (at least on the Samsung Epic 4G Touch) is provide rollup metrics "of interest" to the carrier. End of story, right? Wrong. This is all far from over.

Rosenberg's teardown of the Carrier IQ app has yielded highly structured and specific data, and, given his credentials, I'm thinking that he's right. Specifically, he's identified a set of 12 Carrier IQ software "events" ranging from "phone dialer only" keypresses, to SMS events (message length, phone number, status, but no message content), to Web browser events (URL, but no actual page contents). Many of the events have to do with radio management and things that enterprises and customers would want.

Rosenberg is careful to avoid the mob mentality that sprang up over the initial Carrier IQ findings. He is quick to point out that CarrierIQ (on this particular phone) cannot record any keystrokes other than the dialer.

Still, he does point out that, "CarrierIQ can record the URLs that are being visited (including for HTTPS resources)." In a follow-up conversation, I asked Rosenberg what his findings were. He said, "SSL/HTTPS URLs are definitely being captured. The code responsible for submitting HTTP-related metrics to the CarrierIQ agent resided inside Webkit, the Android browser engine. It's naturally located in code responsible for handling HTTP requests, which is totally blind to whether or not a request is over SSL (the SSL has already been stripped out). So it doesn't care whether a request was HTTP or HTTPS--it will log it regardless." Despite being careful to be non-sensational about this, he says, "This is obviously a legal issue that needs to be explored."

My conclusion: even if Carrier IQ is mostly innocent, it represents a bellwether of things to come.

[ Carrier IQ says it's exempt from wiretap laws, but many lawyers, legislators, and regulators aren't so sure. Learn more: Carrier IQ, Carriers, Manufacturers Hit With Wiretap Lawsuits. ]

In Carrier IQ's case, some sensitive corporate data may be present in "GET" operations via URLs, but as a Doctor Evil, it's just a Mini-Me. "Just a little evil." In all seriousness, however, now that the question of providers collecting sensitive data has sprang up at all, NOW is the time for enterprises to engage in conversations with their carriers about what is acceptable.

We all want good enterprise network management. That's the purpose behind Carrier IQ. And frankly, most of us have made significant investment in network management of OUR enterprise networks. But, just as your enterprise network customers would feel icky about your network operators remote controlling or remote viewing of enterprise desktops without permission and/or transparency surrounding it, carriers must expect that enterprises want transparency and permission surrounding collection of ANY data.

When I wrote my first analysis of the Carrier IQ situation, it wasn't yet known that Apple had CarrierIQ software in early versions of its software. But even after that was made known, there was a BIG DIFFERENCE: a user-controlled off switch.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.
A quick sidebar, based on some comments I got via email and InformationWeek's comment system: I still think that the process model that Apple uses--tight control of its firmware prior to end-user delivery--is a better one. Let the users decide on additional software, not the carrier! And, I think that the "off" switch on the Apple platform was present because of the differing model: Apple has a relationship both with the carriers AND the end user, whereas Carrier IQ only has one with the carriers. Why would it put in a user "off" switch? Right. It wouldn't.

I also still think that carriers loading up a phone with app crap is a bad idea. I judge phones by defect rates and support burden. My shop supports both Apple and Android platforms, and user issues with Android are FAR higher than those with Apple. This lack of massive support burden is my sole affiliation with Apple. I don't own stock or have any financial interest other than spending money on their products.

Regardless, the model of tight control of firmware prior to end user delivery isn't arriving overnight. In the meantime, it's hard to put Pandora back in the box, even if it's only "mini evil."

There is a huge difference between "rootkit" and "management tool." It's a big difference, but a simple one, and is based on the answer to the question, "Did I agree to let you to do this?" Carriers take note: with the U.S. Senate and European regulators having entered the game, the answer had better be "yes."

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at jf@feldman.org or at @_jfeldman.

In today's uncertain and highly scrutinized financial services industry, achieving effective risk management is vital for survival. The report examines the need for enterprise risk management, the benefits of holistic data management, and ERM best practices. Download the report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
ANON1246978719139
50%
50%
ANON1246978719139,
User Rank: Apprentice
12/7/2011 | 5:55:07 AM
re: Carrier IQ: Just A Little Evil?
Is the Carrier IQ software the equivalent of a bot? It has pretty complete access to your smart phone. Can it be commanded remotely? Sure, the data forwarded to Carrier IQ (or your carrier) may be pretty benign today, but can Carrier IQ or your carrier command it to collect and forward different information?

Can law enforcement / national security / political campaign organizations request that Carrier IQ collect additional data from specific individuals?

Can Carrier IQ assure us that no one else can control their software in my phone? Should I be concerned if the Carrier IQ software on my smartphone is being commanded from Russia? Of course, I'm sure Carrier IQ uses the latest security measures, but if RSA can get hacked...
Robert A.
50%
50%
Robert A.,
User Rank: Apprentice
12/7/2011 | 2:18:33 PM
re: Carrier IQ: Just A Little Evil?
Metaphor check: Pandora was never in the box; she is the one who opened it In this case, it would be more appropriate to say that the cat is out of the bag.
japura941
50%
50%
japura941,
User Rank: Apprentice
12/7/2011 | 5:52:53 PM
re: Carrier IQ: Just A Little Evil?
Not only can Carrier IQ be equivalent to a bot, but it can also be the worst of it's kind, a Chameleon app as it had been granted with the highest root privileges on the mobile device.

Because Carrier IQ does not go through Android Market gateway for review, application agreement, etc., Carrier IQ can be updated and pushed without supervision specifically to any of the 150 million users at ANY TIME, ANYWHERE, the mobile device may be.

If Carrier IQ is to function harmlessly, they push version 1.0.0.

But if Carrier IQ is to function as a complete virtual keylogger, then they push version 1.0.1.
or if Carrier IQ is to function as a dedicated real time secret GPS spy tracker, then they push version 1.0.2.
or if Carrier IQ is to function as a dedicated real time secret Audio Recorder, then they push version 1.0.3.
or if Carrier IQ is to function as a dedicated real time secret Video Recorder, then they push version 1.0.4.
or if Carrier IQ is to function as a dedicated real time secret HTTP, HTTPS content stream reader, then they push version 1.0.5.

And when they are done, it is updated instantly and reverts to the harmless version 1.0.0.

So by the time a Security Researcher inspects the code, it appears harmless.

The fact that the Carrier IQ app cannot be uninstalled, cannot be disabled, cannot be stopped like the rest of the hundred thousand other apps, Carrier IQ is inherently designed without good intentions for the 150 million users infected.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.