Mobile
News
12/6/2011 01:28 PM

Carrier IQ Data Collection Technically Legit, Say Researchers

Independent studies find CIQ's smartphone monitoring software captures only the info it needs for diagnostics work.

Carrier IQ lately has been in the crosshairs of security researchers, privacy advocates, legislators, and regulators over questions of whether its software surreptitiously monitors smartphone users, to the point where it might violate wiretapping laws.

But according to Dan Rosenberg, who's the vulnerability research practice lead at Virtual Security Research (VSR), Carrier IQ's software captures and transmits back to carriers only what is needed to help them diagnose network, application, or hardware failures.

Rosenberg reached that conclusion after reverse-engineering Carrier IQ software running on a Samsung Epic 4G Touch. He received assistance from "k0nane," the security researcher who had discovered Carrier IQ's software running on the Samsung Epic 4G in February.

"I enumerated every Carrier IQ-related hook integrated into the Android framework and examined what metrics can possibly be collected, and just as importantly, in what situations," said Rosenberg in a Monday blog post that Carrier IQ emailed to journalists.

[Some privacy concerns are overblown. See 5 Smartphone Location Tracking Myths, Busted.]

"All of the data that is potentially being collected supports Carrier IQ's claims that its data is used for diagnosing and fixing network, application, and hardware failures," he said. "Claims that keystrokes, SMS bodies, email bodies, and other data of this nature are being collected are erroneous."

In other words, the Carrier IQ software doesn't appear to currently have the capabilities that some have ascribed to it. "Carrier IQ cannot record SMS text bodies, Web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so," he said. In fact, the only keystrokes Carrier IQ can record are those made using the telephone dialer, "in order to determine the destination of a phone call," he said. "I'm not a lawyer, but I would expect cell carriers already have legal access to this information."

Rosenberg also found that the Carrier IQ software, in some cases, can record GPS location data (likely for troubleshooting reception problems) and that it can record "URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data." Security experts, however, have warned that logging full URLs, HTTPS ones included, could mean Carrier IQ inadvertently captures usernames, passwords, session tokens, or other sensitive data wherever developers have embedded such values in a URL's query string or fragment. TLS encrypts the URL on the wire; it does nothing to hide the URL from software hooked into the browser or application framework on the device itself.
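The warning above, that TLS does not hide a URL from software running on the device, is worth making concrete. The following is an added example, not Carrier IQ's code and not part of Rosenberg's analysis: it takes a few constructed URLs, reports which components (userinfo, query string, fragment) embed credentials that any on-device URL logger would see regardless of HTTPS, and redacts each URL down to the scheme, host, port and path that network diagnostics actually need. The list of sensitive parameter names is an assumption for this example.

```python
"""Added example (not Carrier IQ's code, nor part of Rosenberg's analysis):
what a URL-logging hook on the device sees, and a check/redaction step a
developer or logger can apply before a URL is written to any diagnostic log.

The sample URLs below are constructed; SENSITIVE_KEYS is an assumed list."""
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query/fragment parameter names that commonly carry credentials or secrets.
# Assumed list for this example; extend it to match your own applications.
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "token", "access_token", "refresh_token",
    "session", "sessionid", "sid", "api_key", "apikey", "auth", "secret",
    "otp", "ssn",
}


def sensitive_parts(url: str) -> list[str]:
    """Name every URL component that embeds a secret.

    TLS is irrelevant here: a hook in the browser or Android framework sees
    the URL before it is encrypted, so userinfo, query and fragment are all
    visible to an on-device logger even for https:// resources.
    """
    parts = urlsplit(url)
    found: list[str] = []
    if parts.username is not None or parts.password is not None:
        found.append("userinfo")
    for label, component in (("query", parts.query), ("fragment", parts.fragment)):
        for key, _value in parse_qsl(component, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                found.append(f"{label}:{key}")
    return found


def _mask(component: str) -> str:
    """Replace the value of every sensitive key, keeping the other pairs."""
    pairs = parse_qsl(component, keep_blank_values=True)
    return urlencode(
        [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    )


def redact_url(url: str) -> str:
    """Return a URL that is safe to write to a diagnostic log.

    Drops user:password@ from the authority and masks sensitive query and
    fragment values, while keeping scheme, host, port and path, which is
    what network troubleshooting actually needs.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port else host
    return urlunsplit(
        (parts.scheme, netloc, parts.path, _mask(parts.query), _mask(parts.fragment))
    )


def audit(urls: list[str]) -> list[tuple[str, list[str], str]]:
    """For each URL: what the hook would log, what it leaks, and the safe form."""
    return [(u, sensitive_parts(u), redact_url(u)) for u in urls]


# Constructed sample URLs (example.test is a reserved test domain, not a real site).
SAMPLE_URLS = [
    "https://api.example.test/login?user=alice&password=hunter2",
    "https://bob:s3cret@files.example.test:8443/report.pdf",
    "https://app.example.test/oauth/cb#access_token=eyJabc&state=xyz",
    "https://www.example.test/search?q=weather",
]

if __name__ == "__main__":
    for raw, leaks, safe in audit(SAMPLE_URLS):
        status = "LEAKS " + ", ".join(leaks) if leaks else "clean"
        print(f"{status:32} {raw}\n{'':32} -> {safe}")
```

The third sample is the case developers most often miss: an OAuth-style token in the fragment never reaches the server at all, yet any logger sitting on the device sees it just as plainly as a query parameter.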

Finally, the Carrier IQ software collects device-related information (metrics) as specified in a profile that resides on the device and is defined by the carrier. "The list of available metrics is carrier-specific, but will remain constant on a given handset model," he said. "The subset of this data that is actually recorded and collected is at the discretion of the carrier, and is based on the profile installed on the device."

In other words, Carrier IQ appears to be doing what carriers ask it to do, said Rosenberg, who also emphasized that his research had been conducted in a completely neutral manner. "Neither I nor my employer (VSR) has ever had a professional relationship with CarrierIQ, handset manufacturers, or cellular providers," he said.

Meanwhile, Jon Oberheide, CTO of DUO Security, and an independent security researcher with extensive Android experience, told Threatpost that he'd reached similar findings, noting that although Carrier IQ's software could log lots of different types of data, that didn't mean that it was doing so. He likewise disputed that the software was behaving like a rootkit. "It's not trying to hide. If it's a rootkit, it's the least stealthy one ever," he said.

But Oberheide did warn that the Carrier IQ software code base could be an attractive target for attackers, especially because it hooks into so many different parts of the Android operating system. "I wouldn't be surprised if pretty soon people start digging into the code base and start finding vulnerabilities in the software itself," he said.

Although Rosenberg, for his part, found that Carrier IQ's software was technically doing what the company said it was doing, he did criticize the company for failing to be more forthright with consumers. "To satisfy users, it's important that there be increased visibility into what data is actually being collected on these devices," he said. He's also called on Carrier IQ to provide people with a way to opt out of using its software.


Comments
japura941, 12/8/2011 | 8:26:42 PM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
Who will you believe, Carrier IQ and their prepaid Security Researchers? Or Trever Eckhart backed by Google, inventor of the Android Mobile Operating System?

Here's the latest news with a statement straight from Google regarding Carrier IQ:

"It's a key-logger, and it ACTUALLY DOES keep your keystrokes, and we certainly don't work with them and we certainly DON'T SUPPORT it," Eric Schmidt told an Internet freedom conference in the Dutch city of The Hague.
japura941, 12/8/2011 | 8:08:48 PM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
So basically, you're completely in support of Carrier IQ, is that it? And because anyone can hijack the username k0nane in this forum, people should trust you?

Have you heard the latest news? Google, maker of the Android Mobile Operating System upon which the Carrier IQ app is installed, DOES NOT support Carrier IQ and their "keylogging" deception practices:

"It's a key-logger, and it actually DOES keep your keystrokes, and we certainly DON'T work with them and we certainly DON'T support it," Eric Schmidt told an Internet freedom conference in the Dutch city of The Hague.

That's what happens when Carrier IQ tries to suggest, "they" don't create the debug log files, Google's Android system does! A few days later, Google strikes back and puts Carrier IQ back in the negative spotlight.
uberputeruser, 12/8/2011 | 1:06:37 AM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
Ok so we agree that Trever was off in his analysis, and I do agree that it should be opt in / opt out, but this doesn't make it Carrier IQ's problem, it makes it AT&T, Sprint, T-Mobile's <insert other carriers here> problem, right? Just trying to understand the issue.
Also, just because he saw the output of a volatile debug file in verbose debug mode does not mean that the software actually records it; it simply listens, but ignores anything it isn't set to use. In theory you could do this with a lot of software on phones or anything else for that matter.
Also, there is never any analysis done on what is transmitted from the phone to the carrier. Sure, the debug mode shows a lot, but what is sent home, and in what format?
Also, if the profiles used were set to match customer end user agreements with the carriers, doesn't that mean that when you signed up you pretty much agreed? I am not saying it is that way, but I would think someone at the carriers' legal department would have thought this out a little at least.
And for most of the tin hat wearing crowd out there, if you wanted to "spy" on millions of devices, having it send information over the air would not be the way to do it. You would wait till it came in off the tower and then pull it from firewalls and other monitoring devices. Plus you would need uber amounts of storage. I am talking like exabytes of data storage, which I doubt anyone has, other than the government. Just a thought..
k0nane, 12/7/2011 | 2:26:23 PM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
We've all seen Trevor Eckhart's video. Mr. Rosenberg and I are in contact with Mr. Eckhart - the two of them, in fact, speak often. What is displayed in Android debug logs and what is /actually collected by CIQ/ are two very different things.

It is also important to note that CIQ's implementation differs by OEM. Samsung implements its functions differently than HTC. What is collected and sent, though, is up to the carriers.

Having seen the framework-side source of CIQ - and I have, as many times as I've removed it - and on the basis of professional credibility, I completely trust Mr. Rosenberg's analysis. I believe it to be accurate. I suggest you and others who wish to dispute the facts without actually knowing them do more research, and read more closely.

And before you suggest I'm on CIQ's payroll... take a glance at my username. I distrusted CIQ /long/ before it was "cool". ;-) I still don't trust the software, and will continue to remove it. However, when there is reputable, factual analysis available, I can't and won't ignore it.
k0nane, 12/7/2011 | 2:22:12 PM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
I, for one, completely agree with Mr. Rosenberg's comment. Opt-out should be allowed without question, and I believe that complete disclosure of what's reported, when, and how should be given.
Bprince, 12/7/2011 | 2:50:11 AM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
How do people feel about the last comment by Rosenberg: should the company or carrier have informed users the software was on the device doing what it is doing and provided some sort of easy opt-out? Or should users expect that certain information is going to be gathered for diagnostic purposes and leave it at that?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
japura941, 12/6/2011 | 11:26:11 PM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
It appears all of these so-called Security Researchers admit to Carrier IQ performing:

1. secret GPS location tracking.
2. secret virtual keylogging through the Phone Dialer.
3. secret HTTPS capturing of username/passwords at the URL line.

Don't these so-called Security Researchers immediately recognize the Security Risks when they see one these days? What happened to the professional Security Researchers?

Unauthorized GPS location tracking opens the gateway for unknown sources to track the whereabouts of you, your daughters, your sons, and your spouses with real-time GPS accuracy.

Unauthorized Virtual keylogging of entries through the Phone Dialer opens the gateway for unknown sources to collect all your Bank Account #s, Credit Cards #s, SSN #s, Pin Codes, and other confidential information you key in during Phone Calls that were not agreed upon within the Network Carrier to Consumer Contract Agreement.

Unauthorized capturing of HTTPS URL contents containing Username and Password credentials to High Security Systems opens the gateway for unknown sources to penetrate High Security Systems and Exploit every vulnerability possible that was not agreed upon within the Network Carrier to Consumer Contract Agreement.

Sounds like the lawyers and attorneys are still likely going to win this one under the following violations:

1. Federal Wiretap Act,
2. the Stored Electronic Communications Act,
3. and the Federal Computer Fraud and Abuse Act.

unbelievable
unbelievable, 12/6/2011 | 8:54:07 PM
re: Carrier IQ Data Collection Technically Legit, Say Researchers
These statements from supposed security experts are completely false. Carrier IQ is logging HTTP data as well as HTTPS and is capturing usernames/passwords. See the following video: http://youtu.be/T17XQI_AYNo The writers of this article are obviously being paid to spread misinformation over legitimate webpages to conceal the real truth and do damage control.

This is a complete invasion of our privacy and every single smartphone user should be outraged.