Carrier IQ: Mobile App Crap Must Stop
The Carrier IQ situation is an insane breach of trust for enterprises. And unless phone makers copy the Apple model, where carriers can't pre-install app crap, it will happen again.
You just can't make this stuff up. If I had told you six months ago to be very careful about entrusting corporate data to mobile carriers who pre-install app crap, because they would build spyware into phones, collect secure Web browsing information, and embed this software so deeply that you have to change the ROM to get rid of it, you would have written me off as a paranoid. Yet, that appears to be the situation with CarrierIQ, a carrier utility gone wild.
Like the Master Control Program in the '80s science fiction classic, "Tron," CarrierIQ collects data for an ostensibly harmless purpose: to help carriers improve the quality of their network and improve the user experience. Then, it goes crazy and tries to kill everyone. It may not be as bad in this case, but the trouble is, though Carrier IQ claims, "we are counting and summarizing performance, not recording keystrokes or providing tracking tools," third party analysis of Carrier IQ begs to differ.
More Security Insights
- Reality Check: Putting Next Generation Threat Detection to the Test
- Managing Threats in the Digital Age
Specifically, researcher Trevor Eckhart writes on his blog that the Carrier IQ application "is receiving not only HTTP strings directly from browser, but also HTTPs strings. HTTPs data is the only thing protecting much of the 'secure' Internet." Carrier IQ, realizing how damaging this revelation was, tried to squelch Eckhart through a cease-and-desist letter (giving him two whole days to respond, and threatening damages starting at $180K), but the Electronic Frontier Foundation came to the rescue. Carrier IQ relented after the assault from the EFF, and is now "deeply sorry for any concern or trouble" that the letter may have caused Eckhart.
From an enterprise perspective, this is massive. It's the Jerry Sandusky of mobility. It is an insane breach of trust.
[ Not up to date on Carrier IQ? See Carrier IQ Withdraws Legal Threat Against Security Researcher. ]
Enterprises have long put up with "app crap" on Windows platforms, and, then, on mobile platforms. On the Windows platforms, enterprises would shrug, wipe the machines, re-image them, and move on with work as usual. On mobile, enterprises believed that the app crap was benign enough. Wrong.
We all knew that spyware existed on PCs, but the big difference is that spyware and rootkits got installed by malicious third parties, not our trusted partners who get paid for services that they provide.
All of a sudden, Steve Jobs' perspective about who should control mobile device firmware doesn't seem to be such a bad idea.
Carrier IQ has no relationship, at all, with the enterprise. They've said that "we do not sell Carrier IQ data to third parties" or "provide real-time data reporting to any customer." But once you generate the data, it's there for the taking.
This year's Data Breach Investigations Report, co-sponsored by the U.S. Secret Service, and, ironically, a mobile provider, emphatically states that organizations need to eliminate unnecessary data collection (since it can and will be stolen.) As enterprise trusted partners, it's time for carriers to eliminate the middleman. Carrier IQ had no incentive at all to limit the type of data that it collects.
Because Carrier IQ is so carrier focused, it may have even come as something of a surprise to the Carrier IQ folks that they may have violated wiretap laws.
The whole model needs to change, or this incident will be repeated. Carriers currently control the phone, and work with third parties to build management software that they need. The third parties have no skin in the game in terms of the trust relationship with the enterprise. Frankly, in this case, if Carrier IQ's reputation becomes so tarnished that they can no longer sustain a viable business, they can pull up their tent stakes, change their name, and resume operations.
Well, good for them, but BAD for the enterprise, because the enterprise now needs to start investing the type of time that used to be reserved for Windows PCs, in order to re-image spyware-vulnerable smartphones. It's not a matter of just removing the software. InformationWeek contributor Mathew Schwartz told me Wednesday morning that "some deployments of Carrier IQ by the carriers have an 'off switch' that smartphone owners can trigger," but that he's also seen reports that it simply doesn't work.
Now contrast that to the simpler Apple model, where Apple delivers a phone with fundamental firmware, absent the app crap. Both Apple and the carriers have major skin in the game to preserve the trust of the enterprise. If carriers want to have management capabilities on the iPhone, they'll have to EXPLICITLY have permission from the enterprise.
This type of permission is generally granted by enterprises to service providers, but it's under contract, with explicit rules of engagement, and with incentives. ("We'll give you xyz points off of your bill if you use this"; or "wow, look at this management software that you can use, it's really useful, we only ask that you allow us to have this explicit dataset.")
One case in point is Spiceworks a free network management service that spells out how it will use your information. This type of win-win arrangement is already present in the mobility world: Verizon has successfully rolled out its "My Business" service to enterprise customers, in a scenario where Verizon gets to avoid the expense of mailing bills, and enterprise account managers get an easy-to-use interface.
The point is, though, that it's pretty obvious that the current "provider gets to thoroughly load the phone with untrusted app crap" model isn't going to fly anymore. There must be a check and balance. And I think that Apple's model of shipping a phone without carrier meddling is a good start. Let carriers woo the enterprise to get permission to install management software. But with mobile phones being an integral and essential part of enterprise infrastructure, software-without-permission must stop.