Lately there has been a lot of buzz about the Carrier IQ smartphone application, which has been called everything from a rootkit to a keylogger or spyware, and even an app capable of tracking a phone's every movement. Today, new technical details about Carrier IQ have emerged from a few security researchers that refute the claims, which were originally brought by analyst Trevor Eckhart.
Eckhart published his work several weeks ago on his blog and in a 17-minute YouTube video. His conclusions, which purport to show that the Carrier IQ code is a rootkit and keylogger, triggered a firestorm of accusations, at least one class-action lawsuit (the complaint pdf) and numerous calls by U.S. senators and congressmen for investigations.
Following his reports, Carrier IQ, as well as several smartphone manufacturers and carriers, went on the defensive, vehemently denying the claims that the application was malicious in nature. This prompted many security researchers to spring into action to get to the bottom of things.
Security consultant Dan Rosenberg, who this week published the details of his analysis, and Rebecca Bace, a long-time security researcher and CEO of Infidel, have both had the chance to review the inner workings of the application's sources, and both have reached the same conclusion.
The Carrier IQ software "cannot" record SMS text messages, Web page contents or email contents; and it "cannot" record text keystrokes (though it does record which buttons are pressed in the dialer app when making a phone call).
"I am using the word 'cannot' literally, as in 'is not capable of, in the present tense, without being altered by modifying its code and installing a new version on the phone,'" Rosenberg writes. "It seems obvious to me that CarrierIQ could be modified in the future to perform nefarious actions: so could any application on your phone."
"I'm accustomed to being a professional skeptic, but so far everything I've seen is consistent with the assertions made by the [CIQ] engineering and development team -- they provide only that status information pursuant to diagnosing issues with the cellphone, and furthermore take pains to limit access to that information to the carriers controlling the solution," Bace says.
So what exactly is Carrier IQ?
The carriers have insisted that the software is being used only for network diagnostics purposes while the handset makers have claimed that they integrated Carrier IQ in their devices only because the carriers specifically asked them to. The analysis from the security researchers seems to back those claims.
Apparently the Carrier IQ program can receive limited information from the OS such as specific measurements and changes in state on the device, and in some cases location data. Running a carrier-specific "profile" that identifies the subset of metrics the carrier wants, Carrier IQ then sends those metrics, as encoded data over SSL, to the server for analysis.
"On receiving a submitted metric, CIQ evaluates whether that metric is 'interesting' based on the current profile installed on the device," Rosenberg writes. "Profiles dictate whether or not a piece of information is relevant for assessing a particular aspect of phone service, such as reception or battery usage.
"Note that the CarrierIQ application simply receives these metrics, collects them, and eventually uploads them to be analyzed by carriers [using the CIQ server application]," Rosenberg notes. "All of the code responsible for determining which metrics are submitted to CIQ for processing is integrated into the phone's application stack by the handset manufacturers themselves."
In his blog post, Rosenberg detailed his findings with a list showing the metric ID, the metric itself, the data sent, and the "situation" that triggers the metric:
- browser page render event
- location event, which can use GPS or other location data
- HTTP request sent, or response received (the URL, request type, content length, and so on but not page contents)
- network state changes, sending an "internal identifier"
- a range of telephony and radio events (such as a dropped call, service issues, and so on)
- hardware event, sending data such as voltage, temperature, battery level
- key presses, but only in the phone dialer application
- miscellaneous GUI state changes, such as battery state
- starting or receiving a call or a failed call, which sends CallerID, state, and phone number
- application events such as a stopped app, or a new app, sending the application name
- questionnaire event, used when Carrier IQ is configured to present the user with a service questionnaire
- SMS message received or sent, which includes message length, phone number, status, but no text from the body of the message.
So what does this all mean to me and my privacy?
To be totally honest, at this time no one really knows for sure. Unfortunately, Carrier IQ and its clients aren't providing explicit information or full disclosure about what it tracks, how the data is used, how it's stored, or any real details. Until these questions are answered, there remains a very real concern for individual privacy. At present, nobody is handling this quite well.
If the researchers are correct and the app only collects limited data, then it's really not as big a deal as it is being made out to be. If, however, they aren't, then it could be a real concern. For those of you who are staunch privacy buffs and absolutely want it gone, there is hope. There are several applications out there for Android phones that will remove the application in its entirety.
- Voodoo Carrier IQ detector. Created by software developer Francois Simond (aka supercurio), this app from the Android Market
- Carrier IQ Detector. Built by mobile security software vendor Lookout Labs, this app--also available on the Android Market
- Bitdefender Carrier IQ Finder. Also available from the Android Market, this app runs on Android 2.1 and later