Rich Fiscus
5 Dec 2011 15:57
It appears the most serious allegations about Carrier IQ, the diagnostics software secretly installed and run with root access on a variety of smartphones, may be unfounded.
Carrier IQ comes pre-installed on a number of smartphones, most notably Sprint and AT&T branded Android smartphones, and is sold as a diagnostic tool to help carriers monitor problems with their mobile networks.
The software's existence was discovered last month by a security researcher named Trevor Eckhart, who calls it a rootkit.
While Carrier IQ disagrees with that description, there appears to be no question it is installed without the user's knowledge or permission and runs secretly (hidden from user view) with privileged access. That's the basic definition of a rootkit.
Further revelations by Eckhart include Carrier IQ having the capability of logging every keystroke the user makes and secretly reporting the contents of SMS messages and encrypted communications to the carrier.
Another security researcher, Dan Rosenberg has performed his own analysis of the Carrier IQ implementation on a Samsung Epic 4G Touch and concluded Eckhart's conclusions were in error. According to Rosenberg, claims that Carrier IQ has a keylogger or is capable of sending carriers the contents of SMS messages or webpages are completely false, at least for the Samsung phone he looked at.
He wrote:
- CarrierIQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.
- CarrierIQ (on this particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call. I?m not a lawyer, but I would expect cell carriers already have legal access to this information.
- CarrierIQ (on this particular phone) cannot record any other keystrokes besides those that occur using the dialer.
- CarrierIQ can report GPS location data in some situations.
- CarrierIQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.
I am using the word ?cannot? literally, as in ?is not capable of, in the present tense, without being altered by modifying its code and installing a new version on the phone?. It seems obvious to me that CarrierIQ could be modified in the future to perform nefarious actions: so could any application on your phone. Keep in mind CIQ is integrated by the OEM and to my knowledge has never been modified after installation, except in terms of profiles, which simply dictate which subset of available metrics defined by the OEM are collected.