Carrier IQ Drama Continues, But is the Software Maker Evil as Accused?

Carrier IQ remains in the spotlight this week, as conflicting reports over the software and its usage have sparked lawsuits, additional research, and even speculation that it violates wiretap laws. Meanwhile, Carrier IQ maintains that it has done nothing wrong.

For those who don’t know, Carrier IQ develops software designed for smartphones, which allows mobile carriers to identify and in some cases diagnose quality issues, such as dropped calls and battery drain. The issue, however, is that the Carrier IQ software could be abused to collect massive amounts of information, according to the conclusions of researcher Trevor Eckhart, who examined Carrier IQ’s abilities.

For example, in addition to the troubleshooting information, Carrier IQ can collect a wealth of information about the device’s user, including location, application use, Web browsing data, key press information from the dial pad, and more. Verizon has denied that it uses the software, but AT&T and Sprint have gone public with the fact that they do use it on Samsung and HTC devices.

Once word of the research spread, Carrier IQ threatened Eckhart, but retracted its legal threats once it felt the wrath of the public. Now the company has switched to denial mode.

Stephen Wicker, a Cornell professor of electrical and computer engineering, said that Carrier IQ’s software is everything he has been working against over the last 10 years. “It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.”

Senator Al Franken made waves when he called on Carrier IQ to explain “...exactly what the software records, whether it is transmitted to Carrier IQ or any third party, and whether the data is protected against security threats that could risk the safety and privacy of American consumers.”  

While this was happening, class-action lawsuits were filed in California and Missouri, accusing Samsung, HTC, and Carrier IQ itself of violating federal wiretap laws. Sprint, T-Mobile, AT&T, and Apple were sued for the same reasons in Delaware’s federal court.

“Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions,” the company said in a statement.

“Carrier IQ acts as an agent for the [mobile] operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile operators. Carrier IQ does not gather any other data from devices.”

When it came to the claims of additional information gathering by Carrier IQ’s software, the company provided an answer to that as well. “While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.”

When it comes to detection, consumers can use a number of free tools to determine if they are stuck with Carrier IQ. The first application comes from Lookout Labs, and a second one comes from Bitdefender.

Both applications will tell consumers if their device has Carrier IQ installed, but because Carrier IQ’s software is so embedded in the device itself, removal is nearly impossible, short of rebuilding the phone’s OS from scratch.

“Given the fact that the Carrier IQ reporting package is so tightly integrated with the device's firmware and that it runs in a highly privileged area of the OS, it can neither be uninstalled, nor blocked. The safest way to get rid of the Carrier IQ tool is to see if it is installed, then take the phone to the customer's carrier, and ask for removal. Manual intervention to disable it is not recommended,” commented Bitdefender’s Bob Botezatu.

Finally, researcher Dan Rosenberg released a breakdown on some of the hype surrounding the Carrier IQ drama, disputing some of the more outlandish claims when it comes to the software’s abilities. “Based on my research, CarrierIQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right,” he noted.  

Two things that Rosenberg determined from his research are that Carrier IQ cannot record SMS text bodies, Webpage contents, or email content. Likewise, other than what is entered on the dialer, it cannot record any other keystrokes.

We’ll keep following the Carrier IQ drama and report on additional developments.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.