SecurityWeek

Carrier IQ Drama Continues, But is the Software Maker Evil as Accused?

Carrier IQ remains in the spotlight this week, as conflicting reports over the software and its usage have sparked lawsuits, additional research, and even speculation that it violates wiretap laws. Meanwhile, Carrier IQ maintains that it has done nothing wrong.

For those who don’t know, Carrier IQ develops software designed for smartphones, which allows mobile carriers to identify and in some cases diagnose quality issues, such as dropped calls and battery drain. The issue, however, is that the Carrier IQ software could be abused to collect massive amounts of information, according to the conclusions of researcher Trevor Eckhart, who examined Carrier IQ’s abilities.

For example, in addition to the troubleshooting information, Carrier IQ can collect a wealth of information about the device’s user, including location, application use, Web browsing data, key press information from the dial pad, and more. Verizon has denied that it uses the software, but AT&T and Sprint have gone public with the fact that they do use it on Samsung and HTC devices.

Once word of the research spread, Carrier IQ threatened Eckhart, but retracted its legal threats once it felt the wrath of the public. Now the company has switched to denial mode.

Stephen Wicker, a Cornell professor of electrical and computer engineering, said that Carrier IQ’s software is everything he has been working against over the last 10 years. “It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.”

Senator Al Franken made waves when he called on Carrier IQ to explain “…exactly what the software records, whether it is transmitted to Carrier IQ or any third party, and whether the data is protected against security threats that could risk the safety and privacy of American consumers.”  

While this was happening, class-action lawsuits were filed in California and Missouri, accusing Samsung, HTC, and Carrier IQ itself of violating federal wiretap laws. Sprint, T-Mobile, AT&T, and Apple were sued for the same reasons in Delaware’s federal court.

“Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions,” the company said in a statement.

“Carrier IQ acts as an agent for the [mobile] operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile operators. Carrier IQ does not gather any other data from devices.”

When it came to the claims of additional information gathering by Carrier IQ’s software, the company provided an answer to that as well. “While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.”

When it comes to detection, consumers can use a number of free tools to determine if they are stuck with Carrier IQ. The first application comes from Lookout Labs, and a second one comes from Bitdefender.

Both applications will tell consumers if their device has Carrier IQ installed, but because Carrier IQ’s software is so embedded in the device itself, removal is nearly impossible, short of rebuilding the phone’s OS from scratch.

“Given the fact that the Carrier IQ reporting package is so tightly integrated with the device’s firmware and that it runs in a highly privileged area of the OS, it can neither be uninstalled, nor blocked. The safest way to get rid of the Carrier IQ tool is to see if it is installed, then take the phone to the customer’s carrier, and ask for removal. Manual intervention to disable it is not recommended,” commented Bitdefender’s Bob Botezatu.

Finally, researcher Dan Rosenberg released a breakdown on some of the hype surrounding the Carrier IQ drama, disputing some of the more outlandish claims when it comes to the software’s abilities. “Based on my research, CarrierIQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right,” he noted.  

Two things that Rosenberg determined from his research are that Carrier IQ cannot record SMS text bodies, web page contents, or email content. Likewise, other than what is entered on the dialer, it cannot record any other keystrokes.

We’ll keep following the Carrier IQ drama and report on additional developments.
