SecurityWeek

Mobile & Wireless

Carrier IQ Drama Continues, But is the Software Maker Evil as Accused?

Carrier IQ remains in the spotlight this week, as conflicting reports over the software and its usage have sparked lawsuits, additional research, and even speculation that it violates wiretap laws. Meanwhile, Carrier IQ maintains that it has done nothing wrong.

For those who don’t know, Carrier IQ develops software designed for smartphones that allows mobile carriers to identify, and in some cases diagnose, quality issues such as dropped calls and battery drain. The issue, according to the conclusions of researcher Trevor Eckhart, who examined Carrier IQ’s abilities, is that the software could be abused to collect massive amounts of information.

For example, in addition to the troubleshooting information, Carrier IQ can collect a wealth of information about the device’s user, including location, application use, Web browsing data, key press information from the dial pad, and more. Verizon has denied that it uses the software, but AT&T and Sprint have gone public with the fact that they do use it on Samsung and HTC devices.

Once word of the research spread, Carrier IQ threatened Eckhart, but retracted its legal threats once it felt the wrath of the public. Now the company has switched to denial mode.

Stephen Wicker, a Cornell professor of electrical and computer engineering, said that Carrier IQ’s software is everything he has been working against over the last 10 years. “It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.”

Senator Al Franken made waves when he called on Carrier IQ to explain “…exactly what the software records, whether it is transmitted to Carrier IQ or any third party, and whether the data is protected against security threats that could risk the safety and privacy of American consumers.”  

While this was happening, class-action lawsuits were filed in California and Missouri, accusing Samsung, HTC, and Carrier IQ itself of violating federal wiretap laws. Sprint, T-Mobile, AT&T, and Apple were sued for the same reasons in Delaware’s federal court.

“Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions,” the company said in a statement.

“Carrier IQ acts as an agent for the [mobile] operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile operators. Carrier IQ does not gather any other data from devices.”

When it came to the claims of additional information gathering by Carrier IQ’s software, the company provided an answer to that as well. “While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.”

When it comes to detection, consumers can use a number of free tools to determine if they are stuck with Carrier IQ. The first application comes from Lookout Labs, and a second one comes from Bitdefender.

Both applications will tell consumers if their device has Carrier IQ installed, but because Carrier IQ’s software is so embedded in the device itself, removal is nearly impossible, short of rebuilding the phone’s OS from scratch.

“Given the fact that the Carrier IQ reporting package is so tightly integrated with the device’s firmware and that it runs in a highly privileged area of the OS, it can neither be uninstalled, nor blocked. The safest way to get rid of the Carrier IQ tool is to see if it is installed, then take the phone to the customer’s carrier, and ask for removal. Manual intervention to disable it is not recommended,” commented Bitdefender’s Bob Botezatu.

Finally, researcher Dan Rosenberg released a breakdown on some of the hype surrounding the Carrier IQ drama, disputing some of the more outlandish claims when it comes to the software’s abilities. “Based on my research, CarrierIQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right,” he noted.  

Rosenberg determined two things from his research. First, Carrier IQ cannot record SMS text bodies, Web page contents, or email content. Second, other than what is entered on the dialer, it cannot record any other keystrokes.

We’ll keep following the Carrier IQ drama and report on additional developments.
