Security researchers who have investigated the inner workings of the Carrier IQ software say that the application has some powerful and potentially worrisome capabilities, but that as it’s currently deployed by carriers it doesn’t have the ability to record SMS messages, phone calls or keystrokes. However, the researchers note that there is still potential for abuse of the information that’s being gathered, whether by the carriers themselves or third parties who can access the data legitimately or through a compromise of a device.
Carrier IQ, whose software is at the center of the ongoing controversy, supplies its application to mobile carriers, who in turn install it on handsets when they load their own custom software package onto each device before delivery. The company has responded to claims that its software is capable of recording a variety of user interactions and data on the device by saying that the information it gathers is just diagnostic data, and that keystrokes, texts and other information are not recorded or sent to carriers for analysis. Company officials also have said that they know the data that the software collects is valuable and could be used for other purposes.
Researchers who have reverse-engineered the application on various Android devices say that what they’ve found generally supports what Carrier IQ has said, but that there’s more to it than that.
“Based on my research, Carrier IQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right. I believe the following points need to be addressed. Note that most of the burden in this situation falls not on Carrier IQ but on the handset manufacturers and carriers, who are ultimately responsible for both collecting this information and establishing service agreements with consumers,” researcher Dan Rosenberg wrote in a detailed analysis of the Carrier IQ application deployed on a Samsung Epic 4G Touch.
Rosenberg detailed every one of the “metrics” that Carrier IQ’s software has the ability to collect. A metric is a specific piece of information that the software collects on a device. Each carrier can define which metrics it’s interested in through the implementation of a profile on the device, Rosenberg said. He enumerated more than three dozen separate metrics in his analysis, and found that, for example, while there are metrics that can detect the message length and status of a text message, they can’t record the contents of the message body. Nor can the software detect and record the contents of a specific Web page that a user visits, but it can detect the URL in some cases.
Jon Oberheide, a security researcher who has done a lot of work on Android devices, also analyzed several versions of the Carrier IQ software and came to many of the same conclusions that Rosenberg did. He found that the software has the ability to record some information, but that doesn’t mean that it’s actually doing so. That part is up to each individual carrier. However, he says that the ability to collect that data is a dangerous thing.
“There is a lot of capability to collect sensitive data, which is dangerous in any scenario,” Oberheide said in an interview. “It’s up to the carriers to use the software as they choose, but you could sort of put some blame on Carrier IQ. But they put it on the carriers.”
In his analysis, Oberheide found that Carrier IQ’s software has a pretty large code base on Android devices, which could actually make it a target for attackers.
“Carrier IQ does hook into the system in a number of ways and has a lot of native code, so it’s a non-trivial attack surface,” he said. “I wouldn’t be surprised if pretty soon people start digging into the code base and start finding vulnerabilities in the software itself.”
Whatever else the Carrier IQ software is, Oberheide said, it definitely is not stealthy or quiet about what it’s doing.
“It’s not trying to hide. If it’s a rootkit, it’s the least stealthy one ever,” he said.