The Mountain View, Calif., maker of mobile phone data analysis software for carriers has been pilloried the length and breadth of the World Wide Web for the better part of a week, accused by a growing chorus of people of selling smartphone spyware in the form of a rootkit and keylogger to mobile carriers. The accusations and outrage hinge on a YouTube video posted by a 20-something systems administrator, Trevor Eckhart, purporting to show the smartphone program recording keystrokes and seeing SMS text messages. Yet Eckhart failed to use some basic tools that could have confirmed what he, and many others, think he saw.
The controversy prompted calls to Canadian wireless carreirs who said Friday they have nothing to do with the software. “Bell (Mobility) doesn’t install or support Carrier IQ or similar programs,” said a company spokesman in an email. “Telus doesn’t use Carrier IQ software on any of its devices,” said a Telus representative. “We don’t request or activate Carrier IQ and our networks don’t support it,” said Rogers Communications.
Meanwhile, Computerworld U.S. reported that Carrier IQ and two handset makers are being sued in California and Missouri. One suit alleges unlawfully interception of communications while the other alleges data was collected from a phone without the users’ permission or knowledge
Eckhart’s 17-minute YouTube video is the basis for allegations that Carrier IQ is spyware, and that — whatever its stated purpose is — its real goal (and the goal of the carriers using it) is to watch, capture and exploit detailed private information about smartphone users. In the tidal wave of news stories, blog posts and Web comments, Eckhart’s video is accepted unquestioningly as “proof” that Carrier IQ, in the hands of carriers, is already carrying out a surreptitious, pervasive surveillance campaign or has the capacity to do so.
“The interpretation of the video is inaccurate,” says Dan Rosenberg, vulnerability research practice lead for Virtual Security Research, a Boston-based consultancy. For the firm, Rosenberg specializes in application and network penetration testing and code review, sometimes with reverse engineering code. He also does security research in these areas, especially on the Linux kernel and the Android operating system.
“The video depicts that Carrier IQ does react to events like typing a key,” Rosenberg says. “Trevor jumped to the conclusion that this means they are recording all your keystrokes and sending them to the carrier. That would be a major violation of privacy. But that’s not what’s happening based on my analysis.”
Rosenberg had known of Carrier IQ, and in early November, before Eckhart released his conclusions, began to reverse engineer it. “It’s installed by default on smartphones, and no one has the ability to remove it, and it does collect data and send it to carriers,” he says. “There’s a potential for abuse, and I wanted to analyze it and understand it.”
He copied the Carrier IQ software from several HTC and Samsung Android phones and loaded it into a disassembler to expose and read the machine instructions. What he found was a large, powerful program with a lot of capabilities. Rosenberg says he did not make an exhaustive study of all the program’s features. But after Eckhart’s video was posted, Rosenberg refocused his attention on the alleged keylogging and transmitting features.
Eckhart’s video actually shows debugging output, Rosenberg says, which is intended to let developers go through a program line by line to iron out problems. As such, displayed in a debugging buffer, these details are not stored on disk or collected as data, he says.
“They are not actually storing keystroke data at any point, anywhere,” Rosenberg says. “Much less sending the data back to carriers.”
Temporarily putting this information in a debugging buffer is a questionable practice, he says. “They’re printing debugging statements that show keystroke data,” Rosenberg says. “That’s not an immediate threat, but it’s sort of like why you don’t want to write down your password: so you don’t have sensitive data lying around somewhere. But that [practice] is not like logging data and sending it to carriers.”
Rosenberg says he has talked with Eckhart several times, and specifically about Eckhart’s interpretation of what the debugging buffer revealed. Rosenberg declined to go into details about those conversations, but did say, “I’ve debated this with him. Originally, he disagreed with me. But nothing on our private conversation provided me with evidence to the contrary.”
Rosenberg’s hands-on experience with Carrier IQ seems to be the most detailed yet on public view. And it lines up with reservations or criticisms levied against Eckhart’s interpretation of Carrier IQ as a keylogger that’s sending SMS message contents and other information back to the mobile carriers.
John Graham-Cumming is vice- president of engineering for software vendor Causata, as well as a programmer, blogger and author with a doctorate in computer security. In a recent blog post he noted some make extravagant claims against Carrier IQ, including allegations that passwords, contents of text messages and more are recorded and transmitted to wireless operators.
“That would be worrying if true, but if you watch the ‘security researcher’s’ video you’ll find that nowhere does he make the claim that [the] content that the application sees is leaving the device,” Graham-Cumming wrote. “And from the video he doesn’t appear to try. At no point does he enter a debugger and look inside the CarrierIQ [smartphone] application, and at no point does he run a network sniffer and look at what data is being transmitted to [the server component of] CarrierIQ.
“And I don’t understand why,” he continued. “It would be a huge story if millions of smartphones worldwide were secretly sending the content of text messages to a US-based company. But that’s not the story here because the ‘security researcher’ does not appear to have tried to find out.”
We asked Graham-Cumming via email if this was a complex process. “It would not be complex for a competent Android programmer to use a debugger to examine the CIQ application and/or sniff its network traffic to see what it is doing,” he says via email.
Based on what he saw in Eckhart’s video, Graham-Cumming says Carrier IQ’s software apparently can see at least some user activities. “But until I understand what they are doing with the data and what leaves my phone I’m not going to panic,” he says. “For example, my antivirus sees everything on my machine, all my mail, all my files, all my web browsing, but I’m ok [with that] because I trust what it does with the data.”
“That’s a good analogy,” agrees Rosenberg. “It’s absolutely true that antivirus has just as broad access to your system.”
Yet there is a critical difference, he says. “What makes [Carrier IQ] different is that this program was not installed by the users, and they weren’t given the chance to make a trust decision,” Rosenberg says. “Presumably, your antivirus program is software that you’ve installed or have a trust relationship with the vendor.”
“There’s one good thing to come out of this,” Rosenberg says. “A greater awareness that this software exists. We need more awareness of what it can do and the ability to opt out of it.”
Apple Inc. seems to have taken a different approach than Android vendors HTC and Samsung with its integration of Carrier IQ. Apple this week announced that it had discontinued Carrier IQ support with the release of iOS 5 some weeks ago. Grant Paul, a well-known iOS programmer, analyzed the program in a blog post, and noted what appear to be several differences from the Android implementation, at least on the HTC handset used by Eckhart.
For one thing, the user can disable Carrier IQ in earlier iOS versions by turning off “Diagnostics and Usage” in “Settings.” For another, though the program “does access a reasonable amount of information,” that information seems limited to telephony information, such as your phone number, carrier and country, active phone numbers (though Paul didn’t see evidence that the dialed number was visible) and the user’s location if the user enabled the iOS Location Services. He added: “Be sure to note that I have not confirmed which, if any, of this data is sent remotely.”
“Importantly, it does not appear the [Carrier IQ] daemon has any access or communication with the UI layer, where text entry is done,” Paul concluded. “I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely.”
What’s unclear is whether this “no access” to the UI layer is distinctive to the iOS implementation of Carrier IQ or, as the vendor seems to be saying, a characteristic of the application itself regardless of the operating system on which it runs.
In what seems to be the first public interview granted by Carrier IQ executives, to John Paczkowski of AllThingsD, the software vendor finally provided a bit more detail on what the program does and doesn’t do.
“While CIQ might ‘listen’ to a smartphone’s keyboard, it’s listening for very specific information,” Paczkowski writes, summarizing the claims. “Company executives insist it doesn’t log or understand keystrokes. It’s simply looking for numeric sequences that trigger a diagnostic cue within the software. If it hears that cue, it transmits diagnostics to the carrier.”
Paczkowski notes that CIQ nevertheless has the ability to capture a wide variety of user data. So, he asks, who decides what data is collected?
“The carriers. They decide what’s to be collected and how long it’s stored — typically about 30 days. And according to Carrier IQ, the data is in their control the whole time. ‘It’s the operator that determines what data is collected,’ says Carrier IQ CEO Larry Lenhart. ‘They make that decision based on their privacy standards and their agreement with their users, and we implement it.'”
In a statement issued Dec. 1, Carrier IQ repeated its assertions that the software does not log keystrokes. This time it added a comment by security expert Rebecca Bace, co-founder of Infidel, an information security consultancy: “”Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous.”
No other details were provided. As of this posting, Bace had not replied to an email request for more information.