Tuesday, December 6, 2011

Carrier IQ Spyware

via Schneier on Security by schneier on 12/5/11

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn't monitor keystrokes -- an easily refuted lie -- and threatened to sue the researcher. It took EFF getting involved to get the company to back down. (A good summary of the details is here. This is pretty good, too.)

Carrier IQ is reacting really badly here. Threatening the researcher was a panic reaction, but I think it's still clinging to the notion that it can keep the details of what it does secret, or hide behind statements such as:
Our customers select which metrics they need to gather based on their business need--such as network planning, customer care, device performance--within the bounds of the agreement they form with their end users.
Or hair-splitting denials it's been giving to the press.
In response to some questions from PCMag, a Carrier IQ spokeswoman said "we count and summarize performance; we do not record keystrokes, capture screen shots, SMS, email, or record conversations."

"Our software does not collect the content of messages," she said.

How then does Carrier IQ explain the video posted by Trevor Eckhart, which showed an Android-based phone running Carrier IQ in the background and grabbing data like encrypted Google searches?

"While 'security researchers' have identified that we examine many aspects of a device, our software does not store or transmit what consumers view on their screen or type," the spokeswoman said. "Just because every application on your phone reads the keyboard does not make every application a key-logging application. Our software measures specific performance metrics that help operators improve the customer experience."

The spokeswoman said Carrier IQ would record the fact that a text message was sent correctly, for example, but the company "cannot record what the content of the SMS was." Similarly, Carrier IQ records where you were when a call dropped, but cannot record the conversation, and can determine which applications drain battery life but cannot capture screen shots, she said.

Several things matter here: 1) what data the CarrierIQ app collects on the handset, 2) what data the CarrierIQ app routinely transmits to the carriers, and 3) what data the CarrierIQ app can transmit to the carrier if asked. Can the carrier enable the logging of everything in response to a request from the FBI? We have no idea.

Expect this story to unfold considerably in the coming weeks. Everyone is pointing fingers of blame at everyone else, and Sen. Franken has asked the various companies involved for details.

One more detail is worth mentioning. Apple announced it no longer uses CarrierIQ in iOS5. I'm sure this means that they have their own surveillance software running, not that they're no longer conducting surveillance on their users.