Is Carrier IQ a Serious Security Threat?

I've spent much of this year studiously trying to ignore Google's Android platform, because I feel that it's an insecure rip-off of competing smartphone platforms, especially Apple's iPhone. A little harsh, I know. But I'm just happy to have found a single point on which former Apple CEO Steve Jobs and I are so completely copacetic.

Of course, ignoring Android is hazardous these days: Google's mobile OS is quickly becoming the Windows of the smartphone world, and the way it quickly bypassed Apple's beloved iPhone should be a wakeup call for everyone. So I've slowly revved up my Android experience in recent days, and I now have an Android-based phone and tablet for testing purposes. I intend to fully test the next Android version, "Ice Cream Sandwich," when Google's next Nexus phone ships in the weeks ahead.

Aside from that, I was interested to see that Android was implicated in the Carrier IQ controversy. If you haven't been following along this latest tech industry news-of-the-year-of-the-week, Carrier IQ is software that's built into many mobile handsets, usually by a wireless carrier, in order to monitor the device and its network usage and report data back to the operator. It does this silently and without your consent, and the technology was outed last week by someone who's almost always erroneously described as a security researcher.

Trevor Eckhart is many things, perhaps, but he's not a security researcher. According to Eckhart's own website, he's a Windows Server systems administrator, as well as an expert in SQL Server, Citrix, and Cisco.

He's also clearly an Android enthusiast. Mr. Eckhart rocketed to fame and fortune last week -- well, at least fame -- by posting a video on YouTube in which he described the Carrier IQ software and what it was doing on his Android phone. According to Eckhart, Carrier IQ is logging text messages, Google searches, and phone numbers, then sending this information to users' wireless carriers. He says the software runs silently in the background, cannot be stopped or detected by the user, and is thus essentially a "rootkit" and, more generally, a serious invasion of privacy.

His accusations set off an incredible torrent of news and recriminations, especially for Carrier IQ, the company that makes the eponymously named software. But I'm pretty sure almost all of this is baloney.

First of all, the Carrier IQ software isn't built directly into any smartphone OS, although most Android systems do seem to include it. (The big exception seems to be the Google Nexus devices, which are sold directly from that company.) Apple did previously include variations of Carrier IQ in older versions of iOS, used in its iPhone and iPad products, but no longer does so with iOS 5, the latest version.

Rafael Rivera, my Windows Secrets co-author and one of the technical experts behind the ChevronWP7 tools for Windows Phone, examined Microsoft's mobile OS last week to see whether he could detect the presence of Carrier IQ. He's been doing a lot of network traffic examination lately for unrelated reasons and says he saw nothing even closely resembling Carrier IQ. More tellingly, he downloaded several Windows Phone ROMs -- Verizon- and Sprint-branded handsets are known to be particularly bad offenders -- extracted the files, and searched for references to Carrier IQ based on the information previously provided by Eckhart. He found nothing, and he posted a note to Twitter to that effect on November 29. Microsoft's Joe Belfiore confirmed the news via his own tweet a few days later, noting simply that "Windows Phones don't have CarrierIQ on them."
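The check Rivera describes above (extract a ROM, then search the files for references to the software) is essentially a string scan over a directory tree. The script below is an added example of that kind of scan; it is not Rivera's tool and not anything from Carrier IQ or Microsoft. It builds a small constructed "extracted ROM" directory of made-up files, then walks the tree looking for case-insensitive indicator strings in both UTF-8 and UTF-16LE (Windows binaries often store strings as UTF-16), reading files in chunks with an overlap so a string split across a chunk boundary is still found exactly once. The file names, contents and the indicator strings are assumptions for illustration; a hit only means the string is present, and a clean scan does not by itself prove the software is absent.

```python
import os
import tempfile


def build_sample_tree() -> str:
    """Create a constructed stand-in for an extracted firmware tree (not real ROM contents)."""
    root = tempfile.mkdtemp(prefix="rom_sample_")
    files = {
        # Ordinary package with nothing of interest.
        "system/app/Launcher.apk": b"PK\x03\x04 launcher placeholder, nothing of interest",
        # Package whose manifest mentions a (made-up) agent package name.
        "system/app/Telemetry.apk": b"PK\x03\x04 manifest: com.example.carrieriq.agent (constructed)",
        # Native library with an ASCII string and a UTF-16LE string, as Windows binaries often carry.
        "system/lib/libmetrics.so": (
            b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"IQAgent" + b"\x00"
            + "CarrierIQ".encode("utf-16-le")
        ),
        "system/etc/hosts": b"127.0.0.1 localhost\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def scan_tree(root, patterns, chunk_size=1 << 20):
    """Return a sorted list of (relative path, pattern, encoding, byte offset) for every
    case-insensitive occurrence of any pattern, in UTF-8 or UTF-16LE, under root."""
    # Each pattern is searched in two byte encodings; bytes.lower() folds ASCII only,
    # which is all these indicator strings need.
    needles = [
        (pat, enc, pat.lower().encode(enc))
        for pat in patterns
        for enc in ("utf-8", "utf-16-le")
    ]
    # Carry this many bytes between chunks so a needle straddling a boundary is still seen.
    overlap = max(len(n) for _, _, n in needles) - 1
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                pos = 0      # file offset of buf[0]
                tail = b""   # bytes carried over from the previous chunk
                while True:
                    chunk = fh.read(chunk_size)
                    if not chunk:
                        break
                    buf = tail + chunk
                    low = buf.lower()
                    for pat, enc, needle in needles:
                        i = low.find(needle)
                        while i >= 0:
                            # A match lying wholly inside the carried tail was reported last round.
                            if i + len(needle) > len(tail):
                                hits.append((rel, pat, enc, pos + i))
                            i = low.find(needle, i + 1)
                    keep = min(overlap, len(buf))
                    tail = buf[len(buf) - keep:] if keep else b""
                    pos += len(buf) - keep
    hits.sort()
    return hits


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, pat, enc, off in scan_tree(sample_root, ("carrieriq", "iqagent")):
        print(f"{rel}: '{pat}' ({enc}) at offset {off}")
```

Pointed at a real extracted ROM, the same `scan_tree` call reports which files carry the indicator strings and where, which is the evidence you would then take to a disassembler or a network capture before drawing any conclusion.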

Which raises the question: Who is adding this software to the phones?

In almost every case, it's the wireless carriers. And although it's easy to see evildoing everywhere when it comes to these companies, it's also important to remember that monitoring phone usage is in fact in their best interests: Doing so can result in better device and network performance, much like the Customer Experience Improvement Program (CEIP) in Microsoft Windows and Office.

Well, with one crucial difference: CEIP is opt-in.

Oddly enough, the real victim here might ultimately be Carrier IQ. Yes, they make the software, but the carriers are the ones configuring it and using it. If you buy into the whole "guns don't kill people, people do" argument, then you might find a place in your heart to forgive Carrier IQ too. And certainly, that's the aim of their current PR initiative, which is trying to wipe away all the bad vibes generated by Eckhart and his video.

"Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video," says Carrier IQ's statement. "We know which applications are draining your battery, but do not capture the screen ... The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities."

Meanwhile, lawsuits have already been filed against a number of mobile industry companies, including Apple, AT&T, Carrier IQ, HTC, Motorola Mobility, Samsung, Sprint Nextel, and T-Mobile USA. And some are seeking class action status. If Eckhart was hoping to make a difference, I guess you could say he has.
