Tweet

For the past week or so, the Internet has been buzzing over Carrier IQ – an application that is apparently preinstalled in devices to monitor network and handset performance – and the privacy issues surrounding it.

There are several issues surrounding the reports about Carrier IQ, issues around the kind of information it gathers, the fact that it comes preinstalled in certain devices without asking for user consent, and about what users can do about it.

According to reports, Carrier IQ logs information such as sent or received text messages, Internet searches made, and phone numbers typed into devices. This routine was confirmed through the video posted by Trevor Eckhart, the researcher who initially raised the flag on Carrier IQ.

All Part of the Service

Let us consider the purpose of Carrier IQ: it is an application designed to monitor the performance of the network and the handset. The performance of the carrier can be measured by checking if the services they offer are served properly, services such as text messaging, calls, Internet connection, and others.

Based on this, we can say that collecting information related to the usage of the aforementioned phone features makes a whole lot of sense, or is even a necessity for carriers to effectively monitor and troubleshoot the services they offer.

We discussed this issue with Trend Micro Researcher Rik Ferguson, and he said that much of the content in Eckhart’s video was created in a verbose debugging mode and does not accurately represent how Carrier IQ has been deployed in the wild. According to the manufacturer, Carrier IQ does log keystrokes in SMS, but only to recognize keystroke sequences that act as local commands to Carrier IQ; for example “upload diagnostics now” while you’re on the phone to technical support. It also monitors incoming SMS, again for messages from the carrier which act as commands for Carrier IQ.

The manufacturer has stated that the app has been designed to discard all non-relevant material before it is even processed by the local app, let alone uploaded to the carrier and does not represent a significant risk to privacy.”

The reaction towards the issue shows how unaware people are of how dependent the functionality of a phone is on its carrier. It seems that people have forgotten that every text message, every call, and every Internet search they make involves the passing of their information to different entities – a routine that is all a part of its execution.

User Consent is a Must

We think that more than anything, the real issue about Carrier IQ is informed consent. Carrier IQ comes preinstalled on devices offered by the carriers who employ their service, is automatically executed, and is virtually undetectable by the user. People are very keen on being able to manage their privacy these days and very rightfully so.

For users to be unaware of the existence of such a service, and to have no option to either volunteer their information or not, will surely raise concerns regardless of the legitimacy of the service.

We believe that Carrier IQ is not a malicious program and its routines are all but required, but we also believe that users’ consent to the program’s installation and its routines is also vital.

Users should always be informed if their personal data is to be shared and with whom. They should of course be given the ability to manage that sharing, importantly on an “opt in” basis rather than “opt out”.

Potential Exploitability

Rik also said that perhaps one of the most interesting potential risks inherent in apps such as Carrier IQ is the monoculture/ecosystem it could present to criminals.

If an exploitable vulnerability were to be found in Carrier IQ, its built-in functionality and its huge installed base must be a very attractive prospect for criminals. It’s one of the biggest arguments against multiple carriers deploying the same code without giving the user a chance to decide whether or not they want that code on their device. Couple that with the exaggerated lag times introduced by carriers when rolling out updates, even just to their flavor of Android and the opportunity is multiplied.

Users interested in knowing whether Carrier IQ is installed on their device or not can do so using our tool, which can be downloaded in the Android Marketplace.