
    For the past week or so, the Internet has been buzzing over Carrier IQ – an application that is apparently preinstalled in devices to monitor network and handset performance – and the privacy issues surrounding it.

    There are several issues surrounding the reports about Carrier IQ, issues around the kind of information it gathers, the fact that it comes preinstalled in certain devices without asking for user consent, and about what users can do about it.

    According to reports, Carrier IQ logs information such as sent or received text messages, Internet searches made, and phone numbers typed into devices. This routine was confirmed through the video posted by Trevor Eckhart, the researcher who initially raised the flag on Carrier IQ.

    All Part of the Service

    Let us consider the purpose of Carrier IQ: it is an application designed to monitor the performance of the network and the handset. The performance of the carrier can be measured by checking if the services they offer are served properly, services such as text messaging, calls, Internet connection, and others.

    Based on this, we can say that collecting information related to the usage of the aforementioned phone features makes a whole lot of sense, or is even a necessity for carriers to effectively monitor and troubleshoot the services they offer.

    We discussed this issue with Trend Micro Researcher Rik Ferguson, and he said that much of the content in Eckhart’s video was created in a verbose debugging mode and does not accurately represent how Carrier IQ has been deployed in the wild. According to the manufacturer, Carrier IQ does log keystrokes in SMS, but only to recognize keystroke sequences that act as local commands to Carrier IQ; for example “upload diagnostics now” while you’re on the phone to technical support. It also monitors incoming SMS, again for messages from the carrier which act as commands for Carrier IQ.

    The manufacturer has stated that the app has been designed to discard all non-relevant material before it is even processed by the local app, let alone uploaded to the carrier, and that it does not represent a significant risk to privacy.

    The reaction towards the issue shows how unaware people are of how dependent the functionality of a phone is on its carrier. It seems that people have forgotten that every text message, every call, and every Internet search they make involves the passing of their information to different entities – a routine that is all a part of its execution.

    User Consent is a Must

    We think that more than anything, the real issue about Carrier IQ is informed consent. Carrier IQ comes preinstalled on devices offered by the carriers who employ their service, is automatically executed, and is virtually undetectable by the user. People are very keen on being able to manage their privacy these days and very rightfully so.

    For users to be unaware of the existence of such a service, and to have no option to either volunteer their information or not, will surely raise concerns regardless of the legitimacy of the service.

    We believe that Carrier IQ is not a malicious program and its routines are all but required, but we also believe that users’ consent to the program’s installation and its routines is also vital.

    Users should always be informed if their personal data is to be shared and with whom. They should of course be given the ability to manage that sharing, importantly on an “opt in” basis rather than “opt out”.

    Potential Exploitability

    Rik also said that perhaps one of the most interesting potential risks inherent in apps such as Carrier IQ is the monoculture/ecosystem it could present to criminals.

    If an exploitable vulnerability were to be found in Carrier IQ, its built-in functionality and its huge installed base would make it a very attractive prospect for criminals. It’s one of the biggest arguments against multiple carriers deploying the same code without giving the user a chance to decide whether or not they want that code on their device. Couple that with the exaggerated lag times introduced by carriers when rolling out updates, even just to their own flavor of Android, and the opportunity is multiplied.

    Users interested in knowing whether Carrier IQ is installed on their device or not can do so using our tool, which can be downloaded in the Android Marketplace.


    • Kervin Alintanahin

      That is why we clearly indicated in the blog that users should be informed and have the option to “opt in” instead of an “opt out” option, meaning that users should be notified first before “the installation of the software”/“using the software if it is already pre-installed”.

    • iBleedBlue

      Kervin, I think that you have missed the main issue here completely. You are correct, every SMS, web traffic, and phone call I placed does go through my carrier’s network and its content could potentially be accessed by the carrier. However, the fact that there is a third-party application running on the device sending private information to someone other than my carrier is a breach of privacy. Are we ever notified at any point that this information is being collected by someone other than the carrier, or what type of information is sent out behind the scenes? It is irrelevant if they (Carrier IQ) decide to use the data (or what data for that matter) or not. The fact still remains that the potential for someone other than who I am paying for the service is collecting my data using bandwidth from my data plan to transmit that information to a company I did not know even had access to my phone.
