16

There has been a lot of discussion about Carrier IQ, monitoring software that is pre-installed on many Android phones. Many allegations have been thrown out.

My questions: What exactly does Carrier IQ do? What information does/doesn't it record on your device? What information does/doesn't it transmit off your device? Could it transmit additional information if Carrier IQ or the carrier transmitted instructions to it to turn on broader logging? More generally, what exactly is the risk posed by Carrier IQ, if any? How much should Android users be concerned? Can we gather a summary of what is known about Carrier IQ?

For instance, I have seen claims that the Carrier IQ software learns about things like keystrokes, text messages, and other personal information, but it does not transmit them (in its default configuration) off the phone. OK, as far as that goes. Does it store this information in any log file or any other persistent storage on the phone? And do Carrier IQ or the carrier or phone manufacturer have the ability to send additional instructions/commands to the Carrier IQ application, post-facto, to enable it to start logging this information or communicate it off the phone?

D.W.

4 Answers

23

Let's break it down by category.

What information does Carrier IQ monitor? Trevor Eckhart says (depending on the phone manufacturer) it receives each key pressed/tapped, the location of any tap on the screen, the contents of all text messages received, the name of each app that you open or switch focus to, information about each call you receive, your location each time location is updated/queried, the URL of each web page visited (including URL parameters; yes, even for https URLs), and possibly other information about each HTTP request. I have not seen anyone dispute these claims.

Note that this is information that is monitored by the Carrier IQ application; that doesn't necessarily mean that the application does anything with the data, stores it, or allows it to leave your phone.

What information does Carrier IQ record on your phone? It is hard to get clear information on what information might be stored in your phone on persistent storage or log files. Does Carrier IQ log the information that it receives? I don't know.

Carrier IQ says that their software "does not record, store or transmit the contents of SMS messages, email, photographs, audio or video", and they have said "we're not storing" keystrokes and that they "do not record text messages". However, they also say that they do "record where you were when [a] call [is] dropped, and the location of the tower being used". Lookout says "it doesn't appear that they are sending your keystrokes straight to the carriers". Dan Rosenberg seems to suggest that the Carrier IQ application is "recording events like keystrokes and HTTPS URLs to a debugging buffer", but it is not clear to me where that debugging buffer is stored (just in the memory of the Carrier IQ application? or on persistent storage of some sort?), and it is always possible I have misinterpreted his statement or read too much into a brief phrase. Dan Rosenberg subsequently elaborated, finding that on one particular phone, CarrierIQ can record URLs visited (including for HTTPS), GPS location data, and phone numbers, but not all keystrokes, not the contents of SMS texts, and not the contents of web pages browsed.

CarrierIQ has subsequently clarified that their software does record "the telephone numbers the SMSs are from and to".

Trevor Eckhart said that the Carrier IQ software on his HTC phone recorded a lot of personal data (keys pressed, SMS texts, etc.) into a debugging log file, so this information is stored in the clear on his phone. Carrier IQ has subsequently confirmed this finding. Carrier IQ says this is because the debug capabilities remained switched on; it sounds like they are blaming HTC for not deleting or disabling the debugging code in the Carrier IQ software. It is not known whether a similar problem may be present on phones from other manufacturers, or if this is limited to just HTC phones.

What information is transmitted to carriers? Carrier IQ says that only diagnostics information and other statistics leave your phone: "For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen." Dan Rosenberg says that the software can also report your location (GPS) in some situations. Carrier IQ has confirmed that their software captures phone numbers dialed and received and all URLs visited, if enabled by the carrier.

However, Carrier IQ also says that the amount of information that is sent to carriers is up to the carrier, and agrees that the Carrier IQ application has the capability to transmit what applications are being used and what URLs the user visits. Some of the carriers have not been very forthcoming: e.g., Sprint says they "collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool" (not very specific); AT&T says their use of Carrier IQ complies with their published privacy policies, but hasn't said anything more. Other carriers have been more explicit: Verizon and RIM say they don't use Carrier IQ and they don't pre-install it on any of their phones. Apparently T-Mobile uses Carrier IQ, but I have not yet found a statement from them.

Carrier IQ has subsequently disclosed a bug in their code which may cause it, under certain special circumstances, to capture the content of text messages and inadvertently transmit it to the carrier, as the result of an unintended bug in their code.

How is the information transmitted to carriers? Carrier IQ says that any information that is transmitted off the phone is sent over an encrypted channel to the carrier. I haven't seen anyone dispute this statement.

Can carriers or others command the application to change any of this? I don't know. I can't tell if there is a way that carriers or Carrier IQ can send a command to the Carrier IQ application to cause it to collect, record, or communicate more information than it does in its normal operating mode.

Trevor Eckhart says that carriers can "push" a data collection profile to a phone. He also says that the profile specifies what data is collected, stored, and transmitted off the phone by the Carrier IQ application, and that any data that is received by the Carrier IQ application is potentially eligible to be transferred off the device, if the profile specifies that. He suggests that a "portal administrator" (at the carrier, presumably) thus has the ability to target a particular subscriber, push to them a profile that causes the phone to transmit a broad variety of information (keys pressed, contents of text messages, URLs, etc.) off the phone, and then can view this information. If this is accurate, it suggests that, even if the application does not normally transmit this information off the phone, the carrier has the ability to force the application to do so. It is not clear if there is any notification to the user or any attempt to gain consent before this occurs. I have not seen any independent analysis of these claims.

CarrierIQ has subsequently confirmed that it is possible to send control messages to the CarrierIQ software via SMS, to command the CarrierIQ software to perform certain tasks. CarrierIQ has not clarified what is the full range of commands that can be sent, or how the CarrierIQ software authenticates these command SMSs to make sure they are not exploited by attackers, so it is difficult to assess the risks associated with this feature.

Other information sources. Wikipedia has a page on Carrier IQ, which includes some updates, a list of carriers and handset manufacturers who do or don't deploy Carrier IQ, some reactions from policymakers, and lawsuits against Carrier IQ.

Gilles 'SO- stop being evil'
D.W.
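The control-SMS point raised in the answer above (whether the agent authenticates commands before acting on them) can be made concrete. The following is an added Python example written for this page; it is not Carrier IQ's code and does not describe its real message format, which is not public. The `CIQ <COMMAND> <ARG>` wire format, the command names, the shared key and the agent class are all invented for illustration. It contrasts an agent that accepts any well-formed command with one that requires an HMAC tag and a strictly increasing counter, and shows forged, tampered and replayed messages being rejected by the second design.

```python
import hmac
import hashlib

# Constructed for this example; a real deployment would provision a per-device key.
KEY = b"example-shared-secret-not-real"
ALLOWED = {"SET_PROFILE", "UPLOAD_NOW", "DISABLE"}   # hypothetical command set


def parse_insecure(sms: str):
    """Weak design: anyone who learns the (constructed) format
    'CIQ <COMMAND> <ARG>' can drive the agent, since nothing proves
    the message came from the carrier."""
    parts = sms.split(" ", 2)
    if len(parts) != 3 or parts[0] != "CIQ" or parts[1] not in ALLOWED:
        raise ValueError("not a control message")
    return parts[1], parts[2]


def build_authenticated(command: str, arg: str, counter: int, key: bytes = KEY) -> str:
    """Carrier side: bind counter, command and argument together with an HMAC."""
    body = f"{counter}|{command}|{arg}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"CIQ {body}|{mac}"


class AuthenticatedAgent:
    """Device side: accept a command only if the MAC verifies and the counter
    is strictly greater than the last one seen (rejects forgery and replay)."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = -1

    def parse(self, sms: str):
        if not sms.startswith("CIQ "):
            raise ValueError("not a control message")
        try:
            body, mac = sms[4:].rsplit("|", 1)          # MAC is the last field
            counter_s, command, arg = body.split("|", 2)
            counter = int(counter_s)
        except ValueError as exc:
            raise ValueError("malformed control message") from exc
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):     # constant-time comparison
            raise ValueError("bad MAC: forged or corrupted command")
        if counter <= self.last_counter:
            raise ValueError("stale counter: replayed command")
        if command not in ALLOWED:
            raise ValueError("unknown command")
        self.last_counter = counter
        return command, arg


def demo() -> dict:
    """Exercise both designs with forged, genuine, replayed and tampered messages."""
    results = {}
    forged = "CIQ SET_PROFILE log_everything"          # attacker-crafted text
    results["insecure_accepts_forged"] = parse_insecure(forged) == ("SET_PROFILE", "log_everything")

    agent = AuthenticatedAgent()
    genuine = build_authenticated("UPLOAD_NOW", "diagnostics", counter=1)
    results["auth_accepts_genuine"] = agent.parse(genuine) == ("UPLOAD_NOW", "diagnostics")

    def rejected(msg: str) -> bool:
        try:
            agent.parse(msg)
            return False
        except ValueError:
            return True

    results["auth_rejects_forged"] = rejected("CIQ 2|SET_PROFILE|log_everything|" + "0" * 64)
    results["auth_rejects_replay"] = rejected(genuine)           # same counter again
    results["auth_rejects_tampered"] = rejected(genuine.replace("diagnostics", "everything"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The counter is what turns a MAC into replay protection: without it, a captured genuine "push this profile" message could be re-sent to the device at any later time. A real design would also need a per-device key and a way to recover if the counter state is lost, neither of which the answer above has information about.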
6

Another aspect that has not been adequately addressed by CarrierIQ or their customers (the network providers) is what is effectively stored in memory by the CarrierIQ rootkit and how. All we know from the CarrierIQ marketing person interviewed is that between 200K and 400K of data is sent on a regular basis, but no indication has been given as to if this is compressed in some way (quite likely) or not.

There are two basic places the application can hold the data collected: in its process space (heap) or in a file system of some form (RAM, FLASH) prior to sending some or all of it off the device. (Oh, and the reports of this being "encrypted" are a bit misleading, as it appears to be only the basic "over the air" network encryption (A5/x), which is known to be broken and for which eavesdropping equipment is available from many places; Privacy International recently released a report on this, which the well respected investigative journalist Duncan Campbell has commented on.)

I suspect, as the CarrierIQ rootkit was (supposedly) developed as a developer's diagnostic tool, the level of information in the process space is very large and very intrusive on privacy, likewise the contents of the log file; such is the nature of data required for deep-level diagnostics.

So the question arises of what other apps or malware can see of this "on the phone" data. Obviously, if other software can see into the process space, anything and everything the CarrierIQ rootkit collects, irrespective of later filtering, is available.

Likewise the log file; the only difference is how "processed or filtered" the contents of the file are.

In both cases the accessibility of the data via an application is firstly dependent on the process and file system access controls, and secondly on the ability to know what the corresponding meta-data is for each item, to turn it from bits back into information. I've seen little or no information with regards to this.

However if the malware software is "in or below the OS" as either a rootkit or device driver etc only the "meta-data" would act as a constraint.

So if I was a malware writer the CarrierIQ rootkit data would be my first port of call, as it is a much easier route for me to get at, and much, much less likely to cause the OS or user apps to hang than if I tried adding my own hooks to extract the same data.

There is then the question of what can a person with access to the network providers infrastructure do without installing anything on a targets phone?

The answer is anything and often considerably more than the network provider can.

An example of this was the "mobile phone hacking" of Greek Government and other officials prior to and during the last Olympic games held there. The unknown attackers installed "Network Test and Monitoring" software on the network switches, produced by the switch manufacturer but which the network provider did not have. This software was then adapted/used to mount the surveillance operation in a major way. Apparently it only came to light when billing discrepancies occurred long after the event.

So in some respects CarrierIQ's rootkit is the ideal front end for anyone wishing for whatever reason to mount significant surveillance on individuals without their, the network provider or CarrierIQ's knowledge.
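Two points from the answers above lend themselves to a quick on-device check: that a debug build left personal data in a clear-text log (Trevor Eckhart's HTC finding, described in the first answer), and that what other apps can read of it depends on file-system access controls (this answer). The following is an added Python example, not part of either answer and not based on any real Carrier IQ log; the sample log lines and their format are constructed for illustration, and the category regexes are simple heuristics. It scans the log for the kinds of data the answers describe (keystrokes, phone numbers, HTTPS URLs with query parameters, location fixes) and checks whether the file's mode lets processes other than the owner read it.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed sample in the *style* of the debug logging the answers describe.
# The line format is invented; no real Carrier IQ log format is known to the
# author of this example.
SAMPLE_LOG = """\
2011-12-01 10:02:11 KEY 0x33
2011-12-01 10:02:12 KEY 0x34
2011-12-01 10:03:40 SMS from=+15551234567 to=+15559876543 len=42
2011-12-01 10:04:02 HTTP https://bank.example/login?user=alice&otp=483921
2011-12-01 10:04:03 HTTP http://news.example/
2011-12-01 10:05:17 LOC 37.7749,-122.4194
2011-12-01 10:06:00 APP com.example.mail
"""

PHONE_RE = re.compile(r"\+?\d{10,15}")                                  # E.164-ish numbers
LOC_RE = re.compile(r"\b-?\d{1,3}\.\d{3,},\s*-?\d{1,3}\.\d{3,}\b")      # lat,lon pairs


def classify_line(line: str) -> list:
    """Return the sensitive-data categories found in one log line."""
    findings = []
    if " KEY " in line:
        findings.append("keystroke")
    for url in re.findall(r"https?://\S+", line):
        parts = urlsplit(url)
        if parts.scheme == "https":
            # TLS protects the URL on the wire; it does nothing for a local log.
            findings.append("https_url")
        if parts.query:
            findings.append("url_query_params")
    if PHONE_RE.search(line):
        findings.append("phone_number")
    if LOC_RE.search(line):
        findings.append("location")
    return findings


def scan_log(text: str) -> dict:
    """Count how many lines carry each category of sensitive data."""
    counts = {}
    for line in text.splitlines():
        for category in classify_line(line):
            counts[category] = counts.get(category, 0) + 1
    return counts


def readable_by_others(path: str) -> bool:
    """The access-control question from the answer above: can a process
    running as a different user (another app) read the file at all?"""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo() -> dict:
    """Scan the constructed log and compare a loose and a strict file mode."""
    counts = scan_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "debug_loose.log")     # what a debug build might leave
        strict = os.path.join(tmp, "debug_strict.log")   # owner-only
        for path, mode in ((loose, 0o644), (strict, 0o600)):
            with open(path, "w") as fh:
                fh.write(SAMPLE_LOG)
            os.chmod(path, mode)
        exposure = {"loose": readable_by_others(loose), "strict": readable_by_others(strict)}
    return {"counts": counts, "exposure": exposure}


if __name__ == "__main__":
    result = demo()
    print("sensitive lines by category:", result["counts"])
    print("readable by other apps:", result["exposure"])
```

On a real device the check would be run against the actual log path and the UID the file belongs to, and the heuristics extended to whatever field names the log uses; the point of the example is that "encrypted in transit" says nothing about a world-readable file left on flash.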

3

This video (and article) was posted on Wired. In addition to the answer by @D.W., I'd like to underline that apparently there is absolutely no possibility to stop the app from running (even if the user is tech-savvy enough to find and kill an app), and neither has the user any possibility whatsoever to opt out. Hence the assertion that it is a 'rootkit', which has also stirred some violent reactions. I find it is a strong violation of privacy, whether the data is actually sent to the service provider or not. I don't know if it is possible to hack CarrierIQ into transmitting data to a malicious 3rd party, but if so, it could be the ideal injection point for malicious code, since it gives access to literally everything on the phone. No wonder it has been kept secret.

Count Zero
3

CarrierIQ poses the risk of all a phone's data being exposed to the network provider and anyone savvy enough to write software to connect to and control it. However, one apparently overlooked risk is that EVERY phone passes 100% of its data, whether it's voice calls, SMS, HTTP traffic or whatever, to the network, which could record that data and use it in any way. That's how mobile phones work: when you send an SMS to someone, it doesn't go directly from your phone to the recipient's; it first passes through your service provider and possibly through your recipient's provider. Perhaps your user agreement says they won't capture that data, but if they put spyware on your phone, who's to say they aren't also recording the data you willingly send them?

twichy
If you enter your online banking password on an HTTPS web page, the provider will not be able to see it. But according to media reports, the provider can activate the CarrierIQ debug software to record all keystrokes. This means the provider will see that you typed in the web address of a bank and then know that the next typed keys will most likely be username and password. Keep in mind that this is not limited to providers but also allows access to people who tricked a phone into accepting them as a relay. – Hendrik Brummermann Dec 16 '11 at 19:11