
Researcher says Carrier IQ is not evil, has limited snooping capabilities


News by Michael Oryl on Tuesday December 06, 2011.


According to yet another security researcher, the much-maligned Carrier IQ "snooping" software that is found in many smartphones is not evil, and is not guilty of many of the privacy crimes ascribed to it. Dan Rosenberg of application security company VSR claims to have extensively dissected the inner workings of the Carrier IQ software on a Samsung Epic Touch 4G for Sprint.

In short, Rosenberg finds that the application does not, and could not, record the bodies of SMS and email messages, the contents of web pages, or similarly personal information - in spite of earlier reports. Many informational items, such as location information and battery status, are indeed being sent, but are largely benign from Rosenberg's viewpoint.

Rosenberg reports that Carrier IQ can, indeed, log keystrokes, but that it can only do so in the dialer application. Since carriers already have access to the phone numbers being dialed from any given phone, he concludes that this is a non-event.

Some items are still cause for alarm, though. While the contents of web pages are not being sent, the URLs accessed by smartphone users, including secure URLs, can be collected. Likewise, the names of applications that are running on the phone can be transmitted to the carrier via the Carrier IQ application, meaning that a carrier could potentially identify users making use of unauthorized tethering and hotspot applications.

Rosenberg sums up his findings in the following list, copied from his blog post:

    - Carrier IQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.
    - Carrier IQ (on this particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call. I'm not a lawyer, but I would expect cell carriers already have legal access to this information.
    - Carrier IQ (on this particular phone) cannot record any other keystrokes besides those that occur using the dialer.
    - Carrier IQ can report GPS location data in some situations.
    - Carrier IQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.

Rosenberg goes on to suggest that carriers and handset manufacturers need to be more transparent about what data is being collected, and provide users a means to opt out. He also says that he and his company have never had a professional relationship with Carrier IQ, but that the company read his report and verified its accuracy.

 

About the author

Michael Oryl
Michael is the Philadelphia-based owner and former editor-in-chief of MobileBurn.com. You can follow him on Twitter as @MichaelOryl.
