News by Michael Oryl on Tuesday December 06, 2011.
According to yet another security researcher, the much-maligned Carrier IQ "snooping" software that is found in many smartphones is not evil, and is not guilty of many of the privacy crimes ascribed to it. Dan Rosenberg of application security company VSR claims to have extensively dissected the inner workings of the Carrier IQ software on a Samsung Epic Touch 4G for Sprint.
In short, Rosenberg finds that the application does not, and could not, record the bodies of SMS and email messages, the contents of web pages, or similarly personal information - in spite of earlier reports. Many informational items, such as location information and battery status, are indeed being sent, but are largely benign from Rosenberg's viewpoint.
Rosenberg reports that Carrier IQ can, indeed, log keystrokes, but that it can only do so in the dialer application. Since carriers already have access to the phone numbers being dialed from any given phone, he concludes that this is a non-event.
There are some items that are still cause for some alarm, though. While the contents of web pages are not being sent, the URLs accessed by smartphone users, including secure URLs, can be collected. Likewise, the names of applications that are running on the phone can be transmitted to the carrier via the Carrier IQ application, meaning that a carrier could potentially identify users making use of unauthorized tethering and hotspot applications.
Rosenberg sums up his findings in the following list, copied from his blog post:
Rosenberg goes on to suggest that what carriers and handset manufacturers need to do is be more transparent about what data is being collected, and provide users a means to opt out. He also says that he and his company have never had a professional relationship with Carrier IQ, but that the company read his report and verified its accuracy.