Carrier IQ spyware controversy highlights mobile app access missteps

Security experts say the Carrier IQ software, designed to stealthily transmit a wealth of
smartphone usage data to wireless carriers and vendors, is a serious enterprise security threat and
highlights the need for greater transparency about the data being collected.

Security researcher Trevor Eckhart recently discovered the Carrier IQ software on a variety of Android mobile devices, and it is capable of running on other platforms including those from BlackBerry and Nokia. The software, used by AT&T, Sprint and T-Mobile, is intended to provide metrics to mobile carriers, but it is not always optional; in many cases users don’t know it is on their devices.

Eckhart said he found Carrier IQ running in the background on his HTC device, and that it
appeared to be tracking nearly all interactions on his mobile phone, from monitoring key presses
and browsing history, to location data and SMS logs.

Experts warn that enterprises should educate device owners about the permissions they give to certain mobile applications. An unknown number of mobile applications collect potentially sensitive data because users are often too quick to give elevated mobile app access privileges.

“Device owners are more likely to have problems from quickly installing applications that they
don’t know much about,” said Cameron Camp, a research systems manager at San Diego-based antivirus
vendor ESET LLC. “The problem here isn’t that Carrier IQ or the mobile operators are doing evil
things; they clearly haven’t been fully transparent and that’s what people are taking issue
with.”

The goal of the software, according to Carrier IQ, is to help mobile operators improve service
quality. In a statement, Carrier IQ said Eckhart’s research doesn’t show how the application
processes the data and what data is transmitted from the device. Carrier IQ said its application
captures only data specified by carriers according to their privacy standards and agreements with
users. Other researchers have validated Carrier IQ’s claims. Researcher Dan Rosenberg reverse-engineered the Carrier IQ software and found that it does not record SMS messages or keystrokes.

Eckhart’s research shows the Carrier IQ software runs like a rootkit, stealthily sniffing data. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers. Experts said the discovery draws comparisons to the rootkit-based digital rights management (DRM) system installed in 2005 by Sony BMG Music Entertainment Inc. to prevent CD copying.

The discovery of the software has raised ire in the security community and among privacy advocates, who say both Carrier IQ and mobile carriers are failing to provide transparency into the data they collect. Author and security expert Bruce Schneier called Carrier IQ “spyware” and speculated that it is just one of multiple iterations of surveillance software in use by mobile platform providers.

Romania-based antivirus vendor BitDefender has issued an Android application designed to detect the Carrier IQ software. Most users presume their devices are free from spyware and Trojans, said Catalin Cosoi, head of BitDefender’s Online Threats Lab. The Carrier IQ software fails the transparency test, Cosoi said, and degrades trust.

“We have mobile analytics and applications for PCs to send statistics, but this should be only
anonymous data and the user has to be informed that this information gets sent to service
providers,” Cosoi said. “There needs to be some kind of opt-out.”

In some cases, poor coding practices result in an application that has too much access to device processes. Last year, two researchers demonstrated a variety of mobile application vulnerabilities and said the smartphone marketplaces have fostered a new wave of less-skilled developers who build applications as quickly as possible to gain as much visibility and profit as they can.

The kind of notifications given to users by mobile applications must be clear and should explain why an application needs to connect to a specific device resource, said Ahmed Datoo, vice president of marketing at Redwood City, Calif.-based mobile device management vendor Zenprise. Enterprises face legal risks if they fail to establish mobile device security and privacy policies, Datoo said.

Datoo said Zenprise uses a multi-tier approach to notifying the user. For example, a pop-up notification informs the user whenever location data is used by the Zenprise application. The notification appears even if the user initially gave the application permission to tap into the device’s global positioning system. The Zenprise application uses the data to set location-based security policies.
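The properties Cosoi and Datoo describe (collect only what a stated policy allows, send only anonymized identifiers, tell the user each time a sensitive resource is read even after the initial grant, and honour an opt-out) can be expressed as a small access-mediation layer. The following is an added example written for this page, not code from Zenprise, Carrier IQ or any of the vendors quoted; the class and field names, the salt and the sample events are all constructed for illustration.

```python
"""Consent-gated telemetry collector (added example, not vendor code).

Demonstrates the defensive properties the article calls for:
  1. data minimization: only fields named by an explicit policy leave the device,
  2. pseudonymization: stable identifiers are replaced by a keyed hash,
  3. use-time notification: the user is told every time a sensitive category
     is read, even though the permission was granted earlier,
  4. opt-out: once set, nothing further is queued for transmission.
All names, values and events below are constructed for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Categories whose every use triggers a user-visible notification.
SENSITIVE_CATEGORIES = {"location", "contacts", "sms"}


@dataclass
class Policy:
    allowed_fields: frozenset   # the only keys the collector may forward
    pseudonymize: frozenset     # keys replaced by a keyed hash before sending


@dataclass
class ConsentState:
    granted: set = field(default_factory=set)  # sensitive categories the user approved
    opted_out: bool = False


class TelemetryCollector:
    def __init__(self, policy, consent, notify, salt):
        self.policy = policy
        self.consent = consent
        self.notify = notify   # callback notify(category, field_names); e.g. a pop-up
        self.salt = salt       # per-install secret so hashes are not linkable across devices
        self.sent = []         # records that would be transmitted, kept for inspection

    def _pseudonymize(self, value):
        # Keyed hash: consistent for one install, not reversible without the salt.
        return hmac.new(self.salt, str(value).encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, category, event):
        """Return the sanitized record that was queued, or None if it was dropped."""
        if self.consent.opted_out:
            return None
        if category in SENSITIVE_CATEGORIES and category not in self.consent.granted:
            return None
        # Drop everything the policy does not explicitly allow (e.g. keystrokes).
        kept = {k: v for k, v in event.items() if k in self.policy.allowed_fields}
        for k in self.policy.pseudonymize:
            if k in kept:
                kept[k] = self._pseudonymize(kept[k])
        if category in SENSITIVE_CATEGORIES:
            # Notify on every use, not only at the initial permission prompt.
            self.notify(category, sorted(kept))
        self.sent.append((category, kept))
        return kept


def demo():
    """Run the collector over constructed events and return what happened."""
    notices = []
    policy = Policy(
        allowed_fields=frozenset({"lat", "lon", "device_id", "signal_dbm"}),
        pseudonymize=frozenset({"device_id"}),
    )
    consent = ConsentState(granted={"location"})
    collector = TelemetryCollector(
        policy, consent, lambda cat, fields: notices.append((cat, fields)), b"per-install-salt"
    )
    # Constructed event: the app can see keystrokes, but policy never lets them out.
    loc = collector.record("location", {"lat": 37.48, "lon": -122.24,
                                        "device_id": "IMEI-000", "keystrokes": "hunter2"})
    radio = collector.record("radio", {"signal_dbm": -87, "device_id": "IMEI-000"})
    sms = collector.record("sms", {"body": "hello"})   # never granted, so dropped
    consent.opted_out = True
    after = collector.record("location", {"lat": 1, "lon": 2})
    return {"loc": loc, "radio": radio, "sms": sms, "after": after, "notices": notices}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of `record` is that the policy, not the application, decides what leaves the device, and that the user sees a notice at the moment of use rather than only at install time. The same pseudonymized `device_id` appears in both the location and radio records, so analytics can still correlate events from one install without receiving the raw identifier.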

“Carrier IQ has heightened scrutiny and awareness of what data is being collected and not being
collected and how a user gets notified,” Datoo said. “If an enterprise develops mobile applications
it better make sure it communicates what it is collecting from the end user.”


Article source: http://searchsecurity.techtarget.com/news/2240112017/Carrier-IQ-spyware-controversy-highlights-mobile-app-access-missteps
