Carrier IQ’s MSIP: Spyware according to some

Smart phones and associated apps are coming under increased scrutiny from privacy groups. Still, software from Carrier IQ – Mobile Service Intelligence Platform (MSIP) – escaped their watchful eye. What’s more, the “who’s who” of telecom providers – except Verizon — have been using MSIP since 2006. That tidbit was also missed.

Then, Trevor Eckhart started poking around the Carrier IQ website and the innards of his Android smart phone.

Initial optimism

Eckhart was able to get a stock copy of the MSIP client:

“It has surveys users can fill out if they get a dropped call, browser ends unexpectedly, etc. It makes its presence known by putting a checkmark in the status bar. This could potentially be pretty useful information from a network administration standpoint, and is made clear to users it is running.”

The following slide is a screen shot of the stock MSIP client app. Note the encircled check box (courtesy of Trevor Eckhart):

Eckhart’s initial conclusion:

“Great! Less dropped calls, better network experience. It sounds good on the surface.”

Wait a minute

Remember I said the above slide was from the stock version of MSIP version. Well, Eckhart started checking out his HTC phone. What he found was nothing like what was described on the Carrier IQ website.

The MSIP client remains hidden, runs as “user root”, has access to all sorts of sensitive data, and can phone home. Eckhart’s website offers the following as proof:

If that sounds familiar, it should. According to Wikipedia:

“A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer.”

The only debatable difference from the Wiki definition is whether MSIP is malicious or not. Eckhart describes why he likens MSIP to malware on his Android Security Test website, Part One and Part Two. In addition, Eckhart provides a YouTube video, further explaining his research.

Second source

I wouldn’t be worth much if I didn’t second source Eckhart’s claims. I knew that the Electronic Frontier Foundation (EFF) was involved, so I wandered over to their website. Peter Eckersley’s post Some Facts about Carrier IQ offered the following:

“This post will attempt to explain Carrier IQ’s architecture, and why apparently conflicting statements about it are in some instances simultaneously correct. The information in this post has been synthesized from sources including Trevor Eckhart, Ashkan Soltani, Dan Rosenberg, and Carrier IQ itself.”

Read what Eckersley has to say. It sheds significant light as suggested by the slide below (courtesy of EFF and Parker Higgins):

What does it mean?

To make sense of all this, I decided to ask the experts. William Francis for one, I never take an Android step without my fellow smart-phone investigator.

Kassner: William, what do you think about the Carrier IQ debacle?

Francis: I’m not really sure about the Carrier IQ thing. My gut says it encrypts data before packaging it and sending over the network to carriers. The YouTube video shows someone looking at debug logs locally. Debug-out messages shouldn’t be left in production released code, but it’s not uncommon.

My impression; the real issue with Carrier IQ falls on the carriers. Carrier IQ is designed to be able to collect a lot of information. But the carrier configures what information, and how much actually gets collected before shipping the phones.

Unless Carrier IQ is transmitting unencrypted data over the public cell network, I think the carriers should be answering any questions about privacy concerns. The carriers being the party who chose to include the app on the phone’s read-only memory and the party who ultimately decided what info will be collected and transmitted back to them.

Kassner: What would you do if the MSIP client was installed on your phone?

Francis: Good question. To my surprise, the Carrier IQ MSIP app is not there. So I don’t have a good answer. My gut tells me I’d wait for the carrier to do the right thing and update my device with a Carrier IQ-free or at least a more-transparent version of Carrier IQ in the mix.

I really believe Carrier IQ has been largely exaggerated as a threat. And, for your average phone user, the complications of removing it aren’t worth it.

Thanks, William.

On the surface, William’s hope that carriers do the “right thing” seems prophetic. Sprint is removing the app from phones under their control. One reason might be to avoid a lawsuit naming them along with Carrier IQ, Apple, Samsung, Motorola, ATT, and T-Mobile.

One more opinion

Next, I talked to the people at Lookout Mobile Security (you will see why in a bit). Alicia diVittorio, in charge of communications, responded:

Kassner: Why are telecom providers using Carrier IQ’s MSIP system?

diVittorio: Carrier IQ is diagnostic software that comes pre-installed on some mobile devices. Mobile network operators use information gathered on your location and call activity to improve network coverage and reduce instances of dropped calls.

We feel the tone of most commentary on the subject has improved from initial speculation of a ‘rootkit’ to rational evaluations of what personal data is collected, and when. One of the most informative examples of the latter was Peter Eckersley’s December 13th overview of the Carrier IQ architecture at EFF. (Note: diVittorio and I referenced the same EFF post.)

What’s the plan?

Well, I’m thinking the first step is to see if the dang thing is installed on our phones.

That’s why Lookout and diVittorio are here. They have an app for determining if the MSIP client is installed:

“It can be difficult for non-technical users to determine whether or not their handset is affected. We’ve developed the Carrier IQ Detector to aid in this process in an effort to keep mobile users fully informed about what their phone is doing.”

With Lookout Carrier IQ detector installed, you will see one of the following slides:

I had a few more questions for Alicia:

Kassner: Experts are saying detection is difficult to accomplish, what does the Lookout app do to determine if the Carrier IQ software is installed?

diVittorio: We built a repository all of all the different files that could be related to Carrier IQ, and used this in our Detector App.

Kassner: Developers are claiming they can disable Carrier IQ. Is that possible? If so, why doesn’t Lookout offer that capability?

diVittorio: Carrier IQ software is deeply integrated with handset firmware — you would have to root your phone in order to remove it. As you well know, side effects of rooting a device have the potential to put users at further risk of malware infection while making devices ineligible to receive firmware updates in the future.

Thanks, Alicia.

Remove MSIP client

Eckhart agrees with diVittorio:

“The only choice we have to ‘opt out’ of this data collection is to root our devices because every part of the multi-headed CIQ application is embedded into low-level, locked regions of the phones.”

William was not kidding. Removing the MSIP client is far from simple. For example, here’s one method I found:

• First, the phone needs to be rooted.
• Next, Logging Test App is installed to locate the files.
• Then, the Logging Test App is updated using Pro Key to unlock the removal process.
• Finally, the offending MSIP client software can be removed.

Final thoughts

For the most part, I’m going to let the dust settle on this. I do have a question though: If code, such as Carrier IQ’s MSIP is benign, why be so secretive?