Mobile device and network diagnostic firm Carrier IQ early Tuesday issued a detailed report about what it is up to with your smartphone data. The company has been under fire ever since Trevor Eckhart discovered CIQ software working behind the scenes on a variety of smartphones. Eckhart originally accused CIQ of installing malware on people’s phones and monitoring users’ key presses, SMS messages, location data and web browsing history.
Even Google’s Executive Chairman Eric Schmidt recently referred to CIQ software as a keylogger. A keylogger is software that records your key presses; it is most often deployed as malware in an attempt to capture sensitive input such as passwords.
While CIQ admits that it does collect some of the data detailed by Eckhart, the company says its software is not used for malicious purposes and is not a keylogger. Instead, any data collected by CIQ software is used to improve user experience and cellular network performance. Nevertheless, CIQ said it recently worked with Eckhart to identify some areas of concern with the company’s software.
What is Carrier IQ?
Carrier IQ is a mobile diagnostic company that uses software installed on more than 150 million mobile devices worldwide. CIQ software installed on mobile devices is called the IQ Agent and collects diagnostic information about your device such as battery performance, device stability, network coverage, voice call performance, and connectivity issues. CIQ says that while its software can collect a wide variety of information, it is up to the carriers to determine what kind of data is collected on any given device.
Here’s a look at some of the highlights from CIQ’s report (PDF).
SMS bug
It turns out the IQ Agent has been logging some users’ SMS messages in limited circumstances, such as when you receive an SMS during a call or data session. The company blames this problem on a bug, since CIQ software isn’t supposed to capture content from personal communications. Captured SMS messages were never in a human-readable format, according to the company; note that an encoded or proprietary format is not the same thing as encryption, and the messages were still captured. CIQ also said the SMS bug did not cause the company’s software to record web or app content, MMS, email, photos, voice calls, or video.
Collects phone numbers, URLs
CIQ’s software can record phone numbers both dialed and received if a carrier asks the CIQ agent to do so. Phone numbers are recorded so that network operators can diagnose and maintain their networks to help prevent dropped calls and other problems, according to CIQ. The company also points out that carriers already have this information so CIQ isn’t collecting anything a carrier doesn’t already see.
Web addresses can also be recorded if a carrier wants to diagnose performance issues. Say, for example, Sprint smartphones were having problems connecting to Facebook.com from lower Manhattan. CIQ’s software could help Sprint diagnose this issue and improve the service, according to CIQ.
CIQ also stressed that its software can only capture URLs and not webpage content, so information such as usernames and passwords typed into a page would not be captured. The caveat a practitioner would raise is that a URL can itself carry sensitive data: a login form submitted with GET, or a session identifier passed in the query string, ends up in the captured URL even though no page content is recorded.
About that keylogging…
Based on Eckhart’s video, the CIQ agent on an HTC phone was logging key presses, SMS messages, location data, and web browsing history. But it turns out that, as one security researcher had said, Eckhart was merely seeing output from debugging software. CIQ says this was pre-release debugging software that should never have been activated on a consumer device in the first place.
Debugging software is designed to display output based on the actions a device or program is taking at any given time. In the case of Eckhart’s video, this debugging output appeared in the plain-text log files built into the Android operating system. The distinction, according to CIQ, is that its software does not use these log files to record or obtain system information. CIQ says its software was not accessing the Android log file information and passing it on to the company or to carriers.
Nevertheless, having such detailed information in a plain text file is a security risk, the company admits. CIQ says it is working with handset manufacturers and carriers to prevent this type of breach from happening again.
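The two risks described above, debugging output landing in the plain-text Android log and a captured URL carrying more than a hostname, can both be checked for mechanically. The following is an added example, not code from the original article or from Carrier IQ: it parses constructed logcat-style lines (the tag “DebugAgent” and the message layout are assumptions, not CIQ’s real log format) and flags lines that expose the data classes the report mentions (key presses, SMS, phone numbers, URLs, location), then pulls credential-like parameters out of any captured URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed, hypothetical logcat lines for the example. The "DebugAgent" tag
# and message layout are assumptions; they are not CIQ's real log format.
SAMPLE_LOGCAT = """\
D/DebugAgent( 1234): keypress: keycode=KEYCODE_5
D/DebugAgent( 1234): keypress: keycode=KEYCODE_ENTER
I/ActivityManager( 567): Start proc com.example.mail for service
D/DebugAgent( 1234): sms: from=+15551234567 body=meet at 8
D/DebugAgent( 1234): url: https://example.com/login?user=alice&session=abc123
D/DebugAgent( 1234): location: lat=40.7128 lon=-74.0060
V/WindowManager( 567): Layout pass finished
"""

# One rule per data class the article says debugging output exposed.
RULES = [
    ("keypress", re.compile(r"\bkeypress\b|\bKEYCODE_[A-Z0-9_]+")),
    ("sms", re.compile(r"\bsms\b.*\bbody=", re.I)),
    ("phone_number", re.compile(r"\+?\d{10,15}\b")),
    ("url", re.compile(r"https?://\S+")),
    ("location", re.compile(r"\blat=-?\d+\.\d+\b.*\blon=-?\d+\.\d+\b")),
]

# Standard "brief" logcat layout: LEVEL/TAG( PID): message
LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$"
)

# Query-parameter names that usually carry credentials or session state.
SENSITIVE_PARAMS = {"user", "username", "password", "pass", "session", "token", "sid"}


def parse_logcat_line(line):
    """Split one logcat line into level, tag, pid and message (None if not a logcat line)."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Names of every sensitive data class found in a log message."""
    return [name for name, pat in RULES if pat.search(msg)]


def scan_logcat(text):
    """Return (line_number, tag, classes) for each line that leaks a sensitive class."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_logcat_line(line)
        if rec is None:
            continue
        classes = classify(rec["msg"])
        if classes:
            findings.append((n, rec["tag"].strip(), classes))
    return findings


def summarize(findings):
    """Count how many log lines exposed each data class."""
    counts = {}
    for _, _, classes in findings:
        for c in classes:
            counts[c] = counts.get(c, 0) + 1
    return counts


def sensitive_query_params(url):
    """Query-parameter names in a captured URL that look like credentials or session ids."""
    params = dict(parse_qsl(urlsplit(url).query))
    return sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)


def captured_urls(text):
    """Every URL that appears in flagged log lines."""
    urls = []
    for _, line in enumerate(text.splitlines()):
        rec = parse_logcat_line(line)
        if rec:
            urls.extend(re.findall(r"https?://\S+", rec["msg"]))
    return urls


if __name__ == "__main__":
    found = scan_logcat(SAMPLE_LOGCAT)
    for n, tag, classes in found:
        print(f"line {n} [{tag}] leaks: {', '.join(classes)}")
    print("summary:", summarize(found))
    for u in captured_urls(SAMPLE_LOGCAT):
        print("url", u, "carries sensitive params:", sensitive_query_params(u))
```

The rules are deliberately coarse (a ten-digit run is treated as a phone number, any `http(s)://` as a URL); on a real device you would pipe `adb logcat -d` into `scan_logcat` and tune the patterns to the tags you actually see. The point of `sensitive_query_params` is that a "URLs only" capture policy still records `user=alice&session=abc123`.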
Not removable by default
There are three ways Carrier IQ software can get onto your phone: two in which the software is pre-installed, and one in which you choose to install the IQ agent just as you would any other app. Not surprisingly, the user download route is the least popular, probably because it gives you the power to delete the IQ agent.
The most popular way for carriers to pre-install the CIQ software is to use what the company calls the embedded IQ agent. When the IQ Agent is installed this way, the company claims users cannot delete it “through any method provided by Carrier IQ.” In other words, the embedded version of CIQ software is not designed to be removable by you.
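Whether a package on an Android phone is removable by the user comes down to where its APK lives: anything installed on the read-only `/system` partition (the pre-installed, embedded case) cannot be uninstalled without root, while a user-installed package under `/data/app` can. The following added example, not code from the article or from Carrier IQ, applies that check to constructed output in the format of `adb shell pm list packages -f`; the package names are hypothetical and are not CIQ’s real package names.

```python
import re

# Constructed sample in the format printed by `adb shell pm list packages -f`.
# Package names are hypothetical; they are not Carrier IQ's real package names.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Phone.apk=com.android.phone
package:/system/priv-app/ExampleDiag.apk=com.example.diag
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/ExampleAgent.apk=com.example.agent
"""

PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<name>[A-Za-z0-9_.]+)$")


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("name")] = m.group("path")
    return packages


def is_embedded(apk_path):
    """True if the APK sits on the system partition, i.e. not user-removable without root."""
    return apk_path.startswith("/system/")


def embedded_packages(packages):
    """Sorted names of packages the user cannot uninstall through normal means."""
    return sorted(name for name, path in packages.items() if is_embedded(path))


def user_removable_packages(packages):
    """Sorted names of packages installed under /data, which the user can uninstall."""
    return sorted(name for name, path in packages.items() if not is_embedded(path))


def check_package(packages, name):
    """Report whether a named package is present and whether it is embedded."""
    if name not in packages:
        return {"present": False, "embedded": None, "path": None}
    path = packages[name]
    return {"present": True, "embedded": is_embedded(path), "path": path}


if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_PM_OUTPUT)
    print("embedded (not user-removable):", embedded_packages(pkgs))
    print("user-removable:", user_removable_packages(pkgs))
    print(check_package(pkgs, "com.example.agent"))
```

On a real phone you would feed `adb shell pm list packages -f` into `parse_pm_list` and look up the package you are interested in with `check_package`. Newer Android versions let you disable a system package for the current user, but that hides it rather than deleting the APK from `/system`, so the embedded/user-installed distinction still holds.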
Where does your data go?
CIQ says its data is stored on your handset in a “secure temporary location” in a format that cannot be read without “specifically designed tools.” That wording describes a proprietary format rather than encryption; it may be encrypted, but CIQ did not say so, and an undocumented binary format on its own offers no protection once the tool to read it is available.
Diagnostic information captured by the IQ agent is typically stored for up to 24 hours before being uploaded over an encrypted connection. The average upload is 200 kilobytes; this data transfer does not appear to count against your data plan and does not show up in any usage summaries for your account.
Once the data leaves your phone it ends up in one of two places: CIQ’s data center or your carrier’s data center. Some carriers choose not to host the diagnostic data on their own servers and instead pay CIQ to host the data for them.
Was this all for nothing?
CIQ’s software doesn’t appear to be the malicious software Eckhart originally believed it to be. However, had it not been for Eckhart’s examination of CIQ software, the SMS bug and the vulnerability related to the debugging software might never have been discovered. It’s also valuable purely from a privacy standpoint to know that CIQ software exists on some phones and what it does. Then at least you can make an educated choice about whether or not you want to use a device that has CIQ software installed on it.
