Advertisement

Carrier IQ disputes spying accusations; security researchers agree

Share

This article was originally on a blog post platform and may be missing photos, graphics or links. See About archive blog posts.

Carrier IQ, the beleagured online metrics company that has been accused of installing spy software on millions of smartphones, has broken its silence to say the critics have it wrong.

‘While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video,’ the company said in a statement released late Thursday.

Advertisement

The firm’s defense came as as politicians and privacy organizations continued to question the little-known Mountain View, Calif., company, which designs communications analysis software used by some of the largest U.S. wireless carriers, including AT&T, Sprint and T-Mobile. The carriers say data collected on their behalf by Carrier IQ helps them improve their service.

Last week, 25-year-old system administrator named Trevor Eckhart released a video (above) purporting to show Carrier IQ’s app recording smartphone users’ every keypress, and implying that the company was therefore able to intercept users’ private communications.

But security researchers have disagreed with conclusions drawn from Eckhart’s analysis.

‘It’s not true,’ said Dan Rosenberg, a senior consultant at Virtual Security Research, who said the video shows only diagnostic information and at no point provides evidence the data is stored or sent back to Carrier IQ.

‘I’ve reverse engineered the software myself at a fairly good level of detail,’ Rosenberg said. ‘They’re not recording keystroke information, they’re using keystroke events as part of the application.’

The difference is subtle but important. To perform commands, applications need to know which buttons a user has pushed: Your email app needs to know when you tap the reply button, and your phone app needs to know which numbers you press in order to dial. Applications therefore pay attention to which buttons a user is pressing.

But listening for a button press does not mean an application is therefore sending a record of those button presses back to the company, researchers said.

Advertisement

System-related apps like Carrier IQ often allow users or phone engineers to tap a series of keys in order to bring up administrative options or to display information on the phone’s performance. In order to show that data, apps needs to know the correct code was tapped in -- by identifying specific key presses, as it is shown doing in the video.

But Rosenberg said his look at the Carrier IQ program revealed ‘a complete absence of code’ that would indicate key presses were being tracked and recorded or sent over the Internet by the phone.

Instead, the readouts on Eckhart’s video that occur when he presses keys are ‘debugging messages’ -- informational feedback meant to help smartphone programmers verify that their applications are working correctly. In this case, Carrier IQ’s developers appear to have set up the program to display a diagnostic message when a key is pressed or when a text message is sent.

‘It’s just spitting debug messages to the internal Android log service,’ sad Jon Oberheide, a co-founder of Duo Security. ‘It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystrokes, SMS messages or Web browsing session content are being transferred off the device.’

Carriers like AT&T, T-Mobile and Sprint have long disclosed that they collect and store information about users’ locations, phone records and text messages. But what appeared to unnerve consumers and privacy observers was the possibility that the companies had gone a step further and were monitoring nearly every action a user performed on the phone.

That claim set off alarms among phone users, privacy advocates and now Sen. Al Franken (D-Minn.), who demanded Thursday that Carrier IQ explain its software and the types of data it collected.

Advertisement

Though Carrier IQ denied it collected message text and other personal communications, it did note that it gathers ‘intelligence on the performance of mobile devices’ and sends it to wireless carriers. The company said little more about the specific types of data it does collect, whether users can opt out of the collection or how long the company keeps collected data.

RELATED:

AT&T says attempted hacking was unsuccessful

Facebook settles privacy complaint with Federal Trade Commission

RIM Mobile Fusion to add BlackBerry security tools to Android, iOS

-- David Sarno

Video: Trevor Eckhart’s video about Carrier IQ.

Advertisement
Advertisement