Researchers link spyware to millions of smartphones
A special brand of data collection software could be secretly installed on millions of smartphones currently in operation.
Information security researcher Trevor Eckhart recently caught the attention of millions of smartphone owners by suggesting that several U.S. mobile device manufacturers have secretly partnered with a software firm specializing in data logging.
In his latest report for Android Security Test, Eckhart identified the alleged silent partner as Carrier IQ, a company that has, by its own accounts, "revolutionized the way mobile operators and device vendors gather and manage information from end users." In its original format, Carrier IQ software is used to identify any service issues through data logging and user feedback.
However, once modified by third parties, the tools can be used for less noble purposes, according to Eckhart.
First and foremost, the software can be completely hidden on a device, eliminating user awareness and consent. The exact scope of the data collection also remains unknown: according to Eckhart, Carrier IQ's metrics collection may include everything from keylogging to geographic-location tracking. There are also open questions about which actions "trigger" the information gathering and how frequently it runs.
According to Eckhart's research, data is logged for HTC smartphones, for example, when a key is stroked, a text message is received, when physical locations change and when applications are opened.
Realizing the potential firestorm on the horizon, Carrier IQ executives were quick to respond to Eckhart's claims. The company first sent the security researcher a cease-and-desist letter, objecting to his assertion that Carrier IQ's software was tantamount to a rootkit. The company withdrew that demand after attorneys from the Electronic Frontier Foundation came to Eckhart's defense, according to Wired.
Late last week, the company finally came forward to reveal its side of the story. According to Wired, Carrier IQ acknowledged that approximately 150 million phones have its data tracking software installed without the owner's knowledge. Although they disputed Eckhart's claim that the software logs every keystroke, Carrier IQ officials explained that their proprietary tools could be used to log web usage, determine when and where calls and text messages are sent, monitor battery life, track application deployment and analyze connectivity issues.
"We do recognize the power and value of this data," said Carrier IQ chief marketing officer Andrew Coward, according to Wired. "We're very aware that this information is sensitive. It's a treasure trove."
Following the release of these additional revelations, the company has taken several hits as the "new poster child for (alleged) smartphone privacy violations," according to Ars Technica. Carrier IQ has now been hit with two separate class-action lawsuits from consumers worried about the potential monitoring of electronic activities. Senator Al Franken also wrote to Carrier IQ executives demanding further explanation of company practices.
"I am very concerned by recent reports that your company's software – pre-installed on smartphones used by millions of Americans – is logging and may be transmitting extraordinarily sensitive information from consumers' phones," the senator explained. "It also appears that the average user would have no way to know that this software is running – and that when that user finds out, he or she will have no reasonable means to remove or stop it."
Mobile carriers and device manufacturers have been scrambling to distance themselves from the controversy, particularly after HTC and Samsung were named in the class-action lawsuits.
Sprint was first to come forward regarding its use of Carrier IQ software. According to BGR, the telecommunications giant contended that the utilities were primarily used as a means of diagnosing and improving network performance, but the contents of user messages, photos, videos and other information are not viewed. The company was also quick to note that none of the data collected was sold to third-party firms or sent outside of Sprint for any reason.
RIM officials denied any connection with the data privacy allegations, explaining that the company does not pre-install Carrier IQ on any of its BlackBerry devices nor does it authorize its carrier partners to do so prior to distribution. According to BGR, Nokia similarly dismissed the rumors, bluntly stating that "Carrier IQ does not ship products for any Nokia devices, so these reports are wrong."
Apple detailed its involvement with Carrier IQ in a statement released to AllThingsD.
"We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update," company officials reported. "With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information."
By comparison, Google officials have not addressed the allegations or explained the relationship between Carrier IQ and Android, according to ZDNet. Windows Phone has steered clear of the controversy, as it was never named in the original Carrier IQ rootkit reports.
Despite the wave of legal and consumer scrutiny Carrier IQ has endured, some security researchers have come to the company's defense. Researcher Dan Rosenberg has identified a flaw in Eckhart's original keylogging accusation.
"It's not true," Rosenberg told the Los Angeles Times. "I've reverse engineered the software myself at a fairly good level of detail. They're not recording keystroke information, they're using keystroke events as part of the application."
Many applications, including email, rely on this mechanism to execute commands, according to Rosenberg, but detecting a button press does not by itself mean that the application is recording the key or sending it to mobile device manufacturers and carriers. Security expert Jon Oberheide corroborated this, according to the Times, saying that nothing in his research suggested keystrokes, Internet browsing sessions or text messages were being transferred off the device.
Whatever the ultimate resolution, this saga is likely far from over. The controversy has now taken on international significance, with European regulators beginning to examine Carrier IQ. According to Computerworld, the Bavarian State Office for Data Protection has sent a letter to Apple regarding its partnership with Carrier IQ. The U.K. Information Commissioner's Office and BEUC, the European Consumers' Organisation, are also reportedly considering action.
Data Security News from SimplySecurity.com by Trend Micro