English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

What to Do About Carrier IQ

Tim
Kaspersky Lab Expert
Posted December 07, 16:41  GMT
Tags: Google, Apple, HTC
0.4
 

There’s been a lot of talk about a piece of software installed on many mobile devices called Carrier IQ. The intended purpose of the software according to the manufacturer is to collect metrics to improve many functions of the device on which it’s installed. The uproar has been that this software has access to so much private user data.

According to research by Trevor Eckhart, Carrier IQ has access to basically everything you do on your device, from keystroke logging, to usernames and passwords sent over SSL encrypted connections (albeit before they are encrypted). And while new research has shown that it appears that none of this personal data actually is being harvested, the potential for misuse is very high.

I understand the anger of consumers. I don’t want anyone reading my text messages, or viewing what I search for, reading my email. But what about corporations? What about the possible intellectual property present on these devices?

It is possible that this software can be attacked. I’ve never seen an application that didn’t have a flaw. Isn’t it possible that this software can be compromised, and the data to which it has access could be exfiltrated?

I think the most important point here is that those people that are affected have almost no recourse. The software simply can’t be removed by the average user. Even if a person ‘roots’ or ‘jailbreaks’ their phone to remove the software, there have been reports that this breaks functionality , or even ‘softbricks’ or temporarily renders the phone inoperable. Some other users are flashing custom ROM’s to their systems. These are customized full replacements of the vendor installed operating system. In some cases, users are still finding Carrier IQ files present after doing so.

We do not recommend rooting your device or installing custom ROM’s for most users. This entirely defeats the security model of your device. Furthermore, custom ROM’s can be so complex, and often do not undergo the scrutiny of the security community. Is this more dangerous than having an administrator level application that can record all your activities? That’s a difficult question to answer.

To summarize, this is a logging application with administrator access hiding on many consumer devices. Even though people pay a yearly, locked-in contract, the service providers felt no responsibility to notify them that this software was present. Not only does this software have an incredible amount of access to personal data, you can't easily uninstall it. Even if you figure out how to remove it, you may break your device. I have no problem with improving service. I hate dropped calls too. What I do have a problem with is service providers who are intentionally uninformative about what they are doing with your data on a device you've paid for, and then not allowing any type of removal or opt-out. Even though this is probably not illegal, it is certainly unethical.

So what can you do about it? While it is possible to detect the presence of Carrier IQ on a device, it is not currently possible to easily remove it. It would seem that the correct thing to do here is talk to your service provider. If your service provider has installed Carrier IQ on your device and you don’t want it there, we urge you to contact their customer service departments and express your outrage.


2 comments

Oldest first
Threaded view
 

Bildos

2011 Dec 07, 23:01
0
 

KMS

Did KMS detect Carrier IQ as thread ?

Reply    

Teodor

2011 Dec 08, 08:32
0
 

different angle

Here's a different angle to the story: http://www.networkworld.com/news/2011/120711-carrier-iq-253845.html?page=1

I don't know how many researchers did rev-eng on the software, but if Rosenberg findings are correct, I see a less severe case for privacy breach than initially hyped.

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Related Links

Analysis

Blog