Carrier IQ: What We Know So Far

Smartphone monitoring company details in a report every data point its software can collect, and says it has shared no data with law enforcement agencies.

Mathew J. Schwartz, Contributor

December 14, 2011

6 Min Read

[Image: 10 Worst Android Apps (slideshow)]

Smartphone monitoring software vendor Carrier IQ has released more details about how its software is used to track smartphone-related data. Furthermore, it has denied that it supplies any of that data to law enforcement agencies, including the FBI.

"Carrier IQ's data is not designed for law enforcement agencies and to our knowledge has never been used by law enforcement agencies. Carrier IQ [has] no rights to the data gathered and [has] not passed data to third parties," said Carrier IQ in a statement. "Should a law enforcement agency request data from us, we would refer them to the network operators. To date and to our knowledge we have received no such requests."

Carrier IQ's statement was issued after Michael Morisy of MuckRock news detailed a Freedom of Information Act request he'd made to the FBI on December 1, requesting "manuals, documents, or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ."

The FBI's response arrived December 7, with the bureau saying that "the material you requested is located in an investigative file which is exempt from disclosure" on the grounds that producing the information "could reasonably be expected to interfere with enforcement proceedings." As Morisy then said, the response could mean that the FBI uses data collected by Carrier IQ. Likewise, it could also mean that the bureau is investigating Carrier IQ itself. In light of Carrier IQ's statement, the latter seems to be the stronger possibility.


Morisy had filed his Freedom of Information Act request after security researcher Trevor Eckhart in November began releasing detailed research into how he saw the Carrier IQ software operating. Given that the software hooked into the Android operating system at extremely deep levels, and had the potential to monitor individual keystrokes, encrypted Web pages, and GPS location, Eckhart asked Carrier IQ to fully detail what data it was collecting, and why.

In response, Carrier IQ initially sued Eckhart for alleged copyright violations involving its training materials. But after the Electronic Frontier Foundation intervened, it dropped the suit and issued an apology to Eckhart, who responded by releasing further research. At the same time, Carrier IQ executives began reaching out to media outlets, stating that the company only collects data that carriers tell it to collect.

But this open question--voiced not just by Eckhart but also other security researchers, and in the form of multiple class action lawsuits--remained: Exactly what was Carrier IQ's software doing, and why?

Carrier IQ's detailed response arrived Tuesday, in the form of a 19-page report, titled "Understanding Carrier IQ Technology," which includes responses to "critical allegations and questions," as well as a list of every potential data point that its software can capture. These data points include information relating to radio technologies, voice services, data transmission, application and battery performance, IP and IP services, as well as device stability and status.


The report notably begins by thanking "Trevor Eckhart for sharing his findings with us through a working session that helped us to identify some of the issues highlighted in this report." Likewise, it thanked carriers for detailing their deployments of Carrier IQ's software on their handsets, as well as security researcher Dan Rosenberg, whose own independent analysis of Carrier IQ's software found that it wasn't doing anything nefarious, although he did fault the company for not being more upfront about what its software was doing.

According to Carrier IQ's report, its software is designed to answer this question for carriers: "What is the network service quality consumers experience when they use a mobile phone on our network and how do we make it better? Put another way, what actually causes dropped calls, reception issues, and the like?" Accordingly, the company has built handset-based software that collects the data required to answer those questions, and routes the data to carriers. "This has been our mission since the formation of the company," said the report.

Furthermore, the report said, because its software is deployed on millions of handsets, the company designed it to collect the minimum amount of information possible, not least because Carrier IQ then has to transmit and store that data, which the company emphasized it does over a "secure encrypted channel."

Carrier IQ also clarified that smartphone owners don't pay for the data transmitted by its handset software--IQ Agent--provided that the phone is operating on a network owned by a carrier that is a Carrier IQ customer. "In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used. This upload, which averages about 200 kilobytes, contains a summary of network and device performance since the last upload, typically 24 hours," said the report.

Carrier IQ responded to Eckhart's research, which found that the Carrier IQ software appeared to be storing sensitive data to a clear-text Android log file on his HTC handset, by saying that was due to an HTC-introduced bug. "We cannot comment on all handset manufacturer implementations of Android," according to the report. "Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS, and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically it appears that the handset manufacturer software's debug capabilities remained 'switched on' in devices sold to consumers."

Carrier IQ said that its software only uses its built-in API to collect data, rather than Android log files. Furthermore, it said it's working with its customers to help prevent these types of bugs from recurring. "Various parties in the industry, including security consultants such as Dan Rosenberg, have recommended that handset manufacturers switch off debug messages containing personal information to prevent them being written into log files. In addition, Carrier IQ is working with handset manufacturers and network operators to suggest changes to the certification process for new devices to prevent similar problems from occurring again," said the report.
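The failure mode described above, debug messages from handset software writing key presses, SMS content, and location into the Android log, is something a defender can check for directly on a retail build. The following is an added example, not code from the article or from Carrier IQ or any handset maker: a small Python scanner that parses logcat-style lines, flags messages carrying personal data, and shows a redaction pass of the kind a vendor would apply if a debug message had to stay in the build. The log tag "DiagAgentDbg", the message formats, and the sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of logcat output (not captured from any real device).
# The tag "DiagAgentDbg" and the message formats are assumptions for this example.
SAMPLE_LOGCAT = """\
D/DiagAgentDbg( 1234): key_press keycode=32 char='a'
D/DiagAgentDbg( 1234): sms from=+15550001111 body='meet at 5'
D/DiagAgentDbg( 1234): location lat=37.421998 lon=-122.084000 acc=12
I/ActivityManager(  500): Start proc com.example.app for activity
D/DiagAgentDbg( 1234): metrics dropped_calls=2 rssi=-87
D/DiagAgentDbg( 1234): http https://example.com/search?q=secret%20term
"""

# One logcat "brief"-format line: priority/tag( pid): message
LOGCAT_LINE = re.compile(
    r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$"
)

# Detection rules: a category name and a regex that matches a debug message
# carrying that kind of personal data. Tune these to the formats actually
# observed on the device under test.
SENSITIVE_PATTERNS = {
    "key_press": re.compile(r"\bkey(?:_?press|code)\b", re.I),
    "sms": re.compile(r"\bsms\b.*\bbody=", re.I),
    "location": re.compile(r"\blat=-?\d+\.\d+.*\blon=-?\d+\.\d+", re.I),
    "url_query": re.compile(r"https?://\S+\?\S+", re.I),
}


@dataclass
class Finding:
    line_no: int
    tag: str
    category: str
    message: str


def parse_line(line):
    """Split one logcat line into its fields, or return None if it is not one."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def scan_logcat(text):
    """Return a Finding for every (line, category) where personal data appears."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = parse_line(raw)
        if fields is None:
            continue
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(fields["msg"]):
                findings.append(Finding(n, fields["tag"].strip(), category, fields["msg"]))
    return findings


def summarize(findings):
    """Map each log tag to the sorted list of data categories it leaked."""
    by_tag = {}
    for f in findings:
        by_tag.setdefault(f.tag, set()).add(f.category)
    return {tag: sorted(cats) for tag, cats in by_tag.items()}


def redact(message):
    """Strip personal values from a debug message while keeping its shape.

    This is the weaker mitigation; the report's recommendation is to switch
    such debug messages off entirely in production builds.
    """
    message = re.sub(r"\b(body|char|text)=('[^']*'|\S+)", r"\1=<redacted>", message)
    message = re.sub(r"\b(from|to)=\+?\d{6,}", r"\1=<redacted>", message)
    message = re.sub(r"\b(lat|lon)=-?\d+\.\d+", r"\1=<redacted>", message)
    message = re.sub(r"(https?://[^?\s]+)\?\S+", r"\1?<redacted>", message)
    return message


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f.line_no} [{f.tag}] {f.category}: {redact(f.message)}")
    print(summarize(scan_logcat(SAMPLE_LOGCAT)))
```

Run it over the saved output of `adb logcat -d` from a retail device; a production build with debug messages correctly switched off should yield no findings, and any tag that does appear in the summary points at the component whose debug output survived certification.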

Finally, during its investigation into how its software gets deployed by carriers, Carrier IQ said that it had discovered another bug, which could at times cause SMS messages to be embedded in the diagnostic information captured by its software and transferred to Carrier IQ. But it said such messages were not in human-readable form, and that after working with carriers, it had quickly eliminated the bug.



About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
