Only now are some skeptical voices being raised that the case against Carrier IQ may be a rush to judgment without a real, or at least an adequate, basis in fact.
The company has been pilloried the length and breadth of the World Wide Web for the better part of a week, accused by a growing chorus of selling smartphone spyware in the form of a rootkit and keylogger to mobile carriers. The accusations and outrage hinge on a YouTube video posted by a 20-something systems administrator, Trevor Eckhart, purporting to show the smartphone program recording keystrokes and seeing SMS text messages. Yet Eckhart failed to use some basic tools that could have confirmed what he, and many others, think he saw.
Earlier this week, Sen. Al Franken (D.-Minn.), on the basis of Eckhart's video and on blog posts and news accounts also based on it, "demanded" answers from Carrier IQ about what the software actually sees and does.
The skeptics aren't getting much help from either Carrier IQ itself or the carriers using the software. The software vendor shot itself in the foot by slapping Eckhart with a cease-and-desist letter, which it later withdrew and for which it apologized after the Electronic Freedom Foundation took on Eckhart's case. Since then, the company has refused repeated requests to give any technically based explanation of how its software actually works, though this started to change Thursday, Dec. 1 (See: "Carrier IQ again asserts no user data logged or sent"). The two U.S. carriers using the software, AT&T and Sprint, simply repeat that they only collect device and network data, such as dropped calls or failed SMS message, that lets them improve their smartphone service.
Despite the presence of online forums, hacking sites, social networking and the World Wide Web, apparently no one has attempted anything like a "peer review" of Eckhart's conclusions. The video and posts purport to show that Carrier IQ's Android client software is logging a range of user activities, including individual touches to the phone's screen, and then sending them to a server for analysis. Eckhart has not responded to two Network World requests, via email, to talk about his analysis.
Eckhart's 17-minute YouTube video is the basis for allegations that Carrier IQ is spyware, and that -- whatever its stated purpose is -- its real goal (and the goal of the carriers using it) is to watch, capture and exploit detailed private information about smartphone users. In the tidal wave of news stories, blog posts and Web comments, Eckhart's video is accepted unquestioningly as "proof" that Carrier IQ, in the hands of carriers, is already carrying out a surreptitious, pervasive surveillance campaign or has the capacity to do so.
"The interpretation of the video is inaccurate," says Dan Rosenberg, vulnerability research practice lead for Virtual Security Research, a Boston-based consultancy. For the firm, Rosenberg specializes in application and network penetration testing and code review, sometimes with reverse engineering code. He also does security research in these areas, especially on the Linux kernel and the Android operating system.
He first blogged about his reservations in a brief post at Pastebin.com. He went into more detail with Network World this week.
"The video depicts that Carrier IQ does react to events like typing a key," Rosenberg says. "Trevor jumped to the conclusion that this means they are recording all your keystrokes and sending them to the carrier. That would be a major violation of privacy. But that's not what's happening based on my analysis."
Rosenberg had known of Carrier IQ, and in early November, before Eckhart released his conclusions, began to reverse engineer it. "It's installed by default on smartphones, and no one has the ability to remove it, and it does collect data and send it to carriers," he says. "There's a potential for abuse, and I wanted to analyze it and understand it."
He copied the Carrier IQ software from several HTC and Samsung Android phones and loaded it into a disassembler to expose and read the machine instructions. What he found was a large, powerful program with a lot of capabilities. Rosenberg says he did not make an exhaustive study of all the program's features. But after Eckhart's video was posted, Rosenberg refocused his attention on the alleged keylogging and transmitting features.
Eckhart's video actually shows debugging output, Rosenberg says, which is intended to let developers go through a program line by line to iron out problems. As such, displayed in a debugging buffer, these details are not stored on disk or collected as data, he says.
"They are not actually storing keystroke data at any point, anywhere," Rosenberg says. "Much less sending the data back to carriers."
Temporarily putting this information in a debugging buffer is a questionable practice, he says. "They're printing debugging statements that show keystroke data," Rosenberg says. "That's not an immediate threat, but it's sort of like why you don't want to write down your password: so you don't have sensitive data lying around somewhere. But that [practice] is not like logging data and sending it to carriers."
Rosenberg says he has talked with Eckhart several times, and specifically about Eckhart's interpretation of what the debugging buffer revealed. Rosenberg declined to go into details about those conversations, but did say, "I've debated this with him. Originally, he disagreed with me. But nothing on our private conversation provided me with evidence to the contrary."
Rosenberg's hands-on experience with Carrier IQ seems to be the most detailed yet on public view. And it lines up with reservations or criticisms levied against Eckhart's interpretation of Carrier IQ as a keylogger that's sending SMS message contents and other information back to the mobile carriers.
John Graham-Cumming is vice president of engineering for software vendor Causata, as well as a programmer, blogger and author with a doctorate in computer security. In a recent blog post, he noted the extravagant allegations made against Carrier IQ on the basis of Eckhart's video, such as this one by Geek.com's Russell Holly: "This video has demonstrated a truly significant volume of information is being recorded. Passwords over HTTPS, the contents of your text messages, and plenty more are recorded and sent to the customers of Carrier IQ.
"That would be worrying if true, but if you watch the 'security researcher's' video you'll find that nowhere does he make the claim that [the] content that the application sees is leaving the device," Graham-Cumming wrote. "And from the video he doesn't appear to try. At no point does he enter a debugger and look inside the CarrierIQ [smartphone] application, and at no point does he run a network sniffer and look at what data is being transmitted to [the server component of] CarrierIQ.
"And I don't understand why," he continued. "It would be a huge story if millions of smartphones worldwide were secretly sending the content of text messages to a US-based company. But that's not the story here because the 'security researcher' does not appear to have tried to find out."
We asked Graham-Cumming via email if this was a complex process. "It would not be complex for a competent Android programmer to use a debugger to examine the CIQ application and/or sniff its network traffic to see what it is doing," he says via email.
Based on what he saw in Eckhart's video, Graham-Cumming says Carrier IQ's software apparently can see at least some user activities. "But until I understand what they are doing with the data and what leaves my phone I'm not going to panic," he says. "For example, my antivirus sees everything on my machine, all my mail, all my files, all my web browsing, but I'm ok [with that] because I trust what it does with the data."
"That's a good analogy," agrees Rosenberg. "It's absolutely true that antivirus has just as broad access to your system."
Yet there is a critical difference, he says. "What makes [Carrier IQ] different is that this program was not installed by the users, and they weren't given the chance to make a trust decision," Rosenberg says. "Presumably, your antivirus program is software that you've installed or have a trust relationship with the vendor."
"There's one good thing to come out of this," Rosenberg says. "A greater awareness that this software exists. We need more awareness of what it can do and the ability to opt out of it."
Apple seems to have taken a different approach than Android vendors HTC and Samsung with its integration of Carrier IQ. Apple this week announced that it had discontinued Carrier IQ support with the release of iOS 5 some weeks ago. Grant Paul, a well-known iOS programmer, analyzed the program in a blog post, and noted what appear to be several differences from the Android implementation, at least on the HTC handset used by Eckhart.
For one thing, the user can disable Carrier IQ in earlier iOS versions by turning off "Diagnostics and Usage" in "Settings." For another, though the program "does access a reasonable amount of information," that information seems limited to telephony information, such as your phone number, carrier and country, active phone numbers (though Paul didn't see evidence that the dialed number was visible) and the user's location if the user enabled the iOS Location Services. He added: "Be sure to note that I have not confirmed which, if any, of this data is sent remotely."
"Importantly, it does not appear the [Carrier IQ] daemon has any access or communication with the UI layer, where text entry is done," Paul concluded. "I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely."
What's unclear is whether this "no access" to the UI layer is distinctive to the iOS implementation of Carrier IQ or, as the vendor seems to be saying, a characteristic of the application itself regardless of the operating system on which it runs.
In what seems to be the first public interview granted by Carrier IQ executives, to John Paczkowski of AllThingsD, the software vendor finally provided a bit more detail on what the program does and doesn't do.
"While CIQ might 'listen' to a smartphone's keyboard, it's listening for very specific information," Paczkowski writes, summarizing the claims. "Company executives insist it doesn't log or understand keystrokes. It's simply looking for numeric sequences that trigger a diagnostic cue within the software. If it hears that cue, it transmits diagnostics to the carrier."
Paczkowski notes that CIQ nevertheless has the ability to capture a wide variety of user data. So, he asks, who decides what data is collected?
"The carriers. They decide what's to be collected and how long it's stored -- typically about 30 days. And according to Carrier IQ, the data is in their control the whole time. 'It's the operator that determines what data is collected,' says Carrier IQ CEO Larry Lenhart. 'They make that decision based on their privacy standards and their agreement with their users, and we implement it.'"
In a statement issued Dec. 1, Carrier IQ repeated its assertions that the software does not log keystrokes. This time it added a comment by security expert Rebecca Bace, co-founder of Infidel, an information security consultancy: ""Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user's content are erroneous."
No other details were provided. As of this posting, Bace had not replied to an email request for more information.
John Cox covers wireless networking and mobile computing for Network World. Twitter: http://twitter.com/johnwcoxnww Email: firstname.lastname@example.org Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
Read more about anti-malware in Network World's Anti-malware section.