Security experts say the Carrier IQ software, designed to stealthily transmit a wealth of smartphone usage data to wireless carriers and vendors, is a serious enterprise security threat and highlights the need for greater transparency about the data being collected.
Security researcher Trevor Eckhart recently discovered the Carrier IQ software on a variety of Android mobile devices; the software is also capable of running on other platforms, including those from BlackBerry and Nokia. The software, used by AT&T, Sprint and T-Mobile, is intended to provide metrics to mobile carriers, but it is not always optional; in many cases users don’t know it is on their devices.
Eckhart said he found Carrier IQ running in the background on his HTC device, and that it appeared to be tracking nearly all interactions on his mobile phone, from monitoring key presses and browsing history, to location data and SMS logs.
Experts warn that enterprises should educate device owners about the permissions they give to certain mobile applications. An unknown number of mobile applications collect potentially sensitive data because users are often too quick to give elevated mobile app access privileges.
“Device owners are more likely to have problems from quickly installing applications that they don’t know much about,” said Cameron Camp, a research systems manager at San Diego-based antivirus vendor ESET LLC. “The problem here isn’t that Carrier IQ or the mobile operators are doing evil things; they clearly haven’t been fully transparent and that’s what people are taking issue with.”
The goal of the software, according to Carrier IQ, is to help mobile operators improve service quality. In a statement, Carrier IQ said Eckhart's research doesn’t show how the application processes the data and what data is transmitted from the device. Carrier IQ said its application captures only data specified by carriers according to their privacy standards and agreements with users. Other researchers have validated Carrier IQ's claims. Researcher Dan Rosenberg reverse engineered the Carrier IQ software and found that it does not record SMS messages or keystrokes.
Eckhart's research shows the Carrier IQ software runs like a rootkit, stealthily sniffing data. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers. Experts said the discovery draws comparisons to the rootkit-based digital rights management (DRM) system installed in 2005 by Sony BMG Music Entertainment Inc. to prevent CD copying.
The discovery of the software has raised ire in the security community and among privacy advocates, who say both Carrier IQ and mobile carriers are failing to provide transparency into the data they collect. Author and security expert Bruce Schneier called Carrier IQ "spyware" and speculated that it is just one of multiple iterations of surveillance software in use by mobile platform providers.
Romania-based antivirus vendor BitDefender has issued an Android application designed to detect the Carrier IQ software. Most users presume their devices are free from spyware and Trojans, said Catalin Cosoi, head of BitDefender’s Online Threats Lab. The Carrier IQ software fails the transparency test, Cosoi said, and degrades trust.
“We have mobile analytics and applications for PCs to send statistics, but this should be only anonymous data and the user has to be informed that this information gets sent to service providers,” Cosoi said. “There needs to be some kind of opt-out.”
In some cases, poor coding practices result in an application that has too much access to device processes. Last year, two researchers demonstrated a variety of mobile application vulnerabilities and said the smartphone marketplaces have fostered a new wave of less-skilled developers who build applications as quickly as possible to gain as much visibility and profit as they can.
The kind of notifications given to users by mobile applications must be clear and should explain why an application needs to connect to a specific device resource, said Ahmed Datoo, vice president of marketing at Redwood City, Calif.-based mobile device management vendor Zenprise. Enterprises face legal risks if they fail to establish mobile device security and privacy policies, Datoo said.
Datoo said Zenprise uses a multi-tier approach to notifying the user. For example, a pop-up notification informs the user when location data is used by the Zenprise application. The notification appears even if the user initially gave permission for the application to tap into the device’s global positioning system. The data is used by the Zenprise application to set location-based security policies.
“Carrier IQ has heightened scrutiny and awareness of what data is being collected and not being collected and how a user gets notified,” Datoo said. “If an enterprise develops mobile applications it better make sure it communicates what it is collecting from the end user.”