Mobile security and privacy have been a topic of considerable discussion recently. Discoveries such as the Carrier IQ software on mobile devices have called into question just how much security and privacy exists in the mobile device ecosystem. As an extension of that, what level of security and privacy can enterprises expect from mobile devices if software like Carrier IQ may be transmitting sensitive organizational data without the enterprise's knowledge or consent?
With those issues in mind, in this tip we'll examine the Carrier IQ software, the risks it poses to enterprises, and potential methods enterprises can use to analyze the security and privacy of applications installed on their mobile devices.
Carrier IQ software
Let's start by examining the intended purpose of the software in question. Last year security researcher Trevor Eckhart discovered the Carrier IQ software on a variety of Android mobile devices, and found it was capable of running on other platforms, including those from BlackBerry and Nokia. The software, used by AT&T, Sprint and T-Mobile, was said to provide metrics to mobile carriers, but in many cases users did not know it was on their devices.
Carrier IQ specified the functionality of its software in a press release: “While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools.” Security researcher Dan Rosenberg of Virtual Security Research verified that the software does not collect “keystrokes, SMS bodies, email bodies, and other data of this nature,” despite some early claims to the contrary by various researchers. The Carrier IQ software is installed by default by the mobile carrier or handset manufacturer for affected devices, and the data is transmitted back to Carrier IQ over an encrypted connection to a location configured in a profile on the mobile device. The data is collected regardless of the network connection. Carrier IQ specifies that the data is collected exclusively for the customer, but the customer in this case is the mobile carrier or handset manufacturer, not the consumer or enterprise customer, so it's certainly understandable that enterprises would question where exactly their corporate data is going.
Remember that much of the information collected by the Carrier IQ software is already being logged locally on the phone by native applications or is being collected by the wireless carrier. Some of the data, such as potentially logging URLs, is already collected for network performance reasons by Web proxies. While it is not necessarily good for privacy that Carrier IQ is aggregating all of this data, the more concerning aspect is that the device is sending data to external parties.
Enterprise mobile security: Information security risks
The Carrier IQ software poses information security risks to enterprises similar to those of other mobile applications, but with the widespread deployment of the software and the data collected, there is undoubtedly an increased concern. One potential risk is that the software itself has vulnerabilities that could be exploited, potentially affecting a large number of devices. It makes sense: If the software is installed on millions of devices, attackers would be eager to find flaws and develop exploits because they could potentially gain access to many different devices at once. The exploits, in theory, could steal the collected data, change the configuration file to send the data to an attacker-controlled server, or install malicious software.
To temper the concern to some degree, the data collected by the Carrier IQ software is invasive, but not as invasive as the data collected by other devices. For example, iPhones had a database tracking location that was disabled once it was publicized, and the iPhone takes screenshots of your most recent action for aesthetic purposes. Noted mobile device forensics expert Jonathan Zdziarski also posted two steps that can be taken on jailbroken iPhones to disable this functionality. There is a more general concern that consumers and enterprises need to trust handset manufacturers and carriers to resist installing malicious software by default on mobile devices.
Security and privacy analysis of applications installed
If enterprises are sufficiently concerned about security and privacy on mobile devices, in the short term there may be little that can be done to remove Carrier IQ and the like from mobile handsets, but there are several steps that can provide additional insight into mobile device data transmissions. Enterprises could use some of the same tools used for forensics to analyze the device, and then additionally capture unencrypted network traffic to understand what data is being transmitted. An enterprise can search for unencrypted sensitive data on a device or look through oddly named files on the device for unexpected data. For example, an enterprise can take an image of a device, install an application under evaluation, and then take an image after the install to determine exactly what was changed when the application was installed. Afterwards, the changes can be further investigated. In addition to the standard functionality testing, a thorough investigation of a new device includes analyzing the file system changes to identify data collection and storage.
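The before-and-after image comparison described above can be scripted once both images are mounted read-only. This is an added example, not code from the article; the mount points passed on the command line and the function names are assumptions.

```python
import hashlib
import os
import sys


def snapshot(root):
    """Map each file path (relative to root) to (size, SHA-256) for a mounted image."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the mounted image
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), digest.hexdigest())
    return manifest


def diff_snapshots(before, after):
    """Return the files added, removed and modified between two manifests."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def report(changes, after):
    """Format the changes for review, largest new files first."""
    lines = []
    for path in sorted(changes["added"], key=lambda p: -after[p][0]):
        lines.append(f"ADDED    {after[path][0]:>8} bytes  {path}")
    for path in changes["modified"]:
        lines.append(f"MODIFIED {after[path][0]:>8} bytes  {path}")
    for path in changes["removed"]:
        lines.append(f"REMOVED  {path}")
    return lines


if __name__ == "__main__" and len(sys.argv) == 3:
    before, after = snapshot(sys.argv[1]), snapshot(sys.argv[2])
    print("\n".join(report(diff_snapshots(before, after), after)))
```

New or growing files under an application's data directory are the first candidates for a closer look at what is being collected and stored.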
Similar arrangements can be put into place for network traffic to determine if any unknown data is being sent from the device. Capturing the data directly on the device is unlikely to be practical because it would require full access to a mobile device, which many enterprises might not have for all of their devices. An enterprise can use routing tricks or an open wireless network to man-in-the-middle connections in order to capture unencrypted data and IP flow information. Once an enterprise can monitor network connections, it can capture an hour or more of data when the phone is idle or when a certain application is in use. It can then analyze the data to see if any of the data is unencrypted, what data is sent, and where it is sent. For example, if a device or application is not being actively used, but it is still sending data, an enterprise should closely analyze what is being sent. The network connections might just be checking email, Facebook, Twitter or performing some other expected function.
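The idle-capture review described above can be reduced to a triage pass over exported flow records, as in this added example (not from the article). The CSV layout, the plaintext port list, the expected-host set and the sample records, which use documentation address ranges, are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Ports whose payload is normally readable on the wire (assumption for this example).
PLAINTEXT_PORTS = {21, 23, 25, 80, 110, 143}

# Constructed flow records from an idle-device capture.
SAMPLE_FLOWS = """\
time,dst_ip,dst_port,bytes_out
00:01:10,192.0.2.10,443,1800
00:05:42,198.51.100.7,80,5200
00:15:40,198.51.100.7,80,5100
00:16:02,192.0.2.10,443,1750
00:25:41,198.51.100.7,80,5300
00:40:09,203.0.113.25,443,64000
"""


def triage_idle_flows(flow_csv, expected_hosts):
    """Group outbound flows by destination and flag those needing a closer look."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["dst_ip"], int(row["dst_port"]))
        totals[key]["flows"] += 1
        totals[key]["bytes"] += int(row["bytes_out"])

    findings = []
    for (ip, port), stats in totals.items():
        reasons = []
        if port in PLAINTEXT_PORTS:
            reasons.append("unencrypted")  # payload can be read from the capture
        if ip not in expected_hosts:
            reasons.append("unexpected-destination")  # not mail, social, etc.
        if reasons:
            findings.append({"dst": f"{ip}:{port}", **stats, "reasons": reasons})
    # Largest senders first: volume sent while idle is the strongest lead.
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    # 192.0.2.10 stands in for a known mail-sync endpoint.
    for finding in triage_idle_flows(SAMPLE_FLOWS, {"192.0.2.10"}):
        print(finding)
```

Destinations flagged only as unexpected are encrypted, so the follow-up there is identifying the owner of the address and the application opening the connection rather than reading payloads.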
Security lesson for the mobile ecosystem
Will this be the last mobile software or action the wireless carriers or handset manufacturers take that invades the privacy of their users or exposes users to attacks? Unlikely. Hopefully, the mobile ecosystem learns some lessons from the Carrier IQ software incident on how to better handle security and privacy. Unfortunately many of these same discoveries have been reported or are present on other pieces of software on mobile devices and computers. One of the key steps that could have prevented the uproar over the Carrier IQ software is clear and transparent communication from carriers and handset manufacturers about the software installed by default on mobile devices, what data is collected, and how it is used.
Increased transparency concerning the software installed by default on mobile devices helps consumers understand the data collected from their usage and the potential security risks on their mobile devices. Increased transparency also helps with customer relationships and ensures consumers can trust their carriers and handset manufacturers. Let's hope we see more of it in the future.
About the author:
Nick Lewis, CISSP, is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and previously at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.