What's Lurking on Mobile Devices?

Independent security researcher Trevor Eckhart kicked a hornet's nest last week when he posted a YouTube video demonstrating the monitoring activity of a controversial program from a company called Carrier IQ on his EVO Android phone.  

Eckhart's clip illustrated how the company's "experience insight" program, shipped on Android and Apple iOS devices sold by several carriers, can surreptitiously track all mobile user activity - even keystrokes - without user knowledge or permission.

CIQ denies Eckhart's claims, and the full extent of its program's operation and use continues to unfold.  But this incident should be a wake-up call to every mobile user and employer:  do any of us really know or control what's running on our smartphones and tablets?

Every Breath You Take...


It's no secret that carriers track mobile location and voice, text and data use; that's how they deliver network services and bill subscribers.  What Eckhart questioned is whether carriers are also tracking tapped keys, text and email messages and other information that most subscribers probably consider none of the carrier's business.  He found CIQ software receiving events that carry such detail, even on a stock (un-rooted, unmodified) phone in airplane mode, with no 3G connectivity or service synchronization.  Furthermore, CIQ does not appear as an installed application, provide a privacy policy or ask permission to report "experience insight."  In fact, users who object may have little recourse.  CIQ is not easily uninstalled; on some phones, it cannot be disabled.

Every Move You Make...

When Eckhart first published his report, CIQ sent him a cease-and-desist letter, which it retracted under pressure from the Electronic Frontier Foundation (EFF).  The company disputes Eckhart's characterization of CIQ as a rootkit and claims not to record keystrokes or content.  According to the firm's statement, CIQ "makes your phone work better by identifying dropped calls and poor service, identifies problems that impede a phone's battery life, makes customer service quicker, more accurate, and more efficient, and helps [to] quickly identify trending problems."

I'll Be Watching You?

Eckhart's video clearly shows numbers entered on the dial keypad, SMS content, location, and search strings conveyed to CIQ.  But the video can't show us what CIQ does with that information.  Since we can't see metric profiles sent to the mobile network operators, we can't know which data are ignored, recorded or relayed.

This brings us to the heart of the issue:  lack of transparency and control, for both end users and their employers.  Fuss over Eckhart's report sent handset manufacturers and wireless carriers scrambling, anxious to offer reassurances and clarify their use of "experience insight" data.  As of this writing, AT&T, Sprint, T-Mobile, HTC, and Samsung reportedly have issued statements describing their use of CIQ.  Verizon Wireless, RIM, and Nokia have reportedly denied using CIQ.  Another researcher reported finding CIQ installed on iOS3, iOS4 and iOS5 devices.  

Instructions are circulating for disabling CIQ. However, caution should always be exercised when installing apps or changes from unverified sources, especially where the procedure requires rooting or jailbreaking: that removes the platform's own protections, and a "CIQ remover" from an unknown author is itself unverified software running with the highest privileges on the device.

The good news is that we know more today than we did two weeks ago about what our smartphones and tablets can monitor and what our carriers claim to be tracking.  The bad news is that we still have little insight into what software arrives on mobile devices at the time of purchase or via updates.

Oh, Can't You See You Belong to Me?


Carriers might argue that end users don't have the expertise to understand what's running on their handsets.  And manufacturers may maintain that they only provide tools for data collection; it's up to the carrier to decide whether and how to use them.

But these arguments don't absolve manufacturers and carriers of their obligation to disclose how they collect and use personal information and potentially sensitive interactions.  If the CIQ incident shines a bright light on industry practices, prompting more prominent disclosure and effective "opt out" mechanisms, all the better.

However, there's a broader lesson here for employers wrestling with smartphone and tablet support and security.  While mobile device and application management systems can help IT regain visibility over software and processes running on these devices, subscribers are still beholden to manufacturers and carriers for creating and pushing firmware and OS updates.

The mobile world needs the transparency and control already present in the server and laptop world.  There should be an easy way for employers to determine whether software like CIQ is present in carrier-supplied builds.  Where tracking occurs, IT should be able to verify exactly what is collected and transmitted, to whom, when and how.  Accomplishing this disclosure shouldn't take running a debugger or triggering a legal firestorm.
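One concrete way to get the build-level visibility called for above is to diff a device's package inventory against an allowlist captured from a known-good reference build of the same model. The following is an added example, not code from the original article or from any vendor: it parses the output of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per installed package) and separates packages on the read-only system partition, which arrive with the carrier/OEM build and cannot be uninstalled by the user, from packages in `/data`. The sample capture, the package names and the baseline set are constructed for illustration.

```python
"""Baseline audit of an Android package inventory (added example).

Input is the text produced by `adb shell pm list packages -f`, which prints
one line per installed package in the form
    package:<apk path>=<package name>
Packages under /system (and the other firmware partitions) ship with the
carrier/OEM build and cannot be removed by the user, so an addition there
is a build-level finding rather than a user-installed app.
"""
import re

# One line of `pm list packages -f` output. The path contains no '=' in
# practice; the regex backtracks to the last '=' if it ever does.
_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Firmware partitions: read-only, part of the carrier/OEM image.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/")


def parse_pm_list(text):
    """Return {package_name: apk_path} for every well-formed line."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line) if line else None
        if not m:
            continue  # tolerate noise such as adb daemon messages in the capture
        inventory[m.group("pkg")] = m.group("path")
    return inventory


def is_system_package(path):
    return path.startswith(SYSTEM_PREFIXES)


def audit(inventory, baseline):
    """Compare a device inventory against a reference-build allowlist.

    Returns a dict with three sorted lists:
      unexpected_system - packages on a firmware partition that the reference
                          build does not contain (carrier/OEM additions the
                          user cannot remove)
      unexpected_user   - packages in /data not on the allowlist (user- or
                          MDM-installed apps; a policy question, not a build one)
      missing           - allowlisted packages absent from the device
    """
    unexpected_system, unexpected_user = [], []
    for pkg, path in inventory.items():
        if pkg in baseline:
            continue
        (unexpected_system if is_system_package(path) else unexpected_user).append(pkg)
    missing = [pkg for pkg in baseline if pkg not in inventory]
    return {
        "unexpected_system": sorted(unexpected_system),
        "unexpected_user": sorted(unexpected_user),
        "missing": sorted(missing),
    }


# Constructed sample capture; the package names are hypothetical.
SAMPLE_PM_OUTPUT = """\
* daemon started successfully *
package:/system/app/Phone.apk=com.android.phone
package:/system/app/Settings.apk=com.android.settings
package:/system/app/Telemetry.apk=com.example.telemetry
package:/data/app/com.example.notes-1.apk=com.example.notes
"""

# Allowlist captured from a reference build of the same model (constructed).
REFERENCE_BASELINE = {
    "com.android.phone",
    "com.android.settings",
    "com.android.browser",
}

if __name__ == "__main__":
    report = audit(parse_pm_list(SAMPLE_PM_OUTPUT), REFERENCE_BASELINE)
    for key, pkgs in report.items():
        print(f"{key}: {', '.join(pkgs) or '-'}")
```

In practice the inventory comes from `adb shell pm list packages -f > inventory.txt` on a device with USB debugging enabled, and the baseline from the same command run on a freshly provisioned reference unit. The caveat a practitioner should keep in mind: this sees only packages the package manager knows about. Native daemons and libraries baked into the firmware do not appear in `pm list` output, so a complete answer to "what is in this carrier build" also needs a file-level diff of the system image.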

(Ed. Note - By now you surely have that song by Sting and The Police in your head. Here's a link.)

2 Comments

Update: As I noted above "But the video can't show us what CIQ does with that information. Since we can't see metric profiles sent to the mobile network operators, we can't know which data are ignored, recorded or relayed."

Researcher Dan Rosenberg tested this by analyzing the actual metrics supported by the version of CIQ running on his Samsung Epic 4G Touch (carrier not stated, I'm guessing Sprint). His findings are posted here:

http://vulnfactory.org/blog/2011/12/05/carrieriq-the-real-story/

Rosenberg found that at least this instance of CIQ couldn't be passing message content or keystrokes (beyond dialer keystrokes) because no metrics with that information can be queried by the carrier. Rosenberg noted that CIQ is used differently on various devices, by various carriers, but said CIQ would have to be modified to relay all the data shown in Eckhart's video to a carrier.

Rosenberg did find CIQ relaying dialer keystrokes, GPS locations, and URLs (including HTTPS URLs). But no SMS text bodies, web page contents, or email content - at least on his phone. This detailed threat analysis is critical to consider when assessing business risk; kudos to Rosenberg for publishing his findings.

But the broader lessons that CIQ teaches us still loom large. As Rosenberg concluded, "Consumers need to be able to opt out of any sort of data collection" and "There needs to be more transparency on the part of carriers in terms of what data is being collected from users." Rosenberg also argued for third-party oversight on what data is collected -- I whole-heartedly agree.

Malware writers never miss a headline opportunity...

Reports have now surfaced about Android.Qicsomos, a repackaged version of an open source Android app originally created to detect Carrier IQ. This Android toll-fraud trojan uses a look-alike logo to masquerade as a carrier-supplied utility, but if the user presses the in-app button marked "Desinstaller," the trojan sends SMS messages to a premium-rate number. See:

http://www.symantec.com/connect/blogs/day-after-year-mobile-malware
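A repackaged "detector" of this kind is usually caught before installation by looking at what the APK asks for: a utility that only inspects installed packages has no reason to send or intercept SMS. The following is an added example, not code from the original post or from Symantec's analysis, and it makes no claim about the actual Android.Qicsomos manifest. It audits a decoded AndroidManifest.xml (as produced by a tool such as apktool, an assumed step) for SMS-related permissions and for a receiver registered on the `android.provider.Telephony.SMS_RECEIVED` broadcast, a pattern toll-fraud apps commonly use to intercept carrier confirmation messages. Both manifests below are constructed; the package and class names are hypothetical.

```python
"""Permission audit of a decoded AndroidManifest.xml (added example).

Run against the manifest of an app you are about to side-load. A package
inspection utility needs none of the permissions in RISKY, so any of them
is a reason to reject the APK rather than press its buttons.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions a package-inspection tool has no legitimate need for.
RISKY = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return the package name, requested permissions, flagged permissions,
    receivers hooked on incoming SMS, and a verdict ("ok" or "reject")."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    perms.discard(None)  # malformed entries without android:name
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if _attr(action, "name") == SMS_RECEIVED:
                sms_receivers.append(_attr(receiver, "name"))
    flagged = sorted(perms & RISKY)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "flagged": flagged,
        "sms_receivers": sms_receivers,
        "verdict": "reject" if flagged or sms_receivers else "ok",
    }


# Constructed manifest of a detector that only lists packages.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ciqdetector">
    <application android:label="Detector">
        <activity android:name=".Main"/>
    </application>
</manifest>
"""

# Constructed manifest of a repackaged copy: same package name and label,
# plus SMS permissions and a high-priority receiver on incoming SMS.
REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ciqdetector">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Detector">
        <activity android:name=".Main"/>
        <receiver android:name=".SmsHook">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("repackaged", REPACKAGED_MANIFEST)):
        r = audit_manifest(text)
        print(label, r["package"], r["verdict"], r["flagged"], r["sms_receivers"])
```

Two caveats. A permission check is necessary, not sufficient: a trojan can also abuse permissions the legitimate app really does need, and the decoded manifest must come from the exact APK you intend to install, not from the project's public source tree. And on the devices this article is about, the same logic cuts the other way: a package already on the system partition never had to ask the user for anything.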
Publisher

Steven Taylor

TechNotes is a special program of Webtorials and Distributed Networking Associates, Inc.
Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2013, Distributed Networking Associates, Inc.