Friday, 16 December 2011 07:24

CarrierIQ is a Keylogger after all; maybe…

Written by

Reading time is around minutes.

84After hearing from some of the top security analysts that CarrierIQ did not have any means of logging key strokes on a mobile device we now find that it does have that and can be asked to transmit the data to CarrierIQ.  Additionally there is evidence that CarrierIQ has captured SMS messages (due to a programming “glitch”). This new information came out of the letters sent in response to Senator Al Franken’s direct questions to CarrierIQ and the companies that utilize the software.

The CarrierIQ story broke a couple of weeks ago when a developer stumbled across something that just did not seem right. There were applications that he could not stop and did not show up as installed. When he checked to see what these applications were doing it appeared that they were capturing information from the phone including keystrokes, SMS data, Phone Numbers dialed and more. This discovery kicked off a media storm which took quite a while to settle so that real information could come in.

The chaos was enough to attract Senator Al Franken (who also introduced a new bill regarding the collection of cell phone users’ location data). He has demanded answers to some very pointed questions from CarrierIQ and the Service Providers and Manufacturers that use it. Some of the responses are in and have been posted on Senator Franken’s website. We have gone through them and were surprised at what we have found.

Starting off with AT&T the first thing we noticed was a possible false response to the question on how long they have used CarrierIQ. In the response to Senator Franken they claim they started in February of 2011. However Apple claims that they only removed CarrierIQ from their phones with the release of iOS 4. iOS 4 was released September 8 2010. If this is the case, then CarrierIQ was on at least one AT&T handset before their claimed start date. AT&T also stated that they are actively collecting data from around 500,000 phones

Next is a line that should be of concern to any AT&T phone owner “as a result of a programming error related to the capture of signaling data associated with voice calls, the CIQ software also captured the content of SMS text messages when – and only when – such messages were sent or received while a voice call was in progress” This little line indicates that the ability to capture entire text messages is present in the CarrierIQ software. This is something that CarrierIQ has denied.

Next up is “AT&T’s version of the CIQ Software is programmed to be aware when keystrokes are entered on the device, but the data entered on the keypad is not collected by the CIQ agent or downloaded to the secure AT&T server.” AT&T then goes on to say that they do not collect URLs (which is not exactly true as their network hardware will collect that in the course of routing the traffic, they just do not use CarrierIQ to accomplish this.

The rest of the response, while interesting is not as troubling as these items above.

Sprint’s response looked like it was more open on the surface. They admit to using CarrierIQ since 2006 on a variety of devices, but that unless they are actively tasked the software is not sending any information back. They state that they can have a maximum of 1.3 million devices reporting data, but that the average group sized used for testing is around 30,000. Sprint also makes a very important statement. They say that CarrierIQ designs specific profiles to be used for each carrier. This means that functionality on one carrier might not be on another. It also makes it look like CarrierIQ has the brunt of the responsibility for user data as Sprint goes on to say that the collected data goes to sprint and then to CarrierIQ for analysis (one it has been “anonymized’).

Sprint also admits to collecting URLs entered on the phone, but then goes on to state the fact that their routing equipment has access to this data anyway. The same is also true of location data and phone calls made. Using CarrierIQ simply allows them to collect sample data easier.

The handset manufacturers (Samsung and HTC) all pointed the fingers at CarrierIQ and the Carriers. This is not unexpected as they are not direct sellers to the public and feel that they were only responding to customer requests to include another application. This is not to say that they are not in the wrong here, but more that none of the data collected goes to them anyway and most of the entries were marked as not applicable.

CarrierIQ’s response seemed to refute what the carriers are saying. They are still standing by the statement that they cannot collect Keypress information (something that AT&T and Google’s CEO Eric Schmidt says they can). They do admit to the bug that AT&T mentioned (sprint made no mention of this as simultaneous voice and data is only possible when running 4G and is limited in its scope of use), but go on to say that the SMS data is not readable because it is embedded in the Layer 3 signaling data and is not readable unless CarrierIQ writes a new application to decode it (which they say they have no intention of doing).

After this little discourse there is a statement that just sounds wrong. Yesterday we posted a story about a FOIA request to the FBI asking them if they are using CarrierIQ data and for any manuals etc. on this topic. The request was denied saying that the release of this information would impact an ongoing investigation. Now, either the FBI is investigating CarrierIQ or they have an investigation into someone using CarrierIQ. Yet in the response to Senator Franken they denied that ANY data has been sent to law enforcement agencies. So either the FBI is lying or CarrierIQ is.

All of the responses say that each company feels they are in compliance with the privacy laws and that their customers were aware of data collection practices (even if they did not know the extent or the means).

Senator Franken is still not satisfied with the responses and plans to push his investigation further. Meanwhile the FTC and FCC are also looking into the matter. It is going to be a rough few weeks for CarrierIQ.

You can read all the responses on Senator Franken's site

Discuss in our Forum

Read 2308 times Last modified on Friday, 16 December 2011 07:32

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.