Carrier IQ Data Collection Technically Legit, Say ResearchersCarrier IQ Data Collection Technically Legit, Say Researchers

10 Top iOS 5 Apps

Carrier IQ lately has been in the crosshairs of security researchers, privacy advocates, legislators, and regulators over questions of whether its software surreptitiously monitors smartphone users, to the point where it might violate wiretapping laws.

But according to Dan Rosenberg, who's the vulnerability research practice lead at Virtual Security Research (VSR), Carrier IQ's software captures and transmits back to carriers only what is needed to help them diagnose network, application, or hardware failures.

Rosenberg reached that conclusion after reverse-engineering Carrier IQ software running on a Samsung Epic 4G Touch. He received assistance from "k0nane," the security researcher who had discovered Carrier IQ's software running on the Samsung Epic 4G in February.

"I enumerated every Carrier IQ-related hook integrated into the Android framework and examined what metrics can possibly be collected, and just as importantly, in what situations," said Rosenberg in a Monday blog post that Carrier IQ emailed to journalists.

[Some privacy concerns are overblown. See 5 Smartphone Location Tracking Myths, Busted.]

"All of the data that is potentially being collected supports Carrier IQ's claims that its data is used for diagnosing and fixing network, application, and hardware failures," he said. "Claims that keystrokes, SMS bodies, email bodies, and other data of this nature are being collected are erroneous."

In other words, the Carrier IQ software doesn't appear to currently have the capabilities that some have ascribed to it. "Carrier IQ cannot record SMS text bodies, Web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so," he said. In fact, the only keystrokes Carrier IQ can record are those made using the telephone dialer, "in order to determine the destination of a phone call," he said. "I'm not a lawyer, but I would expect cell carriers already have legal access to this information."

Rosenberg also found that the Carrier IQ software, in some cases, can record GPS location data--likely for troubleshooting reception problems--and that it can record "URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data." Security experts, however, have warned that recording HTTPS could mean that Carrier IQ inadvertently captures usernames, passwords, or other sensitive data, if developers hadn't taken proper steps to ensure that sensitive information isn't embedded in URLs, even for HTTPS.

Finally, the Carrier IQ software collects device-related information--aka metrics--as specified in a profile that resides on the device, and which is defined by carriers. "The list of available metrics are carrier-specific, but will remain constant on a given handset model," he said. "The subset of this data that is actually recorded and collected is at the discretion of the carrier, and is based on the profile installed on the device."

In other words, Carrier IQ appears to be doing what carriers ask it to do, said Rosenberg, who also emphasized that his research had been conducted in a completely neutral manner. "Neither I nor my employer (VSR) have ever had a professional relationship with CarrierIQ, handset manufacturers, or cellular providers," he said.

Meanwhile, Jon Oberheide, CTO of DUO Security, and an independent security researcher with extensive Android experience, told Threatpost that he'd reached similar findings, noting that although Carrier IQ's software could log lots of different types of data, that didn't mean that it was doing so. He likewise disputed that the software was behaving like a rootkit. "It's not trying to hide. If it's a rootkit, it's the least stealthy one ever," he said.

But Oberheide did warn that the Carrier IQ software code base could be an attractive target for attackers, especially because it hooks into so many different parts of the Android operating system. "I wouldn't be surprised if pretty soon people start digging into the code base and start finding vulnerabilities in the software itself," he said.

Although Rosenberg, for his part, found that Carrier IQ's software was technically doing what the company said it was doing, he did criticize the company for failing to be more forthright with consumers. "To satisfy users, it's important that there be increased visibility into what data is actually being collected on these devices," he said. He's also called on Carrier IQ to provide people with a way to opt out of using its software.

For the 15th consecutive year, information is conducting its U.S. IT Salary Survey. Upon completion of the survey, you will be eligible to enter a contest for prizes including a Bravia HDTV or iPad 2, and get a link to download our report once it is published. Take the survey now. Survey ends Jan. 20.