- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - More details are emerging that reveal the Carrier IQ smartphone application does exactly what the vendor says it does. These new findings directly contradict the nearly universal allegations of keylogging, spying, and tracking, all based on the uncritical acceptance of the original analysis by Trevor Eckhart.
Eckhart published his work several weeks ago in his blog and a 17-minute YouTube video, which to date has had more than 1.7 million views. His conclusions, which purport to show that the Carrier IQ code is a rootkit and keylogger, triggered a firestorm of invective, outrage, class actions suits and calls by U.S. senators and congressmen for investigations.
The new technical details about Carrier IQ emerge from one of the few attempts, if not the only one, to dissect the vendor's code and see how it works: reverse engineering by security consultant Dan Rosenberg, who this week published the details of his analysis. Another source is Rebecca Bace, a long-time security researcher, and CEO of Infidel, a security consulting firm, who met with Carrier IQ designers and developers for several days last week to review the system and, specifically, to drill into the areas of the code related to Eckhart's accusations. Bace's background includes information security and systems monitoring, especially in monitoring functions tied to intrusion- and anomaly-detection systems.
LOOK BACK: Top 25 networking & IT stories of 2011
Both say they do not have and have not had any kind of financial relationship with the Mountain View, Calif., software vendor.
The Carrier IQ software "cannot" record SMS text messages, Web page contents or email contents; and it "cannot" record text keystrokes (though it does record which buttons are pressed in the dialer app when making a phone call), according to Rosenberg, in his blog.
"I am using the word 'cannot' literally, as in 'is not capable of, in the present tense, without being altered by modifying its code and installing a new version on the phone,'" Rosenberg writes. "It seems obvious to me that CarrierIQ could be modified in the future to perform nefarious actions: so could any application on your phone."
Embedded by the phone maker with the operating system, at the behest of the carrier, the Carrier IQ program can receive from the OS specific measurements and changes in state on the device, and in some cases location data. Running a carrier-specific "profile" that identifies the subset of metrics the carrier wants, Carrier IQ then sends those metrics, as encoded data over SSL, to the server for analysis.
As such, Carrier IQ is not an after-market application but a "systems internal," according to Bace, meaning it is part of the hardware-firmware-OS configuration specified by a cell carrier when it agrees to accept a specific phone on its network. "This is not unusual in complex system environments," she says in an email. "They're analogous to firms who develop and brand specific mechanisms for operating systems, such as...log mechanisms, debuggers, drivers for specific hardware components, etc. and whose products are fielded as integral parts of those systems.