Carrier IQ Myth Versus Reality
Tech journalism: When the legend becomes fact, print the legend
Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”
Sometimes the world just gets ahold of an idea and won’t let it go. There are no alien carcasses in Area 51; reading in the dark doesn’t ruin your eyes; Al Gore never claimed to have invented the Internet; and Carrier IQ isn’t capturing your every smartphone move. The idea that it is, though, is pervasive. It started back in October when a Connecticut sysadmin named Trevor Eckhart published an analysis of the software. The story came and went.
Then Eckhart posted a YouTube video in mid-November, and all hell broke loose, despite denials by Carrier IQ and several phone companies that the software was doing anything other than compiling and sending diagnostic information. A lawsuit against phone manufacturers, including Apple and Samsung, was filed in a federal court. The Federal Trade Commission began a formal investigation. And the stories that Carrier IQ is capturing everything you do on your phone just keep coming.
For example, here’s Wayne Rash, normally a terrific journalist, in an eWeek article in which he praises RIM, the maker of the BlackBerry, as a rare phone manufacturer that makes Carrier IQ easy to delete. Last week, Wayne wrote, quote: “Allowing a piece of software to exist on its devices that has the capability, whether it's used or not, to record keystrokes, text messages and e-mail...compromises the security of BlackBerry devices in a way RIM has never tolerated.”
This was a full month after Carrier IQ itself stated point-blank in a press release, “Our software does not record, store, or transmit the contents of SMS messages, e-mail, photographs, audio, or video.”
It was also several days after security researcher Dan Rosenberg wrote up a detailed analysis that he did. In it, he spelled out everything the software can possibly collect and concluded, quote: “Carrier IQ cannot record SMS text bodies, Web page contents, or e-mail content, even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.”
My guest today is Dan Rosenberg. He leads the vulnerability research practice at VSR, a Boston provider of security consulting services to banks, retailers, and software makers. He specializes in kernel security and mobile device exploits. He’s working off-site today and joins us by phone from a secure location in southern New Hampshire. Dan, welcome to the podcast.
Dan Rosenberg: Hi. Thanks for having me, Steven.
Steven Cherry: Dan, it all gets pretty complicated pretty quickly. There’s the operating system, there’s the phone itself and its software, then there’s the carriers—and they have their own software—and these metrics. And then there’s Carrier IQ, which I guess customizes what it does for each carrier and maybe for each phone? Tell us how it all works.
Dan Rosenberg: Sure. So Carrier IQ is a Silicon Valley software company and their customers are not users of the phones, their customers are the cellular carriers and in some cases the handset manufacturers. So what they do is, they provide a piece of software that the OEMs or handset manufacturers like HTC and Samsung then install on the phone. In turn, the handset manufacturers also integrate into the Android operating system points of data collection, places where they would like data to be sent to the Carrier IQ application that they have installed, and this sort of dictates what kind of information can be collected by the Carrier IQ software, which ultimately is just responsible for receiving information that’s sent to it by the operating system and then ultimately uploading that to the carrier. The other sort of layer to this is that the carriers are the ones who dictate a profile, which is pushed through the device and is sort of a configuration file that indicates which pieces of information they’re actually interested in recording and collecting. Carrier IQ designs the software; the handset manufacturers integrate it into the phone and actually write the code that’s responsible for submitting what are called metrics, which are these pieces of data they’re interested in collecting; and then the carriers have the final say in what subset of that data they’re actually interested in recording and keeping.
Steven Cherry: So, what information are they interested in recording?
Dan Rosenberg: Based on what I’ve seen, the biggest chunk of value Carrier IQ is providing is a really high degree of granularity in seeing things like radio and telephony events. So most of the metrics that they’re collecting have to do with service outages and dropped calls and things like that, where having an agent running on the phone is really helpful to them because if they drop a call, they obviously don’t have communication with the phone at that point in time, and it may be very difficult to gather information about what may have caused that disruption in service.
Steven Cherry: Okay. Dan, Carrier IQ said in its press release, “We understand whether an SMS was sent accurately but do not record or transmit the content of the SMS. We know which applications are draining your battery but do not capture the screen.” So in your testing, you found that not only doesn’t Carrier IQ record or transmit the content of the SMS, for example, but it cannot. Tell us about the testing you did, and what you found.
Dan Rosenberg: Sure. So as I just mentioned, there’s sort of two pieces in terms of the software that’s living on these phones. There’s the portions of the operating system that have been modified by the handset manufacturers to actually submit data to the Carrier IQ application—they call that the “porting layer” in sort of Carrier IQ–speak—and then there’s the actual Carrier IQ agent, which is the software that was actually written by the company Carrier IQ, and that’s sort of what receives this data that’s sent to it by the operating system. So in order to analyze what data was being collected, I took essentially the entire Android system framework off of several Android phones that were running Carrier IQ and reverse-engineered them. I decompiled the code to understand exactly what metrics were being submitted to the Carrier IQ application, and in doing so I basically created a comprehensive list on the devices that I tested of exactly what metrics are being submitted to the application.
Steven Cherry: So basically you found that, as I mentioned in the intro, there just aren’t any metrics for the things that people are worried the phone company is capturing and recording and so forth.
Dan Rosenberg: Right, exactly. I mean, some of the things that have been claimed, like e-mail bodies and SMS bodies and Web page contents—that information is just not supported by Carrier IQ at all. The application has no mechanism by which it can sort of package and hang on to that kind of information. It’s clearly not a supported feature.
Steven Cherry: In your analysis, it looked like there were some screen captures of this sort of thing. These metrics are really just sort of like one-line records of events that happened, right? That a call was dropped, for example, and this was the power level and things like that?
Dan Rosenberg: Yeah, exactly, I mean it’s in their interest to keep the amount of data they’re collecting as small and relevant as possible, because ultimately all this gets uploaded back to the carriers, and that’s bandwidth that they pay for, not that you pay for.
Steven Cherry: And I gather that this is the sort of information that someone’s only interested in the aggregate, that so many phones in this area are using this cell tower or had dropped calls over the space of this 2-hour period or something like that.
Dan Rosenberg: I’d say so, yeah.
Steven Cherry: That sounds like an extremely time-consuming amount of analysis and then testing that you did. How long did it take you?
Dan Rosenberg: Well, I had actually been studying the Carrier IQ application prior to Trevor’s blog post and video. Despite the recent media uproar, where Carrier IQ is suddenly something that everyone knows about, the Android community has known about Carrier IQ for some time now, and it’s been on devices for at least a year or two, probably more than that. So I undertook an analysis on my own initiative, just because I was interested in seeing what data this thing was collecting, what was it doing, how did it work. So when this huge media frenzy came about, I really felt that some facts needed to be brought to light.
Steven Cherry: Dan, just to step back from the technology for a moment, this story seems to have legs that no amount of debunking, including this podcast, will ever overcome. Do you think that the idea of the phone company as Big Brother spying on us is just one of those ideas that’s too deeply embedded in our culture or something?
Dan Rosenberg: Well, I want to be careful in answering that question because I don’t think that the sort of image of cell carrier as Big Brother who’s spying on you and really wants to know absolutely everything about you is entirely founded, but I do think it’s important to advocate for consumer privacy and increased visibility into what kinds of data are being collected from users. So I think that’s ultimately something positive that did come out of this, despite the possibly irreparable damage that has been done to the reputation of Carrier IQ, the company.
Steven Cherry: Yeah, so you said that the Android community was aware of and interested in Carrier IQ for some time, and I guess it’s basically because people want to know exactly what the companies are collecting and what software is on the phone and what exactly it’s doing.
Dan Rosenberg: Exactly, and I think a lot of this would have been prevented if carriers had provided explicit mention that “this software is running on your phone, this is what it collects, this is what we keep, here are our data retention policies, and if you don’t agree to the collection of this data, you can opt out of it.”
Steven Cherry: I wonder if also, maybe this is part of what you’re saying as well, the Big-Brother-spying-on-us idea, it’s not true, at least in this case, but it is a bit close to things that aren’t exactly false. Al Gore never said he invented the Internet, but maybe he did try to take more credit than he deserved and maybe not just the Internet. And the carriers are not spying on us with Carrier IQ, but they did help the NSA spy on us, their customers.
Dan Rosenberg: Sure. I mean it’s definitely, like I said, something that people need to be aware of, and there does need to be much better transparency into how all of this works: what they’re doing with your data.
Steven Cherry: Do you think that’s as true on Android as it is on the iPhone? There seems to be an inherent bit of transparency for Android that doesn’t exist with the Apple products.
Dan Rosenberg: I think that’s true to some extent, Android being an open operating system, but it’s also important to keep in mind that software like Carrier IQ is entirely aftermarket software. So they take the open-source Android operating system, and by the time you actually get it on a phone, it has a huge amount of additional software that’s been put on there at the request of the carriers, the handset manufacturers, so in many ways it’s not very different from a more closed platform in that you don’t really know everything that’s running on your phone unless you really dig in and have the technical ability to reverse-engineer the software and see what it’s doing.
Steven Cherry: Well, Dan, even though this idea will probably never go away, there’s a healthy minority of people who really do want the true story, and we flatter ourselves at Spectrum that that healthy minority is in fact the majority when it comes to our readers and listeners, so thanks for figuring out the true story and for spending this time with us today.
Dan Rosenberg: No problem. Thanks for having me.
Steven Cherry: We’ve been speaking with Dan Rosenberg of the Boston security consultancy VSR, about the ways in which cellular carriers can’t monitor their customers’ phone activities with Carrier IQ software. For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.
This interview was recorded 19 December 2011.
Audio engineer: Francesco Ferorelli
NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum’s audio programming is the audio version.