Carrier IQ Spyware

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn't monitor keystrokes -- an easily refuted lie -- and threatened to sue the researcher. It took EFF getting involved to get the company to back down. (A good summary of the details is here. This is pretty good, too.)

Carrier IQ is reacting really badly here. Threatening the researcher was a panic reaction, but I think it's still clinging to the notion that it can keep the details of what it does secret, or hide behind statements such as:

Our customers select which metrics they need to gather based on their business need--such as network planning, customer care, device performance--within the bounds of the agreement they form with their end users.

Or hair-splitting denials it's been giving to the press.

In response to some questions from PCMag, a Carrier IQ spokeswoman said "we count and summarize performance; we do not record keystrokes, capture screen shots, SMS, email, or record conversations."

"Our software does not collect the content of messages," she said.

How then does Carrier IQ explain the video posted by Trevor Eckhart, which showed an Android-based phone running Carrier IQ in the background and grabbing data like encrypted Google searches?

"While 'security researchers' have identified that we examine many aspects of a device, our software does not store or transmit what consumers view on their screen or type," the spokeswoman said. "Just because every application on your phone reads the keyboard does not make every application a key-logging application. Our software measures specific performance metrics that help operators improve the customer experience."

The spokeswoman said Carrier IQ would record the fact that a text message was sent correctly, for example, but the company "cannot record what the content of the SMS was." Similarly, Carrier IQ records where you were when a call dropped, but cannot record the conversation, and can determine which applications drain battery life but cannot capture screen shots, she said.

Several things matter here: 1) what data the CarrierIQ app collects on the handset, 2) what data the CarrierIQ app routinely transmits to the carriers, and 3) what data the CarrierIQ app can transmit to the carrier if asked. Can the carrier enable the logging of everything in response to a request from the FBI? We have no idea.

Expect this story to unfold considerably in the coming weeks. Everyone is pointing fingers of blame at everyone else, and Sen. Franken has asked the various companies involved for details.

One more detail is worth mentioning. Apple announced it no longer uses CarrierIQ in iOS5. I'm sure this means that they have their own surveillance software running, not that they're no longer conducting surveillance on their users.

EDITED TO ADD (12/14): This is an excellent round-up of everything known about CarrierIQ.

Posted on December 5, 2011 at 6:05 AM • 44 Comments

Comments

wiredog • December 5, 2011 6:16 AM

Apparently this isn't installed on Verizon phones.

I wonder what their version is called?

Section9_Bateau • December 5, 2011 6:26 AM

There are only two things that surprise me about this:
1) This is the first big public mess about this sort of functionality being included in phones without user knowledge, consent, or understanding.
2) This is a carrier-based application/service/package, rather than one of those actually in the handset from the manufacturer.

Sadly I am under a number of NDAs, and I am not sure how knowledge of violation of privacy laws or requirements would affect them, without knowing for sure I would be in the clear making what I've worked with public, all I will say is that I've seen first hand, time and time again, that the companies that make your mobile devices collect just as much, if not more information than the carriers, and good luck getting them to be honest about it, or comply with legal, regulatory, or other requirements.

Barbie • December 5, 2011 6:48 AM

Indeed, just the fact that the application receives keystrokes and SMS means nothing about what they do with the data. The researcher showed they receive the data. That's about it. Really, if you think about it, the network providers do control the OS they ship on the device, and can to some extent do whatever they please there. The only thing that makes this newsworthy is that it was done out of the OS. Now, imagine the same company actually modifying the OS to do the same thing. We would not even know about it.

I tend to agree with their line of defence. Ultimately, the network operators are the ones that should answer to what the hell they do on our phones...

Michael • December 5, 2011 7:01 AM

Perhaps the most disgusting and criminal thing about this, if I read Trevor Eckhart's post right, is that anything being sent over HTTPS, like usernames and passwords, is also being read straight from the browser by this malware, and essentially broadcast in plain text.

wiredog • December 5, 2011 8:07 AM

One thing to remember is that, no matter which carrier or OS, even if you're running CyanogenMod, the carrier already collects information on everyone you call or who calls you, and everyone you text or who texts you.

Given that the texts go through their switches, unencrypted, why don't they just gather them there?

Brian • December 5, 2011 8:20 AM

@wiredog:

Your question assumes that the worst case scenario of CarrierIQ actually collecting personal data is really what's happening. As you point out, there's not much reason for a carrier to grab personal information from your phone, since your phone already sends that over their network. It actually makes more sense that CarrierIQ just gathers the non-personal, service quality data they claim, since that's something the cell network wouldn't otherwise have access to.

I don't really like the idea of carriers installing ANYTHING on my smart phone without telling me. But I'm not sure it makes sense that CarrierIQ is as bad as some people think.

Doug • December 5, 2011 8:27 AM

Pardon the noob question, but is this particular to smartphones, or is my non-3G Android tablet susceptible, too?

vedaal • December 5, 2011 8:34 AM

There might be a lucrative opportunity for a niche market where a carrier specifically DOES NOT collect information, and can openly show that it does not ...

Steve Pomeroy • December 5, 2011 8:52 AM

I'm not sure exactly what debug level is needed to display the logs in the "easily refuted lie" video, but one thing that's particularly worrisome is that it appeared as though he was looking through the debug logcat - which is essentially a public log. Applications can request permission to be able to read this log (and many do, including ones that are popular), so if there's any sensitive information there it could be leaked to non-CarrierIQ applications that know to look for it.
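
Added example, not part of the original comment or of the research it refers to: one way to audit a captured logcat dump for the kinds of data discussed in this thread (URLs with query strings, phone numbers, message bodies, card numbers) and to see which logging tag emits them. The log lines, tag names and field names below are constructed for illustration; only the "threadtime" line layout is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in logcat "threadtime" layout. The tags and messages are
# invented for this example; they are not taken from any real device log.
SAMPLE_LOG = """\
12-05 08:52:01.101  1234  1240 D ExampleAgent: battery level=83
12-05 08:52:02.345  1234  1240 I ExampleAgent: page https://www.example.com/search?q=private+query&hl=en
12-05 08:52:03.000  2222  2222 I ActivityManager: Displayed com.example.app/.Main
12-05 08:52:04.500  1234  1240 D ExampleAgent: sms from=+15555550100 body=see you at 6
12-05 08:52:05.750  3333  3340 W ExampleShop: pay card=4111111111111111 exp=12/14
"""

LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+\s+\d+ [VDIWEF] "
    r"(?P<tag>[^:]*?)\s*: (?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://\S+")
CARD_RE = re.compile(r"\b\d{13,19}\b")
PHONE_RE = re.compile(r"\+\d{8,15}\b")
CONTENT_RE = re.compile(r"\b(?:body|text|password|passwd|pin)=", re.IGNORECASE)


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _has_query(url):
    try:
        return bool(urlsplit(url).query)
    except ValueError:          # malformed host, e.g. an unclosed IPv6 bracket
        return False


def classify(msg):
    """Return the kinds of sensitive data found in one log message."""
    kinds = []
    if any(_has_query(u) for u in URL_RE.findall(msg)):
        kinds.append("url-query")       # search terms live in the query string
    if any(luhn_ok(d) for d in CARD_RE.findall(msg)):
        kinds.append("card-number")
    if PHONE_RE.search(msg):
        kinds.append("phone-number")
    if CONTENT_RE.search(msg):
        kinds.append("content-field")
    return kinds


def audit(log_text):
    """Return (line_number, tag, kind) per finding; unparsable lines are skipped."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind in classify(m.group("msg")):
            findings.append((lineno, m.group("tag"), kind))
    return findings


def by_tag(findings):
    """Group findings by logging tag, i.e. which component writes what."""
    summary = defaultdict(set)
    for _, tag, kind in findings:
        summary[tag].add(kind)
    return {tag: sorted(kinds) for tag, kinds in summary.items()}


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for lineno, tag, kind in results:
        print(f"line {lineno}: {tag} logs {kind}")
    print(by_tag(results))
```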

Steve Pomeroy • December 5, 2011 8:55 AM

Doug: I suspect CarrierIQ is installed mostly on phones, but could certainly run on an Android tablet. You'd have to look up your specific device to see if it has it installed.

BF Skinner • December 5, 2011 8:56 AM

Register has an interview with some IQ marketing VP here http://www.theregister.co.uk/2011/12/02/...

He claims to be a fisher of, well not men, I guess but does that the software MUST monitor keystrokes listening for calls to the api

He also wants everyone to know they ain't collecting data for IQ - just their customers.

Register - "What's the reason for monitoring outgoing key taps, key taps that are typed into a Google search, for instance?"

IQ - "There are a sequence of key codes that can be typed by the user that cause the software to do things in the control center. For example, you can be on the phone with support and they'll say key dial this number and that will cause an upload to take place at that particular point in time."

BF Skinner • December 5, 2011 8:59 AM

@Bruce " initially claimed it didn't monitor keystrokes "

Until I hear more I'm inclined to give them a pass on this. I've seen too many execs speak on behalf of their software without knowing, really, how it works.

Most are down to 5 minute elevator pitches and the details are left to the engineers. Who no doubt were shaking their heads saying "I never told anyone that."

Kevin Granade • December 5, 2011 9:20 AM

@Brian
"I don't really like the idea of carriers installing ANYTHING on my smart phone without telling me. But I'm not sure it makes sense that CarrierIQ is as bad as some people think."
Consider the security implications of this, whether they plan on doing anything 'bad' with the information or not, they have exposed the information, which means the 'bad guys' can get at it more easily.

Canary in a data mine • December 5, 2011 10:15 AM

Looking at the tracking/logging bit is interesting.
Telco security fraud would be simple to do with this. It would be interesting to see if spoofed calls to the number do something. It could for example trigger NSA's Call Data Registry. I don't think there's a column on the CDR table yet for duration of call. For example, when you are targeted via the phone system, and you receive hang up calls from numbers that you don't know. They might be "hot" numbers for the FBI/NSA to watch. No evidence necessary.

xyz • December 5, 2011 11:30 AM

Bruce:
"Apple announced it no longer uses CarrierIQ in iOS5. I'm sure this means that they have their own surveillance software running, not that they're no longer conducting surveillance on their users."

Well Siri is constantly running so who knows maybe it picks up a piece or two...

kingsnake • December 5, 2011 12:54 PM

I learned long ago to never put anything in electronic form -- no matter how "secure" -- which I would rather other people not know.

Lack of IQ • December 5, 2011 1:01 PM

They say that they don't record keystrokes but they do record URLs. Google has the search term in the URL so it seems that they can see encrypted searches which is what was originally alleged.

D B Carroll • December 5, 2011 1:02 PM

With regards to monitoring all keypress events, it may be that, on phone OS's, it is the only way for the client to monitor any keypress events -- like SetWindowsHookEx in Windows. What we need to know is, what gets logged and uploaded, what gets logged and kept locally for some period of time for batch processing later (and thus might be found and read by a third party), and what gets ignored immediately. In the Register interview it sounds like most keypresses are skipped immediately, but it's hard to be certain, since the Carrier IQ guy doesn't clearly distinguish between filtering on the client and filtering later, on some server.

One thing that the Reg's interview did not follow up on is the following:

In other words, a phone with Carrier IQ on it may receive an SMS that has formatting in it that calls some sort of an API?

Right.

This sounds like a major potential security hole. If the formatting of Carrier IQ's control messages becomes known, as now seems likely, then unless they have some sort of strong authentication mechanism for their control messages this could easily be a way for an attacker to seize control of the phone via a text message. Any bets on the strength of their authentication?

Another area of concern from the interview that needs follow-up. Carrier IQ says:

Does that mean SMS messages are never logged?

The content of SMS messages are never logged. There are two things that happen when SMS messages are received. One is, obviously, we count them, the ones that succeed, the ones that fail. We do also record the telephone numbers the SMSs are from and to.

...

The content of the SMS is never stored and never transmitted.

...

How much data on the average phone running Carrier IQ is actually transmitted in a day, a week or a month?

This is a really important point because obviously the more that you take off a device the more processing power you'd need. If we were doing everything that was claimed, we'd be outstripping Google for requirements of architecture.

The typical upload in for customer care information is about 200KB. That's about 200 times 1024 characters.

...

What percentage of that 200KB do you reckon is radio conditions? Would it be 80 percent, 20 percent?

It varies depending on the customer. It could be as much as 80 percent. Our advice to customers is to keep it within that 200KB framework.

How is this data transmitted? If it is ever transmitted over wifi, is it encrypted or not? If not, does it include positional data and incoming/outgoing phone numbers? If so, this would be extremely private data that is transmitted over the public internet.

As to the precise data collected, I reckon Carrier IQ can't say because of NDAs with the carriers who install their stuff. So we would need to get a statement from each carrier as to exactly how they configure carrier IQ and what it transmits to them. For instance, are complete URL's ever uploaded? It sure sounds like they could be -- and I see no legitimate reason for the Carrier IQ client to need to monitor entire URLs (as opposed to, say, server connections at the time a call is dropped).

@ wiredog - one reason to install monitoring software on the phone is to record what you do over wifi connections. The phone company can't see that -- and I see no reason why they should need to see it in order to monitor the quality of their own network.

S Claus • December 5, 2011 1:32 PM

If Carrier IQ says that they "do not collect user data", it is possible that they are telling the truth.

Because it could be that they do not collect it. However it could be...:
A. that Carrier IQ forward the data directly to some other company / organization
B. that the phone carriers are doing the collecting using Carrier IQ software
C. that the phone carriers are forwarding the data directly to some other company / organization

It would not be the first time within the last few years that U.S. phone companies have been found working with the alphabet agencies.

xor • December 5, 2011 1:37 PM

@Section9_Bateau...
"...that the companies that make your mobile devices collect just as much, if not more information than the carriers..."

I hope that is not supposed to be a "they do it too" defence(?)

And what NDAs are you supposedly under?

If you are under some NDAs with phone carriers then you should be able to provide some info that proves your allegations about the manufacturers.

Nelson Elhage • December 5, 2011 1:42 PM

It's worth linking Dan Rosenberg's analysis of CarrierIQ, in which he reports the results of reverse-engineering the software to determine what it actually does and does not connect and transmit.

R Cox • December 5, 2011 3:29 PM

I would like to add a third. If what I have read is correct, that this software might include key logging, the data transmitted might include non public sensitive data, such as passwords and credit card information. As many phones can and do use public WiFi connections, such data might be transmitted back to carrier through these public connections that are in principle insecure. It is unclear if or how the data is secured prior to being transmitted, if it is at all.

Alex Scoble • December 5, 2011 3:37 PM

No, it actually isn't worth mentioning Dan Rosenberg's analysis at all as it's done on a Samsung phone, whereas Trevor's research was done on an HTC phone.

And it doesn't matter at all if the data is sent to Carrier IQs or the Telcos. It only matters that the data is output to phone memory in plain text.

That anyone in the security space thinks that this is ok is completely infuriating.

Carrier IQ is a rootkit keylogger, is obviously malware by any definition of the word and breaks just about every security best practice.

It is an abomination and I'm severely pissed that it's on both mine and my wife's phones.

Also, the cell companies do not directly control what software is installed on the phones. That is done by the phone manufacturers. So when HTC, Samsung, Apple, etc. say they aren't at fault because the cell providers wanted them to do it, they have the power to say "this software is a completely bad idea and we won't install it for you, period."

Sprint, Samsung, HTC, Apple, etc., should all be ashamed that they chose to install malware on their phones.

zorro • December 5, 2011 3:47 PM

HTC (the manufacturer Trevor used in his research) by the way had (has?) another security vulnerability discussed here at Schneier's Pub about two months ago.

Just like this issue with CIQ, that one (a backdoor) also appeared (supposedly) only on phones made for the U.S. market.

Not sure but perhaps these events tell something about HTC at least.

db Cooper • December 5, 2011 3:52 PM

Perhaps those familiar with US law can elaborate further about this.

Given the reported behaviour of this malware is in violation of the carriers' stated privacy policies, should not impacted users have a case for terminating their contracts with no "Early Termination Fees"?

uniqueuser • December 5, 2011 4:15 PM

The outrage about Carrier IQ is certainly justified but keep in mind that facebook is doing even more terrible things with your sensible data yet everybody uses it. Many who are deeply concerned about this kind of spying are being silent on what facebook, their ISP and the NSA does!
It really bothers me. It bothered me so much this afternoon that I started blogging again after not posting anything for 4 years! lol
http://unique-user.blogspot.com/2011/12/...

Clive Robinson • December 5, 2011 4:21 PM

I made comment on the CarrierIQ interview with El Reg over the weekend on the then current Friday Squid page,

http://www.schneier.com/blog/archives/2011/11/...

The point people are missing is that this data is being sent in that 200-400Kbyte message back to the network provider or CarrierIQ servers, effectively in plain text.

Now also in my post I linked to an article by the journalist Duncan Campbell about a Privacy International (PI) investigation into commercially available tools being pushed in the direction of repressive regimes by companies from Britain, China, America etc.

These tools would easily be able to read this 200-400Kbyte block "off air" with equipment that easily covers a 1Km range...

If people are not worried about this then they really should be because it will be coming to a local LEA near you any day soon, if it has not already (I've been told the Met Police have a serious interest/commitment in this sort of thing).

As Kingsnake has observed and NobodySpecial before him (over on the HD full encryption page) and Julian Assange did at the London City University organised event we are in effect "totally s(r3w3d" and should not in any way entrust any kind of sensitive data to a smart phone...

zzz • December 5, 2011 4:27 PM

I wonder how many U.S. laws this violates if they record keystroke events anywhere... here's a couple cribbed from a slashdot post ( http://yro.slashdot.org/comments.pl?... ):

PCI DSS (The Payment Card Industry Data Security Standard). If people type credit card numbers or CVV2's, and this stores it..

GLBA (Gramm-Leach-Bliley Act). If PII is recorded, transported, stored without user's knowledge/consent.

Sarbanes Oxley. If they don't disclose that they do this to their investors, and perform the proper audits etc.

..Then again, here's a claim that Carrier IQ doesn't actually store most of the stuff that it has hooks to respond to.
http://yro.slashdot.org/comments.pl?...

D B Carroll • December 5, 2011 4:41 PM

I'm a Windows developer not a phone developer, so I'm not sure I fully understand Trevor's video. Is he showing:

1. Messages being passed to processes, like Spy++ on Windows?

2. Content output to the filesystem, like Process Monitor on Windows?

3. Content uploaded via some network connection?

4. Something else I don't understand.

I am almost certain it is not #3.

Thanks!

section9_bateau • December 5, 2011 4:43 PM

@xor: I am under NDAs with a major manufacturer, as well as both software and service providers serving multiple manufacturers. I also am under NDA with a company that specialized in serving carriers in the role of infrastructure design and support.

My work included performing Privacy Impact Assessments as well as security testing and review for new development projects. In the dozens of assessments I performed (from starting interviews to actual MitM traffic analysis and code analysis, to final reporting), I do not believe I found a single project in compliance with local regulations, corporate policy, or best practices.

My assignments also included several systems that were in production use as part of compliance requirements with local regulations, and those projects generally were no better. What opened my eyes the most of all was one project I reviewed 3 times, and all 3 times, they failed on more-or-less the same issues, but upper management kept on deciding "pressing business needs" overruled the clear issues they had, and kept approving them to advance to the next implementation/testing/full deployment phase. Later I realized the ONLY time I did not see that decision happen was once when the team found a critical issue with DRM shortly before the product was to be publicly released. That release did not go as planned, to say the least.

It sure as hell is not a "they do it too" defense. I wish I could say they were better, but in my experience, they have better tools to aggregate the information, and more stealthy ways to collect it. They know it, and they use it.

Godel • December 5, 2011 5:16 PM

In the Help Net Security article link below, in a survey of 5572 users only 21 had CarrierIQ on their phones, and they were all from the US or Puerto Rico.

http://www.net-security.org/secworld.php?id=12052

Of course the company's denials that they don't log actual key strokes means nothing when they optionally have the capability.

Jon • December 5, 2011 10:42 PM

Rule o' thumb: If it can be abused, it will be abused.

Even more so if it can be done secretively, profitably, with plausible deniability, and no effective punishment even if you do get caught red-handed.

Finally, they admit all the capabilities are there, and we're going to trust a PR flack to say, "Oh, but we would neeevvaaahh do THAAAATT"...

J.

Caleb • December 6, 2011 8:46 AM

My rooted, re-imaged with CyanogenMod phone is looking pretty good now.

I don't think I'll ever run a stock image from a mobile vendor ever again.

justcause • December 7, 2011 4:50 AM

@ section9 bateau

I hope you did not post from your phone- guess who will be looking and trying to find you- the companies who you signed NDA with?

hopefully you used an anon service or but wait they're owned by the gov and let me guess the gov monitors this website by bruce

I guess there is no safe haven

Jim Ramsey • December 7, 2011 5:43 AM

This is a serious if not really smart question.

Wouldn't someone in law enforcement or the military or with a security clearance want to avoid CarrierIQ?

Or..

What about someone whose work involves HIPPA?
Wouldn't they want to avoid CarrierIQ?

Zach • December 7, 2011 8:39 AM

On the iphone go to Settings>General>About>Diagnostics & Usage.

You can set "Automatically Send" to "Don't Send," but I'm not sure if that stops all the spyware. You can also click the "Diagnostic and Usage data" button to view individual logs, but I have no idea how to interpret them.

section9_bateau • December 7, 2011 8:55 AM

@justcause
I didn't use any protection service, because I was careful with what I said, and I know for a fact the company has suffered severe legal punishments in my jurisdiction for acting on people saying less than I did on other issues when they do not have the legal authority to track them. Some people there know this is me, and a good many of them have problems with what they do. Me, I left that line of work (consulting), and now I deal in security of administrative communications/protocols, and work full time for a single company, not 1-2 week contracts.

And I sleep much better at night now as well!

vanilla • December 7, 2011 6:59 PM

@ Jim Ramsey ... HIPAA ... something like Health Information Portability & Accountability Act ... that's probably fairly close ... and yes, it matters a great deal. Especially if what you think is transmitted 256 AES encrypted is also backchannel transmitted in plain text, and every incidence counts as a separate, fineable event.

What was his name? Beria? He would be so mad he was born 100 years too early if he knew what kind of instant dossier creation capabilities governments, industries, the savvy elite, and technocriminals have today.

@ Alex ... right on. I JUST got a smartphone again after a several year hiatus ... haven't had it a week, and guess what I found two nights ago after I heard the news about CIQ? Yep! Me, too. Sick of it.

x-r • December 16, 2011 11:34 PM

Everyone seems to be overlooking the fact that the logged data is being sent from the phone directly to CarrierIQ's servers. The carriers receive only a digest of the data after it has been parsed by the CIQ servers.

I know the carriers always know the geographic location of my phone, that is required by the physics of the network. But the carriers have telephone DNA and are closely monitored and regulated by federal wiretap and telecomm laws. CarrierIQ, on the other hand, is a five year old Silicon Valley startup that will sell anything for a buck. It is always searching for new ways to "monetize" the "social data."

And the most sensitive bit of data on the phone is not keystrokes, it is location, which is the one thing CarrierIQ readily admits to logging.

As an aside, it requires less than 1MB to record the location of a person at 5 minute intervals for an entire year. Once recorded, that information will live forever and be available for datamining at any future date. It is one thing to give that information to a regulated carrier, quite another to let some random startup gather it. If CIQ's website is to be believed and its spyware is on 141 million phones, there is a very good chance Carrier IQ knows exactly who is in the room with you, right now, everyone you have ever met, and everywhere you have ever been, for the past three years and counting.

The "profiles" that CarrierIQ sends to the phones are sent in SMS messages. This has three major implications:

1: The data collection profile can be changed at any time, without user notification.

2: The device-resident CarrierIQ monitors and parses all incoming SMS messages to detect and divert the control messages.

3: SMS is a public transport, so anyone who has access to the CIQ control message format can re-profile any phone.
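
Added example (not from the original comments, and not Carrier IQ's real message format, which this page does not describe): a control-message receiver that acts on a profile change only when the frame carries a valid per-device HMAC and a fresh counter, which is the kind of authentication whose absence is raised by D B Carroll earlier in the thread and in point 3 above. The frame layout, the device id and the out-of-band provisioned key are assumptions.

```python
import hashlib
import hmac
import struct

SMS_MAX = 140                    # payload bytes in a single 8-bit SMS
HEADER = struct.Struct(">BQ")    # version (1 byte) + message counter (8 bytes)
VERSION = 1
TAG_LEN = 16                     # HMAC-SHA256 truncated to 128 bits to save space


class ControlMessageError(Exception):
    """Raised when a frame must not be acted on."""


def _tag(key, device_id, header, payload):
    # The device id is part of the MAC input, so a frame sealed for one
    # handset does not verify on a handset with a different id.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(device_id).to_bytes(2, "big") + device_id)
    mac.update(header + payload)
    return mac.digest()[:TAG_LEN]


def seal(key, device_id, counter, payload):
    """Sender side: build header | payload | tag, fitting one SMS."""
    header = HEADER.pack(VERSION, counter)
    frame = header + payload + _tag(key, device_id, header, payload)
    if len(frame) > SMS_MAX:
        raise ValueError("frame does not fit in one SMS")
    return frame


class ControlReceiver:
    """Handset side: accept a profile change only if authentic and fresh."""

    def __init__(self, key, device_id, last_counter=0):
        self.key = key                      # assumed provisioned out of band
        self.device_id = device_id
        self.last_counter = last_counter    # must survive reboots

    def accept(self, frame):
        if not HEADER.size + TAG_LEN <= len(frame) <= SMS_MAX:
            raise ControlMessageError("bad length")
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        # Check the tag first, in constant time, before using any field.
        expected = _tag(self.key, self.device_id, header, payload)
        if not hmac.compare_digest(tag, expected):
            raise ControlMessageError("bad tag")
        version, counter = HEADER.unpack(header)
        if version != VERSION:
            raise ControlMessageError("unsupported version")
        # Only an authenticated counter may advance the replay window.
        if counter <= self.last_counter:
            raise ControlMessageError("replayed or stale counter")
        self.last_counter = counter
        return payload


def outcome(receiver, frame):
    """Return 'accepted' or the rejection reason, for logging and tests."""
    try:
        receiver.accept(frame)
        return "accepted"
    except ControlMessageError as exc:
        return str(exc)


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed demo key
    rx = ControlReceiver(key, b"device-A")      # hypothetical device id
    good = seal(key, b"device-A", 1, b"profile=radio-metrics-only")
    altered = good[:-1] + bytes([good[-1] ^ 1])
    for name, frame in [("altered", altered), ("good", good), ("replay", good)]:
        print(name, "->", outcome(rx, frame))
```

A symmetric key stored on the handset authenticates the sender only as well as that key is protected; an asymmetric signature avoids keeping a secret capable of producing valid frames on the device, at the cost of larger frames.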


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..