Skeptics Find Flaws in Carrier IQ Application Analysis
Only now are some skeptical voices being raised that the case against Carrier IQ may be a rush to judgment without a real, or at least an adequate, basis in fact.
The company has been pilloried the length and breadth of the World Wide Web for the better part of a week, accused by a growing chorus of selling smartphone spyware in the form of a rootkit and keylogger to mobile carriers. The accusations and outrage hinge on a YouTube video posted by a 20-something systems administrator, Trevor Eckhart, purporting to show the smartphone program recording keystrokes and seeing SMS text messages. Yet Eckhart failed to use some basic tools that could have confirmed what he, and many others, think he saw.
Earlier this week, Sen. Al Franken (D.-Minn.), on the basis of Eckhart's video and on blog posts and news accounts also based on it, "demanded" answers from Carrier IQ about what the software actually sees and does.
The skeptics aren't getting much help from either Carrier IQ itself or the carriers using the software. The software vendor shot itself in the foot by slapping Eckhart with a cease-and-desist letter, which it later withdrew and for which it apologized after the Electronic Freedom Foundation took on Eckhart's case. Since then, the company has refused repeated requests to give any technically based explanation of how its software actually works, though this started to change Thursday, Dec. 1 (See: "Carrier IQ again asserts no user data logged or sent"). The two U.S. carriers using the software, AT&T and Sprint, simply repeat that they only collect device and network data, such as dropped calls or failed SMS message, that lets them improve their smartphone service.
Despite the presence of online forums, hacking sites, social networking and the World Wide Web, apparently no one has attempted anything like a "peer review" of Eckhart's conclusions. The video and posts purport to show that Carrier IQ's Android client software is logging a range of user activities, including individual touches to the phone's screen, and then sending them to a server for analysis. Eckhart has not responded to two Network World requests, via email, to talk about his analysis.
Eckhart's 17-minute YouTube video is the basis for allegations that Carrier IQ is spyware, and that -- whatever its stated purpose is -- its real goal (and the goal of the carriers using it) is to watch, capture and exploit detailed private information about smartphone users. In the tidal wave of news stories, blog posts and Web comments, Eckhart's video is accepted unquestioningly as "proof" that Carrier IQ, in the hands of carriers, is already carrying out a surreptitious, pervasive surveillance campaign or has the capacity to do so.
"The interpretation of the video is inaccurate," says Dan Rosenberg, vulnerability research practice lead for Virtual Security Research, a Boston-based consultancy. For the firm, Rosenberg specializes in application and network penetration testing and code review, sometimes with reverse engineering code. He also does security research in these areas, especially on the Linux kernel and the Android operating system.
He first blogged about his reservations in a brief post at Pastebin.com. He went into more detail with Network World this week.
"The video depicts that Carrier IQ does react to events like typing a key," Rosenberg says. "Trevor jumped to the conclusion that this means they are recording all your keystrokes and sending them to the carrier. That would be a major violation of privacy. But that's not what's happening based on my analysis."
Rosenberg had known of Carrier IQ, and in early November, before Eckhart released his conclusions, began to reverse engineer it. "It's installed by default on smartphones, and no one has the ability to remove it, and it does collect data and send it to carriers," he says. "There's a potential for abuse, and I wanted to analyze it and understand it."
He copied the Carrier IQ software from several HTC and Samsung Android phones and loaded it into a disassembler to expose and read the machine instructions. What he found was a large, powerful program with a lot of capabilities. Rosenberg says he did not make an exhaustive study of all the program's features. But after Eckhart's video was posted, Rosenberg refocused his attention on the alleged keylogging and transmitting features.
Eckhart's video actually shows debugging output, Rosenberg says, which is intended to let developers go through a program line by line to iron out problems. As such, displayed in a debugging buffer, these details are not stored on disk or collected as data, he says.
"They are not actually storing keystroke data at any point, anywhere," Rosenberg says. "Much less sending the data back to carriers."
Temporarily putting this information in a debugging buffer is a questionable practice, he says. "They're printing debugging statements that show keystroke data," Rosenberg says. "That's not an immediate threat, but it's sort of like why you don't want to write down your password: so you don't have sensitive data lying around somewhere. But that [practice] is not like logging data and sending it to carriers."
Rosenberg says he has talked with Eckhart several times, and specifically about Eckhart's interpretation of what the debugging buffer revealed. Rosenberg declined to go into details about those conversations, but did say, "I've debated this with him. Originally, he disagreed with me. But nothing on our private conversation provided me with evidence to the contrary."
Rosenberg's hands-on experience with Carrier IQ seems to be the most detailed yet on public view. And it lines up with reservations or criticisms levied against Eckhart's interpretation of Carrier IQ as a keylogger that's sending SMS message contents and other information back to the mobile carriers.