You may be aware of the growing controversy surrounding Carrier IQ, a piece of software found pre-installed on Sprint phones that, according to developers who have investigated, is capable of detecting, recording, and transmitting various user actions and inputs. Among the data CIQ potentially has access to are location, SMS, apps, and key presses.
News of the software has been percolating for months on development forums, but when Trevor Eckhart recently summarized his findings, he found himself facing a cease and desist while Sprint vigorously denied the charges, saying “We do not and cannot look at the contents of messages, photos, videos, etc., using this tool.”
The C&D was quickly retracted, but Eckhart has now released a video that seems to give the lie to both Sprint and Carrier IQ’s assurances.
A step by step breakdown of the video, with code snippets, is available here.
A couple grains of salt are suggested. First, while Eckhart has no reason to falsify this information, it’s possible that this debug log is not entirely accurate for technical reasons, or that the conclusions are only applicable to this handset or software version. Second, this log does not prove that any of this information is actually being transmitted to any third party.
However, the fact that CIQ is in fact seeing all this information means that it has access to it and could very easily record it and transmit it. Whether it has or hasn’t isn’t material, because Sprint and CIQ have both said that they can’t. In fact, CIQ claims their software
-Does not record your keystrokes.
-Does not provide tracking tools.
-Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
-Does not provide real-time data reporting to any customer.
-Finally, we do not sell Carrier IQ data to third parties.
Note the careful use of the words “record,” “provide,” “inspect,” and “report.” It’s obvious from this video that the application has access to the information in question, and whether it records, provides, inspects, or reports it is simply a setting they can choose. The purposes for which CIQ says their software is installed — identifying trending problems in the fleet, for instance — don’t seem to me to require the level of access the software has granted itself. Add this to the fact that users are not informed at any step that their information is passing through a “quality assurance” layer (sometimes before the user layer itself is aware of it), and their indignant denial begins to ring hollow.
Furthermore, as many developers have pointed out, the mere presence of the software is detrimental. Removing the software has reportedly improved performance and battery life. In addition, secure handshake information over wifi is passed through the software unencrypted, something that has little to do with carrier quality assurance. And if that information is cached even temporarily, that’s a security risk.
The presence and capabilities of this software, if it is indeed necessary, should be explained fully to users and the option given to safely opt out. As it is, Carrier IQ’s software appears to be overly invasive and potentially insecure. Hopefully Sprint will provide an adequate explanation soon; in the meantime, CIQ cannot be removed except by installing a custom ROM, so unless you’re prepared to do that, you’re out of luck.