December 3, 2011

How Carrier IQ was wrongly accused of keylogging

In just a few days, a startup company named Carrier IQ has been subjected to extraordinary public vilification, with reports accusing it of making a "rootkit keylogger" that "creeps out everyone" or is the "rootkit of all evil."
The only problem, which is always a risk when a public lynching takes place, is that Carrier IQ appears to be not guilty of the charges lodged against it.
The most serious charge against Carrier IQ, a venture capital-funded startup in Mountain View, Calif., that makes diagnostic software for carriers, has been that it records keystrokes and transmits them to carriers. One article on a Mac Web site breathlessly reported that "Carrier IQ Probably Violated Federal Wiretap Laws In Millions Of Cases."
Well, no. There's zero evidence that Carrier IQ captured, recorded, or transmitted any keystrokes. But that didn't stop the self-appointed lynch mob on blogs and on Twitter (#OccupyCarriers, that would be you).
Dan Rosenberg, an exceptionally talented security consultant who has discovered over 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, extracted a copy of Carrier IQ's software from his own Android phones. He then analyzed the assembly language code with a debugger that allowed him to look under the hood.
"The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."
Carrier IQ has given Rebecca Bace, a well-known security expert who's advised startups including Tripwire and Qualys, access to the company's engineers and internal documents. (Bace says she has no financial relationship with Carrier IQ.)
Bace told CNET: "I'm comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software -- to serve as a diagnostic aid for assuring quality of service and experience for mobile carriers."
Andrew Coward, Carrier IQ's vice president for marketing, acknowledged last night that the company may not have taken the best approach in responding to public criticism, which started with a blog post by Trevor Eckhart, a 25-year-old system administrator in Connecticut who noticed unusual software on HTC EVO devices. He dubbed it a rootkit, leading to legal threats from Carrier IQ, an intervention by the Electronic Frontier Foundation, and an embarrassing bit of backtracking a few days later.
Threatening to sue a security researcher, even a newly minted one, isn't exactly the way to make friends nowadays -- especially after the last decade has seen a parade of ill-received threats from Cisco, HP, voting machine makers, and the Recording Industry Association of America.
That legal threat, not unreasonably, led critics to assume the worst. "That's really been part of our challenge in responding to the allegations," Coward told CNET. The company decided it needed to be more forthcoming after "going back and saying, 'No, we don't, no we don't,' which is where we started, didn't really work." (The company also released a public statement yesterday.)
There's now a "vast misunderstanding of what we do," Coward says.
That Carrier IQ is innocent of the keylogging accusation, the most serious charge, does not, however, mean there are no privacy concerns.
Coward acknowledged that the company's software, which is designed to be installed by carriers, can report back what applications are being used and what URLs are visited. Carrier IQ doesn't make these decisions; rather, they sell configurable software and the carriers decide what options to enable.
"It's up to them whether they do or don't collect that information," Coward says.
The information is used to summarize how the device is working so carriers can improve their networks, he says. It also helps them when they're forced to field calls from outraged customers wondering why their handset keeps crashing or runs out of battery life in a few hours.
Typically the data dump to a carrier is configured to be sent daily, either over Wi-Fi or the carrier's networks, Coward said. "The device ends up storing about 200 kilobytes of data," he says. "That's typical upload size. When it gets to the point that it's full, it'll do an upload or it'll drop data and start wrapping and store summary information." (Customers aren't charged for the upload, and it's disabled when the phone is roaming.)
It's true that carriers already know what URLs you're visiting when you use their network -- meaning that, in a way, Carrier IQ can be configured to send them data they already have. Privacy concerns arise when a list of URLs is stored on the device and accessible to forensic analysis, or when a list of URLs visited on a Wi-Fi network is transmitted. (Remember, Apple's log of locations accessible to forensic analysis landed it in hot water earlier this year.)
In this case, the software can be configured to send data directly to the carriers or to Carrier IQ's data center. "The data is not controlled by us, regardless of which model is used," Coward says. "We have no rights to the data. We cannot sell it, lease it, rent it, share it. The operators are extremely strict about that, as you might expect."
