In association with heise online

05 December 2011, 15:34

Carrier IQ points at manufacturers for insecure logs


Carrier IQ, whose software developer Trevor Eckhart has accused of being a "rootkit", has pointed at phone manufacturers as the party responsible for the security failings attributed to its software. Carrier IQ's first response had been to serve a cease and desist letter on Eckhart, which it later withdrew after the Electronic Frontier Foundation became involved. Eckhart then released a video which went into further detail, showing an HTC Android smartphone apparently reporting keystrokes, SMS messages and browser URLs.


Trevor Eckhart demonstrates Carrier IQ activity on an HTC phone

During his investigations, Eckhart found a plain text log file which was readable by other applications. In an interview with The Verge, Carrier IQ's Vice President of Marketing, Andrew Coward, said that the log file Eckhart found was not generated by Carrier IQ's software but by code from the manufacturer of the phone. Eckhart was testing an HTC phone, so although Carrier IQ does not name a manufacturer, it seems likely that the log file in question came from HTC's modifications. Coward reportedly added that the Carrier IQ software does keep a log of its own, but that it is held in a particular section of memory and is not stored in plain text.
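The security-relevant detail here is not that a log exists but that it was readable by other applications. On Android every installed app runs under its own Linux UID, so a file written by one app is reachable by an unrelated app only through the "other" permission bits (or a shared group). The following script, added here as an example and not code from the article, from Eckhart or from Carrier IQ, shows the check a practitioner would run: it parses the output of `ls -l` as printed by the Android toolbox shell of the time and flags regular files whose "other" bits grant read or write access. The listing embedded below is constructed for the example; the file names and UIDs are placeholders, not the real contents of the phone Eckhart examined.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `ls -l` output in the format the Android toolbox shell
# used around 2011. File names, owners and sizes are placeholders invented for
# this example; they are not the actual files found on Eckhart's HTC phone.
SAMPLE_LISTING = """\
-rw-rw-rw- app_42   app_42     18234 2011-11-28 14:02 diag_log.txt
-rw------- app_42   app_42      4096 2011-11-28 14:02 private.db
-rw-rw-r-- system   system      1024 2011-11-28 14:03 metrics.log
drwxrwxrwx app_43   app_43     2011-11-28 14:03 cache
-rwxr-x--- app_43   app_43       512 2011-11-28 14:04 helper
"""

# One line of toolbox `ls -l`: mode, owner, group, optional size, date, time,
# name. Directories were printed without a size column, hence the optional group.
_LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<name>.+)$"
)


@dataclass
class Finding:
    name: str
    owner: str
    mode: str
    world_readable: bool
    world_writable: bool


def audit_listing(listing: str) -> List[Finding]:
    """Return one Finding per regular file whose 'other' permission bits grant
    read or write access.

    Because each Android app has its own UID, the 'other' bits are what decide
    whether an arbitrary third-party app can open the file. A world-readable
    log leaks its contents to every app on the device; a world-writable one can
    also be tampered with.
    """
    findings: List[Finding] = []
    for line in listing.splitlines():
        m = _LS_LINE.match(line.strip())
        if not m or not m.group("mode").startswith("-"):
            continue  # blank, unparseable or not a regular file
        mode = m.group("mode")
        other = mode[7:10]  # last three characters are the 'other' rwx bits
        readable = other[0] == "r"
        writable = other[1] == "w"
        if readable or writable:
            findings.append(
                Finding(m.group("name"), m.group("owner"), mode, readable, writable)
            )
    return findings


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        access = "read/write" if f.world_writable else "read"
        print(f"{f.mode} {f.owner:<8} {f.name}: world-{access}able")
```

To run this against a real device, capture the listing with `adb shell ls -l <directory>` and feed the captured text to `audit_listing` instead of the constructed sample. The script only judges the classic mode bits; a file can also be exposed through a shared group ID or, on later Android versions, through SELinux and storage-layer rules, so a clean result here is necessary but not sufficient.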

The log file issue does not, though, address other concerns. The Carrier IQ software does listen for keystrokes and SMS messages, but Carrier IQ has stated that it does not log, store or transmit that data. It says it watches the dialler's keystrokes for short codes so that it can execute system commands, and watches incoming SMS messages for specific commands from the carrier, such as an instruction to "phone home" and deliver its gathered metrics. The company insists that its software discards any information that is not specifically addressed to it.

Some insight into how widespread Carrier IQ is came from the University of Cambridge's Device Analyzer project, which gathers information from 5572 Android smartphones around the world. Searching those handsets for Carrier IQ software, the project found only 21 devices running it. All 21 were based in the US or Puerto Rico and were on AT&T, Boost Mobile or Sprint. The researchers found no evidence of Carrier IQ software being used in other countries but, given their small sample, could not exclude the possibility; they invited users to join their global research by installing the Device Analyzer app.

Phones that are known not to have Carrier IQ include Google's own Nexus One, Nexus S and Galaxy Nexus. A variant of Carrier IQ was found on iPhones, but it is off by default, can only be activated by turning diagnostics on, and lets users see all the diagnostic information it is sending. Apple says it will remove all traces of Carrier IQ in a future release of iOS. Nokia and RIM have both denied shipping any phones which include the Carrier IQ software. Most UK carriers have also gone on record denying that they use Carrier IQ's software.

Users of Android phones who want to know whether Carrier IQ's software is on their devices can now download the Voodoo Carrier IQ detector, which attempts to work out whether Carrier IQ is present and active on an Android phone. The software is still in development but can generally give a useful indication of whether Carrier IQ is installed. Currently there is no way to disable the software without rooting the phone or replacing the firmware with a custom ROM such as CyanogenMod; the CyanogenMod developers have explicitly stated that their ROMs do not contain Carrier IQ software.

(djwm)

Permalink: http://h-online.com/-1390359