Most of us use smartphones for more than we realize. They are the center of our social lives, our direct communication tool for friends and family, and increasingly the tool for entertainment on-the-go. For many people, it’s the first thing that you see when you wake up and the last thing you see when you go to bed. A significant amount of information about you passes through those little plastic, glass, and silicon boxes. A constant concern for the security-conscious among us is, “How secure is the information we share with our smartphones?”
Security researcher Trevor Eckhart has had something of a recent history making people aware of mobile phone vulnerabilities. Eckhart’s recent discovery of the HTC vulnerability that allowed for a potentially malicious app to hop on your mobile data connection and grab network information, possibly even ruin your 4G connection, gave the company cause to stop and fix some of their bugs. Now, Trevor points his talents at a more significant threat to personal information.
What is CarrierIQ?
There was a need in the mobile phone space to make emergency information and basic usage statistics available through a means that allowed multiple organizations to access the information. This includes E911 v2 style information, data that would make it easier for law enforcement to track a phone if a dangerous criminal was on the loose. The spirit of cooperative access and a desire to better the user experience gave birth to CarrierIQ. This company provides a service that, by means of software that carriers and OEMs can use, allows information to be gathered from the phone and presented in a web portal for easy access by organizations who need the information. All in all, a mostly harmless attempt to make certain aspects of the mobile phone experience better.
CarrierIQ offers a test application and APIs to anyone who pays for them to put this functionality inside their handset before pushing a phone to market. From that point, the organization which has paid for this software can implement it as it sees fit. The companies now have the ability to write the APIs into the OS they are working with, where the data is collected and sent to the portal for easy access. The information is transmitted to the portal via HTTPS, so the information is fairly secure while traveling from your phone to the portal.
CarrierIQ was named one of Fierce Wireless Fierce 15 in 2008 for their work in helping operators and handset makers “see what is going on between their end user and the device between the device and the network.” CarrierIQ explains their business on their About page as a company that has “revolutionized the way mobile operators and device vendors gather and manage information from end users.”
Who is currently using CarrierIQ?
When CarrierIQ was dubbed one of the Fierce 15, they were working with seven of the top ten major OEMs, as well as Verizon Wireless, AT&T, and Sprint. Currently, Trevor has found CarrierIQ in a number of Sprint phones, including HTC and Samsung Android devices. CarrierIQ is confirmed to be found on the iPhone or on feature phones, but Trevor has found RIM’s Blackberry handsets and several Nokia devices with CarrierIQ on board as well. CarrierIQ can be seen on your Android handset by installing an app from the Market called AnyCut. From there you will notice IQRD and IQAgent, which are both parts of the CarrierIQ system on the device.
While no carrier has documented anywhere publicly that they work with CarrierIQ, Verizon Wireless has documentation in their recently added “Important notice about how Verizon Wireless uses information” that describes their intent to use the addresses of websites you’ve visited on their mobile network, the location of your device, and “app and device feature usage”. Verizon states that they intend to use this information to deliver more relevant ads to you, as well as sell the information to other companies who want to make business and marketing reports. Verizon notes that the information they share doesn’t identify you personally. Verizon also provides you with the ability to opt out of this experience.
As far as I can tell, Verizon Wireless is the only company who has information like this posted, and they are certainly the only company using CarrierIQ that seems to offer the ability to opt out of the data collection and use. Trevor has created an app called the Android Security Test, which will help you determine whether or not you have been opted in to this service.
How is CarrierIQ being used on your phone?
So far, Eckhart has been able to locate a handful of points at which the CarrierIQ software on these phones records information. These are intents that, when activated, cause the information to be logged and sent to the company who is interested in it, be they OEM or carrier. The available information tells us that CarrierIQ is capable of recording:
- Key in HTCDialer Pressed or Hardware Keys: Intent – com.htc.android.iqagent.action.ui01
- App Opened : Intent – com.htc.android.iqagent.action.ui15
- Sms Received : Intent – com.htc.android.iqagent.action.smsnotify
- Screen Off/On : Intent – com.htc.android.iqagent.action.ui02
- Call Received : Intent – com.htc.android.iqagent.action.ui15
- Media Statistics : Intent – com.htc.android.iqagent.action.mp03
- Location Statistics : Intent – com.htc.android.iqagent.action.lc30
These are the intents that we are currently aware of. In fact, CarrierIQ owns a patent that gives them the ability to query just about anything. The patent specifically notes “any user entering data into a browser” as one of the possible functions. If you have a phone with a physical keyboard, the Hardware Keys intent seems to suggest that everything you type could in fact be logged and sent away for analysis.
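The intent action names listed above are the only visible evidence of when the agent logs an event, so one defender-side check is to watch for them in the device log. The script below is an added example (not from the article and not part of Trevor Eckhart’s Android Security Test): it maps each listed action to the event label the article gives it and scans logcat-style lines for them. The log lines are constructed for illustration; the tag `IQAgent` and the `onReceive action=` wording are assumptions, not captured output.

```python
# Added example (not from the article or from Trevor Eckhart's tools):
# map the HTC IQAgent intent actions listed above to the event each one
# signals, and scan constructed logcat-style lines for them.
import re
from collections import Counter

# Intent actions named in the article; the event labels are the article's.
CIQ_INTENT_ACTIONS = {
    "com.htc.android.iqagent.action.ui01": "key press (dialer or hardware keys)",
    "com.htc.android.iqagent.action.ui15": "app opened / call received",
    "com.htc.android.iqagent.action.smsnotify": "SMS received",
    "com.htc.android.iqagent.action.ui02": "screen on/off",
    "com.htc.android.iqagent.action.mp03": "media statistics",
    "com.htc.android.iqagent.action.lc30": "location statistics",
}

# Matches any intent action under the HTC IQAgent namespace, so actions
# the article does not list are still reported (as "unknown").
ACTION_RE = re.compile(r"com\.htc\.android\.iqagent\.action\.[A-Za-z0-9_]+")

def find_ciq_intents(log_lines):
    """Return (action, label) pairs for every IQAgent action seen in the lines."""
    found = []
    for line in log_lines:
        for action in ACTION_RE.findall(line):
            found.append((action, CIQ_INTENT_ACTIONS.get(action, "unknown IQAgent action")))
    return found

def summarize(log_lines):
    """Count how often each IQAgent action fired."""
    return Counter(action for action, _ in find_ciq_intents(log_lines))

# Constructed sample lines in logcat "brief" style; not real captures.
SAMPLE_LOG = [
    "I/ActivityManager(  123): Start proc com.android.mms for broadcast",
    "D/IQAgent (  456): onReceive action=com.htc.android.iqagent.action.smsnotify",
    "D/IQAgent (  456): onReceive action=com.htc.android.iqagent.action.ui01",
    "D/IQAgent (  456): onReceive action=com.htc.android.iqagent.action.ui01",
    "D/IQAgent (  456): onReceive action=com.htc.android.iqagent.action.lc30",
    "D/IQAgent (  456): onReceive action=com.htc.android.iqagent.action.zz99",
]

if __name__ == "__main__":
    for action, label in find_ciq_intents(SAMPLE_LOG):
        print(f"{action}: {label}")
    print(summarize(SAMPLE_LOG))
```

On a real device you would feed `adb logcat` output into `find_ciq_intents` line by line; the catch-all pattern matters because, as the article notes, the listed intents are only the ones currently known.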
Right now, it is difficult to see just how many phones have a variant of CarrierIQ on them, or how they are being used. Test applications have been found for Blackberry, specifically the 9530, and the Nokia n97-1 and Series 60 devices as well, though those phones are a little more difficult to go browsing around to see how the apps are being used. Nowhere on any of these devices are you, the user, shown or given control over what information is being collected, nor do you have the ability to opt-out anywhere.
What is shown in the “portal”?
Once the information is collected on your phone, it is shipped away via HTTPS to the CarrierIQ web portal. From here, information can be accessed piece by piece, allowing whoever is using the service to observe the data that was recorded. Eckhart sent us an image of a custom Google Maps overlay with information that maintains the call log of any given device (see above). Here you can see the duration of a call alongside its location and radio measurements to help a carrier see what might have happened if a call dropped.
In another part of the CarrierIQ portal found in a heavily notated PDF used for training that Eckhart uncovered, you can see where individual types of information can be requested. “SMS_PullRequest” is an example shown in the PDF as well as “ArchiveFull”. Your information is sorted by Equipment ID and Subscriber ID in most places in the portal.
The obvious question that gets asked next is “Who sees this information?” Employees of the companies that pay for CarrierIQ, sure, but how much further does that go? Cooperation with law enforcement? When the information is packaged up and sold to the highest bidder, how much of this information do they see? There is no accountability for this data anywhere. It is recorded, transmitted, and it exists with CarrierIQ. The information shown in these images is from Sprint’s portal, and each of the carriers has their own web portal with their own logins, but we as consumers have no idea who has access to this information.
Can CarrierIQ be removed?
CarrierIQ provides all of their customers with a test application and the APIs to make adjustments as they see fit. The test application seems to be essentially a bug report system: if your phone crashes or if you drop a call, for example, you use the “Device Health” application to file a report. Interestingly enough, not once have we seen this user-controllable interface anywhere in Android. What has been found, however, is CarrierIQ APIs embedded at the core of the Android operating system. This is not an application that you can simply remove, but a series of elements that are tied into the Android kernel for that device. For example, a system dump of an HTC device would reveal files like these:
- /system/app/HTCIQAgent.apk – IQ agent app.
- /system/app/IQRD.apk – IQ agent app.
- /system/bin/htcipcd – HTC IPC server.
- /system/bin/iqfd – CIQ frontend daemon.
- /system/bin/iqd – CIQ backend daemon.
- /system/lib/libciq_client.so – ciq client lib
- /system/lib/libciq_htc.so – ciq lib
- /system/lib/libhtciqagent.so – ciq agent lib
- /system/etc/iqprofile.pro – has a url for https://collector.iota.spcsdns.net:10003/collector/c
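Because these components live in `/system` rather than in a removable app, the practical check is to look for them in a system dump or on a rooted device. The script below is an added example (not from the article, and not HTC’s or CarrierIQ’s code): it audits an unpacked dump directory for the paths listed above and pulls any URL out of `iqprofile.pro`. It builds its own fake dump as a test fixture; the file contents, including the `collector=` line, are constructed, and only the URL itself is the one quoted in the article.

```python
# Added example (not part of the article, and not HTC's or CarrierIQ's code):
# audit an unpacked system dump for the CarrierIQ artifacts listed above.
import os
import re
import tempfile

# Paths as listed in the article for an HTC system dump.
CIQ_ARTIFACTS = {
    "system/app/HTCIQAgent.apk": "IQ agent app",
    "system/app/IQRD.apk": "IQ agent app",
    "system/bin/htcipcd": "HTC IPC server",
    "system/bin/iqfd": "CIQ frontend daemon",
    "system/bin/iqd": "CIQ backend daemon",
    "system/lib/libciq_client.so": "CIQ client lib",
    "system/lib/libciq_htc.so": "CIQ lib",
    "system/lib/libhtciqagent.so": "CIQ agent lib",
    "system/etc/iqprofile.pro": "CIQ profile (contains the collector URL)",
}

URL_RE = re.compile(rb"https?://[^\s\"']+")

def audit_dump(root):
    """Return {relative_path: description} for every listed artifact present under root."""
    return {rel: desc for rel, desc in CIQ_ARTIFACTS.items()
            if os.path.isfile(os.path.join(root, rel))}

def collector_urls(root):
    """Extract any URLs from iqprofile.pro; returns [] if the file is absent."""
    path = os.path.join(root, "system/etc/iqprofile.pro")
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fh:
        return [u.decode("ascii", "replace") for u in URL_RE.findall(fh.read())]

def build_sample_dump():
    """Construct a fake dump with a subset of the artifacts (test fixture, not a real dump)."""
    root = tempfile.mkdtemp(prefix="ciq_dump_")
    for rel in ("system/app/HTCIQAgent.apk", "system/bin/iqd",
                "system/lib/libciq_client.so", "system/etc/iqprofile.pro"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder\n")
    # Constructed profile content; only the URL is the one quoted in the article.
    with open(os.path.join(root, "system/etc/iqprofile.pro"), "wb") as fh:
        fh.write(b"collector=https://collector.iota.spcsdns.net:10003/collector/c\n")
    return root

if __name__ == "__main__":
    root = build_sample_dump()
    for rel, desc in audit_dump(root).items():
        print(f"found {rel}: {desc}")
    print("collector URLs:", collector_urls(root))
```

Pointed at a real dump (`audit_dump("/path/to/dump")`), a non-empty result confirms the HTC build of the agent is present; a different OEM’s build may use other file names, so an empty result is not proof of absence.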
Many Android ROM developers, such as the CyanogenMod team, will not have these issues, as their builds come from modifying the completely open source version of Android directly. Some Android developers have noticed, and they are not happy. Many other ROM developers on services like XDA-Developers are now releasing ROMs that are labeled “NoCIQ” to identify that the CarrierIQ software has been removed from the kernel entirely. At the moment, that seems to be the only way to opt out of the CarrierIQ service.
Why is the ability to opt-out so important?
There is some information that is necessary to have quick access to, and I understand that. The E911 system that we use in the US is dependent on basic location information to route an emergency call to the correct region so those services can arrive in a timely manner. I can even understand the desire from a carrier’s perspective to want to know when calls are dropped, SMS need to be sent or received more than once due to failure, and other relevant information that could make it easier to better their services. Collecting information for the betterment of their service is not a bad thing. The problem comes when a user is not properly informed, or if they aren’t customers at all.
It’s not an uncommon thing for an app developer to have a device that they use just for development. It’s not attached to a service, it’s usually purchased second or third hand, and it will never be used to make phone calls or use a carrier based service. Put simply, a device that is not attached to a contract in Airplane mode has no business dialing in to Sprint with usage information. This person isn’t paying Sprint for anything. No contracts have been signed. Even if the phone wasn’t purchased secondhand, but purchased outright, the same would be true. These devices would still be recording information and submitting it over WiFi to whoever was asking for it, because there is no way to opt-out.
What do the companies have to say?
The information we’ve sifted through with Eckhart reveals a potentially significant volume of data being collected. There is not a lot of information provided by these companies as to what the information is used for, who has access to the information, and why there seems to be no way to opt-out of it in many cases. We reached out to CarrierIQ, HTC, and Sprint to see what the official answer is on these topics.
Mira Woods, an employee focused on Marketing Communications at CarrierIQ commented that once their customers receive the metrics they have asked to have recorded, “how our customers consume the data is then a function of their business need and the continuing obligations they have to their customer base”. Essentially, CarrierIQ offers a product, establishes a series of metrics that their customer wants to have recorded, and what they do with that information is the company’s own business.
Woods was very clear to make sure it was understood that “while we are looking at many aspects of the device, the type of information we actually gather is based on counting and delivering performance metrics, not capturing user data. For example, we are interested in the success/failure rates of SMS traffic, not the content of these messages.” The fact that this software is baked into the operating system, incredibly difficult for most consumers to locate, and impossible to shut off or remove, is something that CarrierIQ assumes is covered by the privacy policy of their customer.
HTC is the author of the CarrierIQ software on their devices. Most of the CarrierIQ hooks in HTC devices are named things like “HTCIQAgent.apk”, and the applications are digitally signed by HTC. However, when asked to provide some additional information as to the function of these services, HTC was unwilling to provide any feedback. A spokesperson from HTC’s PR firm commented that “At this time we aren’t going to be able to speak to carrierIQ’s. These questions would be more appropriately addressed by the specific mobile operators.” Unfortunately Sprint, Verizon, and AT&T aren’t the companies that wrote the applications that are recording the information.
In the case of HTC devices, HTC is taking the CarrierIQ APIs and writing their own tailor-made logging software to provide information to the carriers. What does HTC get for this? Do they have access to the information as well? HTC was unwilling to comment.
It seems like everyone in this situation is pointing fingers at the carriers. So, we asked Jason Gertzen of Sprint Corporate Communications for answers. Gertzen assured me that Sprint was unable to look at the contents of messages, photos, or videos using the CarrierIQ tools. He also noted that the information that is collected is not sold, and that no one but Sprint has access to a direct feed of the data they collect. Gertzen was unwilling to comment as to why Sprint was unwilling to provide an opt-out for the service, stating only that Sprint relies on CarrierIQ to help maintain network performance.
Sprint does have it documented in their privacy policy that they “Monitor, evaluate or improve our Services, systems, or networks” and they “Anonymize or aggregate personal information for various purposes like market analysis or traffic flow analysis and reporting”. However, they also mention that if they use your information to deliver advertising “tailored to your interests”, they share that information with the companies who specialize in delivering that tailored experience. That still falls under data that is provided without a direct feed, but what about the discovery made by Christopher Soghoian back in 2009 that exposed Sprint’s electronic surveillance group that was responsible for cooperating with law enforcement without probable cause? Their job was specifically to use a web portal with these law enforcement officers to show location and other relevant bits of data.
Closing thoughts
Data is sent, stored, and used by these companies at every level of your user experience. The carriers, manufacturers, ad companies, law enforcement, all have access to this information. You do not have the ability to turn it off, and once they have the information they store it for as long as they determine it is relevant, which is likely forever.
As two of the largest producers of Android devices, the notion that HTC and Samsung (along with whoever else uses the service) take information off of these devices without the user being aware and with no clear way to opt out, then send that information away for the carriers to use, is troubling. One of the carriers has already admitted to selling the information they collect, and it’s not unlikely that the other carriers are doing the same. The information is not private in any way — associations with your hardware ID, subscriber ID, and pages that clearly show phone numbers demonstrate that the people with access to this information know who the user is.
At the moment, the only people with Android phones who are able to escape CarrierIQ are users who are brave enough to root their phones and flash a ROM that does not have the CarrierIQ software integrated with the operating system, like CyanogenMod. Without an opt-out policy for most of the information that is collected, I don’t think it is likely many people who are made aware of how their data is being collected and stored will be happy with their manufacturers, their carriers, or even Google for allowing this to happen.
Additional information on this topic can be found at Trevor Eckhart’s site, Android Security Test.