Update December 13: Carrier IQ issued an updated statement, new concerns for an endless saga…
I am proud to post here the first known detection in Italy of the infamous Carrier IQ software!
As you probably know, everything started on Nov. 28, on the other side of the Atlantic, when Trevor Eckhart, an Android developer, posted a video on YouTube showing the hidden software Carrier IQ interacting oddly with his mobile phone activity. Eckhart subsequently alleged his keystrokes and data were being collected without his permission.
Predictably, speculation and accusations began immediately concerning the kind of data collected by Carrier IQ and presumably transmitted to wireless mobile operators. As a matter of fact, subsequent investigations have shown that the Carrier IQ software is embedded on nearly every mobile phone and operator, at least in the U.S., where concerns of consumer privacy led Massachusetts congressman Rep. Edward Markey to ask the Federal Trade Commission to investigate the company.
But although many believed the software was logging keystrokes and collecting sensitive data, a subsequent, more reasoned analysis carried out by reverse engineering the code has shown a different scenario: the software “only” collects anonymized metrics data, although there are hooks inside the code to events such as keystrokes, possibly suggesting the implementation of this kind of functionality in future versions. Essentially, the analysis confirmed the content of a statement by the company which attempted to clarify how information was being collected:
We measure and summarize performance of the device to assist Operators in delivering better service.
While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.
Nevertheless, since the clarifications did not mitigate the fact that Carrier IQ is a potential risk to user privacy, and users may not choose to disable it, a bunch of class action lawsuits have been filed against the main handset manufacturers and carriers including, besides the obvious Carrier IQ, AT&T, Sprint Nextel, T-Mobile USA, HTC, Apple, Samsung, and Motorola Mobility.
Of course European regulators could not remain indifferent, and immediately started to investigate Carrier IQ. Germany’s Bavarian State Authority for Data Protection was the first to contact Apple, which publicly declared that it had included Carrier IQ in earlier versions of iOS, that support ceased with iOS 5, and that it will be completely removed from previous versions in future software updates. The German example has immediately been followed not only by other regulators in the U.K., France, Ireland and Italy, but also by organizations like BEUC, the European Consumers’ Organisation, which defends users’ right to be told how their data is used.
I was wondering if Europe’s concerns were exaggerated (since so far the scandal seemed to be contained in the U.S.) until a friend of mine decided to test one of the available Carrier IQ detection tools on his Samsung Galaxy Tab, which was purchased from 3, an Italian Mobile Operator belonging to the H3G Giant.
Of course the results are shown above: the tool detected the Carrier IQ software in an inactive state. The bad thing is that, although the software is apparently inactive, my friend told me he was not able to remove it following the different procedures available on the web, even if he did not spend much time on its removal. So far I can only show the screenshot, but he told me he will give me his device for a deep analysis (with caution since it is his work device).
Thinking about this strange encounter, I admit I could not help but think of Samsung’s official statement concerning Carrier IQ (as reported by Engadget):
Some Samsung mobile phones do include Carrier IQ, but it’s very important to note that it’s up to the carrier to request that Samsung include that software on devices. One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ.
Since it is up to the carrier to request the software to be included on Samsung devices, I presume that 3 could have decided to install it on all the devices for the Italian market. I tested the tool on my HTC Desire and Sensation XE (both belonging to Telecom Italia Mobile) with no result.
Francesco Pizzetti, Italy’s Protection of Personal Data Guarantor will have a lot to do… meanwhile he opened an investigation into how Carrier IQ works and is checking Italian mobile phones to verify where the software is in use.
Mobile devices are more and more becoming inseparable companions for our personal and professional life, and deadly enemies for our privacy…