Carrier IQ verbatim: Answers from company exec, researchers
Contrary to preliminary reports, Carrier IQ's software doesn't actually appear to be a "rootkit keylogger." CNET talks to an executive at the company about what the software actually does.
It's been a tumultuous few weeks for Carrier IQ, the Mountain View, Calif.-based startup at the center of an Internet-wide privacy flap over what its software, which carriers place on mobile phones, actually does.
By now it seems abundantly clear that, contrary to earlier reports, the Carrier IQ technology is
But the company has not yet published technical details on how its software works--it says more information will be forthcoming soon--so CNET readers and others have continued to raise questions. In addition, carriers canCarrier IQ's software to record and transmit the URLs of Web pages visited, a privacy concern separate from keylogging.
Below are some verbatim statements--from Carrier IQ, security researchers, and other parties--that might provide some answers. Also see CNET'sand , including an .
Andrew Coward, vice president, marketing, Carrier IQ
On a CNN.com article quoting him as saying he was "surprised" by data logging: "I think my comments were misconstrued. I said that there is an Android system debug log in the phone (not related to CIQ) which generates log messages of what is happening in the device, and it was this information that the security consultants were able to view. FYI this debug-log viewer is called logcat."
On being quoted in a Wired.com article as saying "probably yes" when asked whether Carrier IQ's software could read text messages: "That was a misquote. It was in reference to the phone number associated with the SMS message, not the contents of the message."
On what carriers see: "They're not going to see the contents. They're not going to see what you type. They're not going to see the contents of your SMS messages. They're not going to see what's on your screen."
On being able to record running apps, visited URLs: "That relates really to understanding what applications are on the device and application usage. If you're having problems with the applications, we'll see all of that. Next to that in terms of sensitivity would be understanding what URLs your device is going to. We see that information too. Whether a service provider actually uses that information (is up to them)."
On remotely changing phone settings: "That profile obviously gets changed dynamically. What they do and can do is step up activity. Let's say they see a lot of dropped calls in one area. They might say, 'I need to turn on another 10,000 phones...to step up the amount of information that's coming in.'"
On deciding not to reveal technical specifications: "We have competitors, potentially, and there's a great hacking community out there, as we've discovered. Source code published for everybody to see probably isn't the best outcome for us."
On encrypting customer data: "When the information is transmitted, it's encrypted. I don't want to talk about what we do with the data on the device."
On real-time data collection: "If the consumer dials a special short code (during a support call), the device will upload the latest diagnostic information."
On being theoretically able to record all keystrokes because the software is running with root access: "We know our (software) doesn't do that. We strongly stand by that and hope to have proof as soon as possible."
Becky Bace, security specialist given access to Carrier IQ's systems
On what the Carrier IQ technology does: "Though I've not had time to do a deep dive into code, I've reviewed the system design (with focus on the monitoring pieces in particular) and asked some pretty damned hard questions of the tech principals about the particulars regarding the monitoring/data capture and forward mechanisms--I'm comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software (i.e., to serve as a diagnostic aid for assuring quality of service/experience for mobile carriers)."
On financial ties: "I've no financial relationship with the firm--it falls outside the information security and risk management functions that have defined my investment activities of the past. I have known the CEO of the firm for a while (our paths originally crossed when he was a CEO of one of the firms in which Trident invested a decade ago), but again, there has been no financial relationship between us, and when he called me for advice, the situation honked me off badly enough that I volunteered to help."
Dan Rosenberg, security researcher, Linux kernel hacker
"Based on my own research on CarrierIQ, the application does not record and transmit keystroke data back to carriers. The video depicts keystroke events being recorded to a temporary buffer that is not written to disk or sent back to carriers. These keystrokes are inspected in order to check for special sequences used for technical support and have nothing to do with the information that's being gathered by the application."
"In terms of how I conducted my research, I copied the application off of several Android devices that use it, and analyzed the assembly code using a disassembler to determine how it works under the hood."
On releasing the results of his work: "Redistributing the reverse-engineered internals of commercial software for purposes other than interoperability would most likely be a DMCA violation. Plus, it's not especially interesting for the purposes of this discussion, since the most important thing isn't the code that's there but the code that isn't there (namely, there's no code that records keystrokes)."
Jon Oberheide, co-founder of Duo Security, exploit creator, code auditor
"I definitely wouldn't use the term 'keylogger' to refer to Carrier IQ. It processes some input events (hardware buttons, etc), but it doesn't meet the functionality and intent of a keylogger."
"I agree with Carrier IQ's statement that it's really the carrier's policy on collecting URLs and other data. There's certainly privacy concerns and sensitive data that could be leaked through the URLs. Carrier IQ seems to be receiving the blame in this scenario, while it's really the carriers that should be answering the questions and claims here (which they've started to)."
"Most malware will just root your phone and have full access to all your activity regardless. Funny how people freak out about Carrier IQ, when malware can do the same thing but easier, more stealthily, and with obviously malicious intent."
"Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc. using this tool. The information collected is not sold, and we don't provide a direct feed of this data to anyone outside of Sprint."
"We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages, or any other personal information for diagnostic data and have no plans to ever do so."
CNET's Elinor Mills contributed to this report