12/2/2011
12:04 PM

Carrier IQ Denies Wiretap Claims

Smartphone network diagnostic software maker says it only collects data that carriers request. Is your phone affected?

Carrier IQ, a "mobile service intelligence" provider, has responded to ongoing questions about exactly what types of information its handset monitoring software records, and denied allegations that its software runs afoul of wiretapping regulations.

"Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions," according to a statement released by the company Thursday.

According to Carrier IQ, while its smartphone monitoring applications see smartphone data--to assess what is or isn't pertinent to monitoring the performance of the smartphone or the network that it uses--that isn't the same as recording or transmitting that data. "While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store, or transmit the contents of SMS messages, email, photographs, audio, or video," according to Carrier IQ. "For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."


Notably, federal wiretapping statutes provide exemptions for carriers and their business partners to monitor the performance of their infrastructure. Carrier IQ said that it "acts as an agent for the operators," to help make their customers' phones work better. "Our software allows operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery," it said.

Carrier IQ's Thursday statement includes a testimonial from security expert Rebecca Bace of Infidel, a former member of NSA's Information Security Research and Technology Group, as well as deputy security officer for Los Alamos National Laboratory. "Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of [a] mobile device user's content are erroneous," said Bace.

Carrier IQ's statement was released in response to growing questions about what data its software collects from handsets, and why. Suspicion had been mounting over the company's software after the Electronic Frontier Foundation disclosed a cease-and-desist letter that Carrier IQ had sent to 25-year-old Connecticut security researcher Trevor Eckhart last month--threatening at least $180,000 in copyright damages--after he published insights into how the company's software operates, and branded it as a rootkit. (Similarly, security researchers before him had labeled it as spyware.)

Comments
mlesnick100,
User Rank: Apprentice
12/3/2011 | 11:55:00 PM
re: Carrier IQ Denies Wiretap Claims
Here's the BIG Question: Was NEWS CORPORATION a CUSTOMER of CARRIER IQ? If they were, there is your PHONE HACKING SCANDAL within the USA.

Also - let's read the statement:

"....our software does not record, store, or transmit the contents of SMS messages, email, photographs, audio, or video..."

Notice what they DID NOT say: http websites, HTTPS websites, usernames, passwords....

In other words...they failed to mention:
- your email location / username/password you access on the phone
- your bank account location / username/password you access on the phone
- your crm or salesforce username/password
- your corporate access

I can go on. Now with 121 million phones, this will affect:

Some Senators & Congressmen (and their staff)
White House Staff
Military Personnel
Law Enforcement Personnel
.... I can go on.

Phone manufacturers would be wise to distance themselves from Carrier IQ. So would the networks. Carrier IQ will be on their own come Monday and will be set for a live roasting by the government.
sanchanim,
User Rank: Apprentice
12/2/2011 | 11:25:13 PM
re: Carrier IQ Denies Wiretap Claims
Please note that these findings are from a young inexperienced person claiming to be a wireless security expert. None of his resume titles gives him any knowledge in the wireless space, and he also works for a company which competes in this space so don't be fooled!
Please see official company responses regarding these false claims.

All Things Digital Article

PC Mag Report

http://news.cnet.com/8301-3192...

Please also note Carrier IQ, as based upon its reports, works within the original end user agreement with its carrier like AT&T or whomever. So no laws are being broken and this report is baseless unless otherwise proven.

The person reporting this is by far not an expert and what he shows is not what is stored or transmitted according to the company.

He should get his facts straight before crying fire in a crowded theater.
sanchanim,
User Rank: Apprentice
12/2/2011 | 7:04:54 PM
re: Carrier IQ Denies Wiretap Claims
Please note that these findings are from a young inexperienced person claiming to be a wireless security expert. He is an ITT graduate IE desktop support and got a few certs. And oh boy look out he is a boy scout!!! He is also employed by a known competitor in the same business space. Makes you wonder doesn't it! Carrier IQ has posted from actual security experts that Trevor's claims are in fact false. None of his resume titles gives him any knowledge in the wireless space, and he also works for a company which competes in this space so don't be fooled!
Please see official company responses regarding these false claims.

http://allthingsd.com/20111201...

http://www.pcmag.com/article2/...

Please also note Carrier IQ, as based upon its reports, works within the original end user agreement with its carrier like AT&T or whomever. So no laws are being broken and this report is baseless unless otherwise proven.
The person reporting this is by far not an expert and what he shows is not what is stored or transmitted according to the company.
He should get his facts straight before crying fire in a crowded theater.