Risk
3/1/2012
11:04 AM
Fritz Nelson
Commentary

Carrier IQ Fights Back With Consumer Dashboard

Carrier IQ, attacked last year for monitoring cell phone user data, says it can help consumers gauge wireless phone performance--if carriers implement the app.

Carrier IQ, the infamous company whose tracking software was derided as a rootkit capable of exposing user action and data, is back in the news. But this time it is proposing to give consumers their own data through a consumer dashboard, the company announced at Mobile World Congress this week in Barcelona.

Carrier IQ was once just an obscure company, working behind the scenes, its software installed on some 140 million phones and capable of tracking phone usage, mostly to provide mobile carriers with data critical to the operation of their networks. The software can detect dropped calls, signal strength, network utilization, and phone performance, as well as things like battery life and application performance--basically how the devices were performing on the network, and the gap between consumer perception and carrier perception.

The software was used by Sprint and AT&T, across multiple device types, and is now also used by T-Mobile and Cricket, said Andrew Coward, Carrier IQ's VP of Marketing and Product Management. While it might seem as if the carriers already have access to their network performance, they don't necessarily have it from the device's point of view. In fact, customer care agents, when helping customers, need to see what the user sees (for example, where the user was when a call was dropped). Naturally all of this data became important to the handset manufacturers as well, creating an entire ecosystem of parties interested in this data.

But then along came security researcher Trevor Eckhart's discoveries about how that data was being exposed, and the potential for privacy abuse. Specifically Eckhart saw that Carrier IQ's software was tracking all of the HTTP and HTTPS traffic from his HTC phone, in addition to phone numbers and the contents of incoming and outgoing SMS messages. Questions arose concerning whether this violated federal wiretap laws, and Carrier IQ allegedly threatened Eckhart for exposing information. Eckhart and others created some demonstration videos showing users how to disable Carrier IQ. Sprint even pulled Carrier IQ software from its devices.

Carrier IQ claims that the information Eckhart found wasn't really the company's fault; the mistake was in how the operators were deploying the tool. Since then, the company has issued a white paper, detailing how its technology works, and it has detailed the data it collects, in addition to allowing third-party inspection of its software and data, according to Coward.

In a way, then, it makes sense that Carrier IQ is trying to extend its tools to consumers--as if to say, we have nothing to hide, and in fact we're here to help. Carrier IQ announced a consumer dashboard of data, but it's really an API that allows mobile operators to create ways to expose the data to customers; a way to extend the carrier platform, IQ Care, to their customers.

Coward said that it would be in the interest of these mobile operators, simply because it could help lower support costs, especially as customers now call their provider for help in solving phone issues, not just network problems. For example, about half of the phones that customers return to mobile operators have nothing wrong with them, and the process of having phones returned, troubleshooting the problems, and issuing new phones can be costly.

"The cost of support is so astronomically high that [the mobile operators] want customers to self help," Coward said. The operators want to "provide enough information such that consumers don't have to call them."

The Carrier IQ tool collects a huge volume of data, but its magic, Coward said, is in analyzing the data, which is where the company spends most of its resources. Every piece of data gets a traffic-light-style rating (red, green, yellow) for every aspect of performance--voice experience, data experience, battery life, application failure, all from the device point of view. If there's a battery life issue, the software can be used to determine whether the cause is really the battery or an application that is draining it. All of this information is fairly simple to dive into and understand.

Another important aspect of the software is what Coward called a "dynamic normal." That is, all data is viewed through the lens of what's normal, or what's happening to others (within a network, with similar hardware, and so on). That version of normal changes over time, but a specific user's performance is compared back to this "dynamic normal."

While all of this seems especially enticing, and Carrier IQ should be applauded for being willing to expose its data, it will be up to the operators to make that happen, and doing so could be a double-edged sword. Forget whether users will really use such a tool (which is questionable), but imagine if the operator is experiencing dramatic delays or dropped calls and that information is getting exposed to the consumer … they'll have plenty to answer for.

Which is, perhaps, as it should be.

Comments
llocat333,
User Rank: Apprentice
3/2/2012 | 7:30:05 PM
re: Carrier IQ Fights Back With Consumer Dashboard
There are quite enough government agencies "tracking" cell phones. The "data" these people are 'collecting' belongs to the cell phone user.....Awwww, don't give me that crap about names are not used in the reporting to the carriers, because I don't even want them collecting such information, bbb-u-t, it's their pipe and they have "legal" requirements to collect such data for "law enforcement".

Why anyone thinks this company has a platform worth money is ridiculous. As was mentioned in the article, the carriers already have the ability to perform this work (without the expense and exposure to their customers of 'another' third party).

-2- THUMBS DOWN!