Dark Reading is part of the Informa Tech Division of Informa PLC


3/1/2012
11:04 AM
Fritz Nelson
Commentary

Carrier IQ Fights Back With Consumer Dashboard

Carrier IQ, attacked last year for monitoring cell phone user data, says it can help consumers gauge wireless phone performance--if carriers implement the app.

[Image: Carrier IQ Dashboard]

Carrier IQ, the infamous company whose tracking software was derided as a rootkit capable of exposing user action and data, is back in the news. But this time it is proposing to give consumers their own data through a consumer dashboard, the company announced at Mobile World Congress this week in Barcelona.

Carrier IQ was once just an obscure company, working behind the scenes, its software installed on some 140 million phones and capable of tracking phone usage, mostly to provide mobile carriers with data critical to the operation of their networks. The software can detect dropped calls, signal strength, network utilization, and phone performance, as well as things like battery life and application performance--basically how the devices were performing on the network, and the gap between consumer perception and carrier perception.

The software was used by Sprint and AT&T, across multiple device types, and is now also used by T-Mobile and Cricket, said Andrew Coward, Carrier IQ's VP of Marketing and Product Management. While it might seem as if the carriers already have access to their network performance, they don't necessarily have it from the device's point of view. In fact, customer care agents, when helping customers, need to see what the user sees (for example, where the user was when a call was dropped). Naturally all of this data became important to the handset manufacturers as well, creating an entire ecosystem of parties interested in this data.

But then along came security researcher Trevor Eckhart's discoveries about how that data was being exposed, and the potential for privacy abuse. Specifically Eckhart saw that Carrier IQ's software was tracking all of the HTTP and HTTPS traffic from his HTC phone, in addition to phone numbers and the contents of incoming and outgoing SMS messages. Questions arose concerning whether this violated federal wiretap laws, and Carrier IQ allegedly threatened Eckhart for exposing information. Eckhart and others created some demonstration videos showing users how to disable Carrier IQ. Sprint even pulled Carrier IQ software from its devices.

Carrier IQ claims that the information Eckhart found wasn't really the company's fault; the mistake was in how the operators were deploying the tool. Since then, the company has issued a white paper, detailing how its technology works, and it has detailed the data it collects, in addition to allowing third-party inspection of its software and data, according to Coward.

In a way, then, it makes sense that Carrier IQ is trying to extend its tools to consumers--as if to say, we have nothing to hide, and in fact we're here to help. Carrier IQ announced a consumer dashboard of data, but it's really an API that allows mobile operators to create ways to expose the data to customers; a way to extend the carrier platform, IQ Care, to their customers.

Coward said that it would be in the interest of these mobile operators, simply because it could help lower support costs, especially as customers now call their provider for help in solving phone issues, not just network problems. For example, about half of the phones that customers return to mobile operators have nothing wrong with them, and the process of having phones returned, troubleshooting the problems, and issuing new phones can be costly.

"The cost of support is so astronomically high that [the mobile operators] want customers to self help," Coward said. The operators want to "provide enough information such that consumers don't have to call them."

The Carrier IQ tool collects a huge volume of data, but its magic, Coward said, is in analyzing the data, which is where the company spends most of its resources. Every piece of data gets a traffic light-like rating (red, green, yellow) for every aspect of performance--voice experience, data experience, battery life, application failure, all from the device point of view. If there's a battery life issue, the software can be used to determine if it's really the battery life or it's really an application that is draining the battery. All of this information is fairly simple to dive into and understand.

Another important aspect of the software is what Coward called a "dynamic normal." That is, all data is viewed through the lens of what's normal, or what's happening to others (within a network, with similar hardware, and so on). That version of normal changes over time, but the specific users' performance is compared back to this "dynamic normal."

While all of this seems especially enticing, and Carrier IQ should be applauded for being willing to expose its data, it will be up to the operators to make that happen, and doing so could be a double-edged sword. Forget whether users will really use such a tool (which is questionable), but imagine if the operator is experiencing dramatic delays or dropped calls and that information is getting exposed to the consumer … they'll have plenty to answer for.

Which is, perhaps, as it should be.

Comments
llocat333,
User Rank: Apprentice
3/2/2012 | 7:30:05 PM
re: Carrier IQ Fights Back With Consumer Dashboard
There are quite enough government agencies "tracking" cell phones. The "data" these people are 'collecting' belongs to the cell phone user.....Awwww, don't give me that crap about names are not used in the reporting to the carriers, because I don't even want them collecting such information, bbb-u-t, it's their pipe and they have "legal" requirements to collect such data for "law enforcement".

Why anyone thinks this company has a platform worth money is ridiculous. As was mentioned in the article; the carriers already have the ability to perform this work (without the expense and exposure to their customers of 'another' third party).

-2- THUMBS DOWN!