Carrier IQ Vs. Wiretap Laws

Network diagnostic software maker Carrier IQ feels the heat after a researcher's video demonstrates how software captured his every keystroke. But is that illegal?

Diagnostic tools running on over 141 million handsets appear to record every keystroke made on the device. The software, which is made by Carrier IQ, is deployed by wireless carriers on their smartphones.

The ability of telecommunications carriers to assess the health of their network is enshrined in federal law, which even gives carriers the ability to listen in on phone calls to ensure that they go through. But what's less clear is this: Does a third-party service such as Carrier IQ, which provides diagnostic software hidden on smartphones, enjoy the same protections as telecommunications providers?

That's a relevant question since security researcher Trevor Eckhart released a video Monday detailing what he sees Carrier IQ software doing on his device--in this case, an HTC smartphone. In particular, he found that the Carrier IQ application saw all of the HTTP and HTTPS traffic from his browser, saw all phone numbers that he input before they were dialed, and also received the contents of all inbound and outbound SMS messages.

Based on that revelation, Carrier IQ may run afoul of federal wiretap regulations. "If the Carrier IQ/cellphone rootkit story is accurate, this is a clear, massive, felony wiretap. Not a close case," said Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, via Twitter. "Carrier IQ, prepare for a multi-million $ class action lawsuit. Maybe a criminal case too? Federal wiretapping is a 5-year felony," he tweeted.

"Even if they were collecting only anonymized usage metrics, it doesn't mean they didn't break the law," Ohm told Forbes.com. "Then it becomes a hard, open question. And hard open questions take hundreds of thousands of dollars to make go away."

Interestingly, Carrier IQ has issued multiple statements saying that its software doesn't track keystrokes. "Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices," it said in a statement issued Nov. 16. "Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools," it said.

Carrier IQ's statement came in response to Eckhart suggesting otherwise in a written report that he released in November, which said that Carrier IQ's software was recording his keystrokes. In response, Carrier IQ sent him a cease and desist letter threatening him with $150,000 in copyright violations for posting its publicly accessible training materials online, and requiring that he retract all of his research. After the Electronic Frontier Foundation came to Eckhart's defense, however, the software vendor backed off.

Despite Carrier IQ's statements, questions remain: exactly what is its software doing, and why? "Many people are clearly confused about this application and what it does, and it's being explained to nobody," said Eckhart, in a follow-up report on Carrier IQ that he released Wednesday, tied to his new video demonstrating how he sees the Carrier IQ software capturing data.

"What we don't know--until Carrier IQ and the carriers tell us--is how much of that information it transmits back to the carriers. Now, if it's not transmitting it, why would it collect it?" said attorney Mark Rasch, a former Department of Justice computer crime investigator and prosecutor who's now director of cybersecurity and privacy consulting at CSC. "The basic rule should be one of transparency, openness, and user control, and that's the first place where Carrier IQ or the providers fell down. People didn't know the stuff was there," he said.

In light of that, did Carrier IQ break federal wiretapping laws? Interestingly, while Ohm sees this as a clear case of federal wiretapping laws having been broken, Rasch offers a different assessment: "The answer to this, of course--like everything else with the law--is, it depends," he said.

Notably, the law recognizes that carriers must ensure that their infrastructure is working properly. "The law gives carriers a lot of leeway in capturing data traveling over their networks, for specifically this reason--quality control--going back to the days of copper wires. So the wiretap laws create exceptions," he said. "These are the guys in the phone booth with alligator clips checking line quality, call quality, making sure the call went through. Which even allows the phone company to listen in on a phone call to make sure it went through."

But on the other hand, while Carrier IQ is working for carriers, its software tool operates on handsets, which might make it an agent of the handset manufacturer. Furthermore, instead of capturing data as it's traveling over their network, it sees the data before it even gets transmitted.

That might put Carrier IQ's activities into a legal gray area, or it may be protected under existing statutes. "There's no case law on this," said Rasch, who calls the related legal questions "clearly ambiguous," based on his reading of the relevant federal statutes. As a result, "this is one that's more likely to be decided in the court of public opinion than it is in a U.S. district court," he said.

Comments
Psyanomaly,
User Rank: Apprentice
12/1/2011 | 6:27:59 PM
re: Carrier IQ Vs. Wiretap Laws
Just a thought.... I wonder if the data collected, in its transmission, is also counting against the user's data plan.
skyhawk83,
User Rank: Apprentice
12/1/2011 | 6:47:13 PM
re: Carrier IQ Vs. Wiretap Laws
Well...I guess the hackers are going to have fun with this one.
KPICKERING000,
User Rank: Apprentice
12/1/2011 | 6:51:29 PM
re: Carrier IQ Vs. Wiretap Laws
It's worth noting that Eckhart discovered that CarrierIQ tracks and captures data travelling over Wi-Fi, i.e., data not part of any carrier network. It even captures data when the phone isn't connected to any network at all. If that's not a violation of the law, then the law is written too narrowly.
nightmage80,
User Rank: Apprentice
12/1/2011 | 7:04:42 PM
re: Carrier IQ Vs. Wiretap Laws
Also... why is the phone company allowed to spy on us? Does the wiretapping law really extend to data usage as well or is that just implied and untested?
fredaevans,
User Rank: Apprentice
12/1/2011 | 7:21:41 PM
re: Carrier IQ Vs. Wiretap Laws
I'm not too sure if there really is any violation of 'wire tapping' here. This system operates off of cell phones and the like (millions in use at any given time). Once you hit 'send' on a cell phone it becomes a 'radio transmitter' to a cell phone tower (then into a land line?). There was a big stink years back as you could easily build a set that would intercept any call being made in close proximity. Also (as I understand same) the 'wire tap' laws for land lines vs cell phone numbers are not the same; in one case a specific phone number. The other 'any number' an individual may use.

One way or the other this will get interesting.
fae
DHOOVER079,
User Rank: Apprentice
12/1/2011 | 7:27:07 PM
re: Carrier IQ Vs. Wiretap Laws
if
fredaevans,
User Rank: Apprentice
12/1/2011 | 7:28:03 PM
re: Carrier IQ Vs. Wiretap Laws
True to a degree. If you have your phone turned on the nearest cell phone tower is tracking its location. It's not so much that it's 'gathering' information, but knowing where you are for incoming calls.
Freedom Fighter,
User Rank: Apprentice
12/1/2011 | 7:31:01 PM
re: Carrier IQ Vs. Wiretap Laws
"The law gives carriers a lot of leeway in capturing data traveling over their networks, for specifically this reason--quality control--going back to the days of copper wires. So the wiretap laws create exceptions," he said.

But what their software is doing is recording my keystrokes in my phone that may or may not be sent over their network, then covertly sending it to them... even over Wi-Fi connections that are NOT THEIR NETWORK. They are recording my notepad entries, calendar entries, grocery lists.

Paint it grey if you wish, but it is still black and white.
oink444,
User Rank: Apprentice
12/1/2011 | 7:53:54 PM
re: Carrier IQ Vs. Wiretap Laws
While privacy is a huge issue in this case, so is data billing. We the customers are paying them to transfer your stuff, which is making our bills higher. I want to know how often and how much data is being transferred, and be refunded back since the very start of this spy ring that everyone in the cell business knew of. This has nothing to do with testing the network; a person's keystroke, text message and passwords don't help them build a better network, it's all bull. Class action suit, sign me up.
dgilmore14601,
User Rank: Apprentice
12/1/2011 | 8:26:42 PM
re: Carrier IQ Vs. Wiretap Laws
As data (in this case voice data via a cellular phone) traverses the network from point A to B, a myriad of carriers' networks are touched. This is the world we live in. The concept of "privacy" exists only between the ears and I'm not so sure about that with the last developments in MRI technology. As long as we leverage the concept of static legal rights into dynamic technologies we will continue to "disappoint" someone.