Embedded by the phone maker with the operating system, at the behest of the carrier, the Carrier IQ program can receive from the OS specific measurements and changes in state on the device, and in some cases location data. Running a carrier-specific "profile" that identifies the subset of metrics the carrier wants, Carrier IQ then sends those metrics, as encoded data over SSL, to the server for analysis.
As such, Carrier IQ is not an after-market application but a "systems internal," according to Bace, meaning it is part of the hardware-firmware-OS configuration specified by a cell carrier when it agrees to accept a specific phone on its network. "This is not unusual in complex system environments," she says in an email. "They're analogous to firms who develop and brand specific mechanisms for operating systems, such as...log mechanisms, debuggers, drivers for specific hardware components, etc. and whose products are fielded as integral parts of those systems.
"I'm accustomed to being a professional skeptic, but so far everything I've seen is consistent with the assertions made by the [CIQ] engineering and development team -- they provide only that status information pursuant to diagnosing issues with the cellphone, and furthermore take pains to limit access to that information to the carriers controlling the solution," Bace says.
Rosenberg is vulnerability research practice lead for Virtual Security Research, a Boston consultancy. He is one of a number of skeptics who last week began voicing reservations about the original analysis by Eckhart, a systems administrator in Torrington, Conn.
The analysis included the YouTube video posted by Eckhart, which has been widely viewed and is usually cited, without further scrutiny, as "proof" that Carrier IQ is a "rootkit" that, among other things, enables the software vendor, the handset maker, and the carriers to read and record SMS messages, Web page content, passwords, and a potentially unlimited amount of sensitive, personal, or private user information.
Astonishingly, despite all the fulminations and outrage at online hacker forums, developer websites, and tech news sites, Rosenberg seems to be the only person who has attempted to disassemble the CIQ code and actually document how it works.