What's really going on with Carrier IQ on your phone

By , Network World |  Security, Carrier IQ, privacy

This is the second, distinct event, which is caused not by the Carrier IQ software, but by an "unrelated screwup by HTC," the phone's manufacturer, according to Rosenberg.

"HTC put debugging statements in their code, a common practice to help developers figure out what's going on while they're working on the phone," Rosenberg says. "These [HTC] debugging statements included code that outputs the bodies of incoming SMS messages. These printouts should have been disabled before shipping the phone, but for some reason that didn't happen."

"So seeing SMS [text] bodies in the [Eckhart] video actually has nothing to do with CIQ, and is an artifact of HTC failing to disable printouts that were intended for developers only," Rosenberg says.

"As others have pointed out, the phone [Eckhart] used in the 'expose' was operating in debug mode, not standard operating mode for the models shipped to users by carriers," Bace says. "He equated the appearance of data in his logs with export of that data to the network or, for that matter, with access to that data by others, even as he disabled the connectivity of the phone to the network. He presumed to understand the functionality of the CarrierIQ artifacts in the log without bothering to substantiate what they were doing with respect to writes-to-storage-devices, to system calls, etc."

"I'm distressed that amidst the furor, there's no acknowledgment that Eckhart isn't a cellular network expert," Bace continues. "To understand an endpoint device, especially one that is by definition under some central management control as a condition of connectivity, is only a part of understanding whether a threat or exposure exists."

HTC's failure to disable the display of the debug statements constitutes a legitimate potential security threat to user information. These are a "risk to privacy," Rosenberg says, and HTC should mitigate that risk by disabling these debugging messages. But it's not a risk created by the CIQ software or the data it is able to collect.

In his blog post, Rosenberg spells out what the deconstruction of the CIQ code shows about how the application actually works, based on the metrics enabled for his Samsung phone. It matches Bace's conclusions.

"Taking this information into account, all of the data that is potentially being collected supports Carrier IQ's claims that its data is used for diagnosing and fixing network, application, and hardware failures," Rosenberg concludes. "Every metric in the above table has potential benefits for improving the user experience on a cell phone network. If carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, knowledge of which applications consume the most battery life is essential."


Originally published on Network World.