Feeds

Does your smartphone run Carrier IQ? Find out here

Apple, AT&T, Sprint confirm; Nokia, RIM, Verizon deny

3 Big data security analytics techniques

The roster of confirmed smartphone manufacturers and network providers using the controversial Carrier IQ tracking software has grown to include Apple, AT&T, Sprint, HTC, and Samsung. Verizon, Nokia, and Research in Motion, meanwhile, have denied reports saying they employ it.

In a statement that was widely reported on Thursday, Apple confirmed that some undisclosed products use the software, which an independent researcher has documented secretly monitors users' key presses even when they're entered into webpages protected by the SSL protocol.

Apple didn't say which devices still use the diagnostic software or how long the company has relied on it. But according to a report published on Thursday by Ars Technica, the only iOS 5 device that runs Carrier IQ is the iPhone 4. "Other devices running iOS 5, such as the iPad, the new iPhone 4S, and older iPhone models updated to iOS 5 have had Carrier IQ stripped out," the report said, citing Apple.

The Apple statement, as reported by AllThingsD read:

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

Apple's admission, which leaves open the possibility that earlier iDevices still contain Carrier IQ, contrasted with blanket denials from Verizon, Nokia, and Research in Motion, all of which were named by Trevor Eckhart as providing devices that had the software installed.

“The reports we have seen about Verizon using Carrier IQ are false,” Verizon spokeswoman Debi Lewis wrote in an email to The Register.

In his own email, Nokia spokesman Mark Durrant wrote: “Further to your piece, CarrierIQ does not ship products for any Nokia devices, so reports that they have been found on Nokia phones are wrong.”

A statement from RIM, reported by IDG News, was even more categorical.

"RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution," the company said in a statement. "RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app.”

The denials contradicted research findings Eckhart published last month that claimed phones made or used by all three companies contained the tracking software. In an interview on Thursday, Eckhart conceded he had no hard proof. But he stood by the assertions that Verizon and Nokia had ties to Carrier IQ and cited links on Carrier IQ's website as support.

Eckhart said pages here and here both include executable files that install Carrier IQ on a variety of Nokia handsets. He also dug up this page, which appears to show IP address lookups for the subdomains vzw-collector.demo.carrieriq.com, vzw-dis.demo.carrieriq.com and hupload-vzw99.carrieriq.com. None of the three URLs responded to pings at time of writing.

A statement from Sprint, meanwhile, said:

Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can determine when issues are occurring and how to resolve them. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint.

A key element of our privacy practices involves communicating with our customers about our information privacy practices. The Sprint privacy policy explains that certain data is collected automatically by Sprint including how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance.

An AT&T spokesman, meanwhile, said only: “In line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance.”

Both HTC and Samsung, according to IDG, said they add Carrier IQ to their phones as required by unnamed carriers who buy the devices. An HTC statement went on to say that HTC isn't a Carrier IQ customer and receives no data from the app.

With a chorus of companies coming out of the wings to confirm or deny their use of the software, Carrier IQ's reticence is becoming deafening. If the software is really as innocuous as Android security researcher Dan Rosenberg suspects, it should be relatively simply for the Mountain View, California-based company to provide documentation that will put the matter to rest.

Instead, Carrier IQ representatives have have maintained radio silence for more than a week now. ®

This article was updated to add details in the third paragraph about the iPhone 4.

Follow dangoodin001

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.