Wednesday, November 30, 2011

Getting a little tired of 'security researcher' bluster

There's been a flap recently about a company called CarrierIQ because of claims made by a 'security researcher' about the software. The software is installed on millions of smartphones around the world and (the company says) is used by carriers to look at network and phone performance by tracking usage.

Two articles have appeared based on this researcher's work. has Security researcher responds to CarrierIQ with video proof and Wired has Researcher’s Video Shows Secret Software on Millions of Phones Logging Everything.

Now, I'll admit that I find it worrying that my smartphone might be logging information about what I'm doing and sending it to some third party, and both articles make a very scary claim:
Wired: From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret. This video has demonstrated a truly significant volume of information is being recorded. Passwords over HTTPS, the contents of your text messages, and plenty more are recorded and sent to the customers of CarrierIQ.
That would be worrying if true, but if you watch the 'security researcher's' video you'll find that nowhere does he make the claim that content that the application sees is leaving the device. And from the video he doesn't appear to try. At no point does he enter a debugger and look inside the CarrierIQ application, and at no point does he run a network sniffer and look at what data is being transmitted to CarrierIQ.

And I don't understand why. It would be a huge story if millions of smartphones worldwide were secretly sending the content of text messages to a US-based company. But that's not the story here because the 'security researcher' does not appear to have tried to find out.

The story as told by the 'researcher' is that the CarrierIQ application gets called when keys are pressed, when text messages are received and when the web is browsed. What isn't delved into is what the application does with the information. Without that it's not possible to tell if there's something really scary going on or not. (I've not discussed the privacy policy implications here as I think that's a separate, non-technical issue).

And here's where I have a problem with 'security researchers'. The story here is a little too sensational, and the researcher really needs to dig deep to get to the truth. We've seen this before with sensational claims, made by a 'security researcher', that Samsung was installing keyloggers on all their laptops. It turned out to be rubbish.

I'd really like to see some real research into what the CarrierIQ application is doing with the information it is seeing; otherwise these claims about all my keystrokes being sent to some third-party company are just claims without any substance to back them up.

To quote Carl Sagan: "Extraordinary claims require extraordinary evidence". Let's see the evidence.


-j said...

This entire thing is a problem of irresponsibility. From what I can see, the CarrierIQ thing would be about the most awesome tool for actual software development and management in the real world. I can completely see this as a useful tool.

I think that the problem is simply the lack of notice. You cannot argue that software which silently collects imperial loads of data on your phone is "bluster". If it weren't a potentially huge issue, then you would get clear concise notice, explanation and some sort of waiver to permit the software to be used. You would get a privacy statement and some commitment from the companies involved.

They are making no guarantees, and the law is on their side once they have all of this information. Sell it to anyone, at any time. They can legally sell this to any Federal Agency as well. By this means any governmental department can monitor you and keep your hands clean.

Calling this "security bluster" is a misnomer. You aren't giving any credit to honest business practices.

Unknown said...

So... key logging software - which even logs otherwise encrypted data - installed without the end user's knowledge and consent is much ado about nothing? CarrierIQ's business model is all about collecting data for the carriers' consumption. Are we to simply trust that they send only a subset of the data they collect? Is it really an extraordinary claim that this information would be sent to the carrier (even though such transmission isn't demonstrated)? I don't think so. Why would this data be collected if not for such use?