Analysis of Carrier IQ Software

Log Pile by Lars Hammer on Flickr http://flic.kr/p/a4XR3b

There has been some confusion and multiple conflicting statements about the Carrier IQ issues that were highlighted in Trevor Eckhart’s initial video some weeks ago.  I will attempt to clarify some of that confusion and show that, despite statements to the contrary, there is capture and transmission of sensitive information to third parties resulting from misconfigured Carrier IQ software.

Initially, many had interpreted Trevor’s demonstration to indicate that Carrier IQ software was collecting keystrokes, SMS message content, and browser history on consumer devices (i.e., as a ‘keylogger’). This was only partially true. Carrier IQ has confirmed their software can collect certain types of information on behalf of carriers, including location, application usage, statistical information about numerical (phone) keypresses, and HTTP/HTTPS browsing activity (even when on a home WiFi connection and not using the carrier’s network). The company denied responsibility for some of the other types of information collection that were demonstrated (specifically capture of SMS content and individual keypresses in the numerical phone dialer).  There have also been claims that the FBI uses some aspect of Carrier IQ technology as well.

The source of the confusion appears to be that particular versions of the Carrier IQ software released by OEM/carriers seem to be configured to output privileged information (including the contents of SMS messages, HTTPS URLs, location, and numerical (phone) keypresses) to the system logs. This outcome leads to inadvertent disclosure of sensitive information to third parties, which can constitute a privacy breach.

Note that much of the analysis below is focused on the accidental information leakage resulting from ‘over logging’ by the Carrier IQ installation specific to the OEM/carrier (in this case HTC/Sprint). For a more detailed analysis of the native capabilities of the Carrier IQ software stack, see Dan Rosenberg’s writeup or this summary.

What does the original video show?

The debug messages shown in Trevor’s initial video constitute information passed from the HTC EVO 3D handset to a ‘wrapper layer’ developed by the handset maker, which generates the log messages on the device. This abstraction layer, likely developed by HTC/Sprint, subsequently passes information to the underlying Carrier IQ software that resides on the handset and collects/transmits a subset of this information to the carrier (in this case Sprint). Carrier IQ has issued a statement outlining what information their software is intentionally able to capture and transmit on behalf of the carrier but hasn’t addressed specifics about this ‘wrapper layer’.

What is the problem with (over) logging?

There are three problems resulting from the HTC/Sprint implementation of Carrier IQ.

First, by (over)logging the full content of messages, numerical (phone) keypresses, and location information to the system logs on the handset, the ‘wrapper layer’ exposes what would be privileged information such as a user’s location, browsing history, and SMS message content to applications on the device that would otherwise not have access to this information (i.e., do not have ACCESS_LOCATION, READ_HISTORY_BOOKMARKS, or READ_SMS app permissions). HTTPS browsing history is particularly sensitive since it allows malicious apps to potentially hijack a user’s secure login to an otherwise secure service. Trevor has developed a ‘proof of concept’ app that demonstrates this leakage here <link>.

Second, often system logs are used to troubleshoot Android application and operating system crashes.  Specifically, in the event of an app or operating system crash, a certain amount of ‘context’ in the form of debug logs is saved to the file system and subsequently transmitted to Google and/or HTC.  In our tests, we were able to document the transmission of sensitive information, such as text message bodies, HTTPS URLs, numerical entries, and user location, to Google as the result of an OS crash (shown below).  We didn’t have time to capture transmission of these logfiles to HTC (i.e. via the ‘Tell HTC’ crash reporter) but my understanding is this type of reporting may also occur.

Take away

While the intent of this post is to clarify some of the confusion / misinformation surrounding Carrier IQ, it is also a good opportunity to comment on broader concerns highlighted by this recent issue.

Specifically, by pre-loading misconfigured ‘carrier analytics’ software on their devices, Sprint/HTC has inadvertently exposed nearly 1.5M customers to privacy risks, however minor.  Standard audit procedures should typically capture misconfigured debugger settings or data leakage, an issue that has been pretty well documented in the app developer community.

Additionally, the use of dynamically configurable analytics software such as Carrier IQ itself raises some questions about what information should legitimately be collected by carriers.  For example, while your carrier has access to location (via cell towers) and non-HTTPS browsing history on account of providing you wireless service, they typically do not receive this information when you’re using your home WiFi.  Furthermore, in no case would they normally get access to secure HTTPS browsing activity and precise GPS location.  If the Carrier IQ software provides carriers access to users’ browsing history and location when they are not using a carrier’s ‘Service’ (i.e., when using home WiFi), then Sprint’s privacy policy should be updated to reflect this:

Information we collect when we provide you with Services includes when your wireless device is turned on, how your device is functioning, device signal strength, where it is located, what device you are using, what you have purchased with your device, how you are using it, and what sites you visit.

Finally, the collection and storage of full HTTPS URLs and SMS content on the device may be problematic for device owners wishing to protect sensitive information on their device. Seizure or unauthorized access to the device may lead to inadvertent disclosure of past messages or secure browsing activity since it is recorded in multiple locations without users’ knowledge or ability to delete.

Some debug log samples below (captured via logcat and the mobilescope toolkit):

# RECEIVED TEXT ‘Supercalifragilisticexpialidocious test 4’
V/AgentService_J(  412): Action[963]:com.htc.android.iqagent.action.smsnotify
V/AgentService_J(  412): get SMS
V/AgentService_J(  412): 37
V/AgentService_J(  412): +checkSMS:-1
V/AgentService_J(  412): +checkSMS  BODY >>:737570657263616C6966726167696C697374696365787069616C69646F63696F757320746573742034
I/HTC_SUBMITTER_C(  412): (0)checkSMS:supercalifragilisticexpialidocious test 4DT,41
V/AgentService_J(  412): -checkSMS:0
# DIALING 911 VIA PHONE APP:
V/AgentService_J(  412): Action[976]:com.htc.android.iqagent.action.ui01
I/HTC_SUBMITTER_C(  412): actionUI01:57,0
I/HTC_SUBMITTER_C(  412): (0) convert01:57,0
V/AgentService_J(  412): (0)wKeyCode: 57, ucKeyEvent: 0
V/AgentService_J(  412): Action[977]:com.htc.android.iqagent.action.ui01
I/HTC_SUBMITTER_C(  412): actionUI01:57,1
I/HTC_SUBMITTER_C(  412): (0) convert01:57,1
V/AgentService_J(  412): (0)wKeyCode: 57, ucKeyEvent: 1
V/AgentService_J(  412): Action[978]:com.htc.android.iqagent.action.ui01
I/HTC_SUBMITTER_C(  412): actionUI01:49,0
I/HTC_SUBMITTER_C(  412): (0) convert01:49,0
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 0
V/AgentService_J(  412): Action[979]:com.htc.android.iqagent.action.ui01
I/HTC_SUBMITTER_C(  412): actionUI01:49,1
I/HTC_SUBMITTER_C(  412): (0) convert01:49,1
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 1
V/AgentService_J(  412): Action[980]:com.htc.android.iqagent.action.ui01
I/HTC_SUBMITTER_C(  412): actionUI01:49,0
I/HTC_SUBMITTER_C(  412): (0) convert01:49,0
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 0
V/AgentService_J(  412): Action[981]:com.htc.android.iqagent.action.ui01
I/HTC_SUBMITTER_C(  412): actionUI01:49,1
I/HTC_SUBMITTER_C(  412): (0) convert01:49,1
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 1
# GOOGLE SEARCH FOR NEARBY COFFEE SHOP (NOTE: HTTPS TRAFFIC)
V/AgentService_J(  412): Action[1018]:com.htc.android.iqagent.action.al34
I/HTC_SUBMITTER_C(  412): (0) submitAL34:278145563,https://www.google.com/m/places#ipd:mode=search&q=Coffee&icon=1&source=mlpp
V/AgentService_J(  412): (0)dwPageID:1323128072731,szURL:https://www.google.com/m/places#ipd:mode=search&q=Coffee&icon=1&source=mlpp
# LOCATION INFORMATION (INTENTIONALLY OBSCURED)
V/AgentService_J(  412): (0)lc30_TStamp_lo:2140856428,lc30_TStamp_hi:234,lc30_Latitude:39020369,lc30_Longitude:-77036107,lc30_Accuracy:60,lc30_ResultsValid:113,lc30_Method:0
# TRANSMISSION TO GOOGLE (VIA CRASH-REPORTER ‘feedback’)
flow to google.com (74.125.224.146):443 – DATA: ‘POST /tools/feedback/android/__submit HTTP/1.1\r\nContent-encoding: gzip\r\nContent-Length: 62932\r\nContent-Type: application/x-protobuf\r\nHost: http://www.google.com\r\nConnection: Keep-Alive\r\nUser-Agent: AndroidGoogleFeedback/1.0 (shooter GRJ22)\r\n\r\n’
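
The audit that the ‘Take away’ section says should catch this kind of leakage can be a pattern scan over a captured logcat dump before a build ships. The following is an added example, not code from the original post or from HTC/Carrier IQ; it runs over lines copied from the samples above and assumes that wKeyCode values are ASCII codes and that ucKeyEvent 0 marks a key-down, which is consistent with the 911 sample.

```python
import re

# Constructed input: lines copied from the log samples in this post.
SAMPLE_LOG = """\
V/AgentService_J(  412): +checkSMS  BODY >>:737570657263616C6966726167696C697374696365787069616C69646F63696F757320746573742034
V/AgentService_J(  412): -checkSMS:0
V/AgentService_J(  412): (0)wKeyCode: 57, ucKeyEvent: 0
V/AgentService_J(  412): (0)wKeyCode: 57, ucKeyEvent: 1
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 0
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 1
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 0
V/AgentService_J(  412): (0)wKeyCode: 49, ucKeyEvent: 1
V/AgentService_J(  412): (0)dwPageID:1323128072731,szURL:https://www.google.com/m/places#ipd:mode=search&q=Coffee&icon=1&source=mlpp
V/AgentService_J(  412): (0)lc30_TStamp_lo:2140856428,lc30_TStamp_hi:234,lc30_Latitude:39020369,lc30_Longitude:-77036107,lc30_Accuracy:60,lc30_ResultsValid:113,lc30_Method:0
"""

# (category, pattern, decoder applied to the captured groups).
# Assumption: wKeyCode is an ASCII code and ucKeyEvent 0 is the key-down event.
RULES = [
    ("sms_body", re.compile(r"checkSMS\s+BODY >>:([0-9A-Fa-f]+)"),
     # Drop a trailing odd nibble in case the log line was truncated.
     lambda h: bytes.fromhex(h[: len(h) // 2 * 2]).decode("utf-8", "replace")),
    ("keypress", re.compile(r"wKeyCode: (\d+), ucKeyEvent: 0\b"), lambda c: chr(int(c))),
    ("https_url", re.compile(r"szURL:(https://\S+)"), str),
    ("location", re.compile(r"lc30_Latitude:(-?\d+),lc30_Longitude:(-?\d+)"),
     lambda lat, lon: f"{lat},{lon}"),
]

def audit_log(text):
    """Return {category: [recovered values]} for log lines that expose user data."""
    leaks = {}
    for line in text.splitlines():
        for category, pattern, decode in RULES:
            m = pattern.search(line)
            if m:
                leaks.setdefault(category, []).append(decode(*m.groups()))
    # Consecutive key-down events form the dialed number; report it as one string.
    if "keypress" in leaks:
        leaks["keypress"] = ["".join(leaks["keypress"])]
    return leaks

if __name__ == "__main__":
    for category, values in audit_log(SAMPLE_LOG).items():
        print(f"LEAK {category}: {values}")
```

Any non-empty result means the build writes permission-protected data to a log that other apps and crash reporters can read, and the build should fail the audit.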

Further Reading

Some Facts About Carrier IQ Electronic Frontier Foundation December 13, 2011

Related Press

Feds scrutinizing Carrier IQ CNET, December 14, 2011
Carrier IQ faces federal probe into allegations software tracks cellphone data Washington Post, December 14, 2011
Franken focuses in on data privacy as technology takes off Minnesota Post, December 15, 2011
Smartphone apps dial up privacy worries LA Times, January 16, 2012
