When people start quoting Senator Al Franken as a computer security expert, you know something odd is going on. I thought Franken was a good comedian and if I lived in Minnesota I’d probably vote for him. But giving him kudos for his knowledge of mobile phones and rootkits — not so much.
What brings this to mind, of course, is the sound and fury over Carrier IQ, whose cell phone code has been accused of being spyware that’s deeply rooted on Android and Apple’s iOS smartphones. Panicked by scary blog posts and conditioned to think that a vicious hacker or CIA spook lurks behind every table in Starbucks, users are flipping out. But they don’t need to. My advice: Chill out.
It’s far from clear that Carrier IQ’s code — Apple, AT&T, Sprint, HTC, Samsung and T-Mobile have said some of their phones use the software — actually works as a key logger, the most serious charge leveled at the company. (Key loggers record and transmit keystrokes on a phone or other device for use, usually illegal, by someone else.) In fact, there’s real reason to doubt the threat, and the company has strongly denied that it’s true.
What’s more, a number of security experts with no ties to Carrier IQ have come forward to debunk the scare stories. One of them is Dan Rosenberg, a well-known security expert who works for Virtual Security Research in the Boston area. He reverse-engineered the code on several Android phones, and saw no evidence of a threat. “Everyone is concerned that it is logging keystrokes. But the application is not doing that,” he told me when I reached him at his office.
If you’ve followed the news, you’re probably aware that Trevor Eckhart, a 25-year-old systems integrator in Connecticut, discovered what appeared to be a smoking gun. In a video that quickly went viral, he showed how the phone was apparently recording keystrokes. If true, that would be very disturbing.
But Rosenberg told me that Eckhart misunderstood what he saw. In fact, Carrier IQ only logs keystrokes that are part of a diagnostic sequence a help desk technician would ask a user to input. The keystrokes are transmitted to the application but aren’t recorded, and even if they were, they would contain no personal information, Rosenberg said.
Does Carrier IQ code send some information back to the carriers? It does. But according to Rosenberg, the information is diagnostic data carriers use to monitor and maintain their networks. For example, if your phone or its browser crashes, the software would probably tell the carrier where that happened (using GPS-type data) and what the device was doing that may have been related to the crash. It does not record, and is probably not even capable of recording, the body of a text message or an email.
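The distinction the two paragraphs above draw, between watching for one specific diagnostic dial code and recording everything a user types, and between reporting crash context and capturing message bodies, is easier to see in code. The block below is an added example written for this page; it is not Carrier IQ’s software, nor the code Rosenberg examined. The dial code, the report field names and the sample key events are constructed placeholders, and the matcher keeps only an integer match position so that ordinary typing leaves nothing behind to transmit.

```python
"""Added example, not Carrier IQ's code: a diagnostic-code matcher that
stores no keystrokes, plus an allow-listed crash report that cannot carry
message or email bodies. Code, field names and events are constructed."""

# Constructed placeholder support code; not a real carrier or vendor code.
DIAGNOSTIC_CODE = "*#*#4242#*#*"


def _build_failure(code):
    """Knuth-Morris-Pratt failure table so overlapping prefixes are handled."""
    fail = [0] * len(code)
    k = 0
    for i in range(1, len(code)):
        while k and code[i] != code[k]:
            k = fail[k - 1]
        if code[i] == code[k]:
            k += 1
        fail[i] = k
    return fail


class DiagnosticCodeMatcher:
    """Recognises DIAGNOSTIC_CODE in a stream of key events.

    The only state is `matched`, the number of code characters seen so far.
    No key value is ever stored, so there is no buffer of typed text.
    """

    def __init__(self, code=DIAGNOSTIC_CODE):
        self.code = code
        self.fail = _build_failure(code)
        self.matched = 0
        self.triggers = 0

    def feed(self, key):
        """Consume one key event; return True when the full code completes."""
        while self.matched and key != self.code[self.matched]:
            self.matched = self.fail[self.matched - 1]
        if key == self.code[self.matched]:
            self.matched += 1
        if self.matched == len(self.code):
            # Fall back to the longest reusable prefix rather than zero.
            self.matched = self.fail[self.matched - 1]
            self.triggers += 1
            return True
        return False


# Constructed allow-list of diagnostic fields a carrier report may carry.
REPORT_FIELDS = ("event", "app", "coarse_location", "signal_dbm", "battery_pct")


def build_crash_report(device_state):
    """Copy only allow-listed fields; anything else (sms_body, typed_text,
    email_body, ...) is dropped because it is content, not diagnostics."""
    return {k: device_state[k] for k in REPORT_FIELDS if k in device_state}


if __name__ == "__main__":
    m = DiagnosticCodeMatcher()
    typed = "hello *#*#4242#*#* world"  # constructed key event stream
    hits = [c for c in typed if m.feed(c)]
    print("code completions:", m.triggers, "residual state:", m.matched)
    print(build_crash_report({
        "event": "browser_crash",
        "coarse_location": "cell-1234",   # constructed, coarse, not GPS fix
        "sms_body": "meet at 6",          # content: must not appear
    }))
```

The KMP failure table matters because a partial code followed by the real code (for example `*#*#*#4242#*#*`) must still be recognised; a matcher that simply reset to zero on mismatch would miss it, and the test below checks that case.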
Yes, your phone tells carriers where you are. But that’s not unique to Carrier IQ’s software, and it is data that law enforcement officials can get with a warrant. In fact, they sometimes get it without a warrant.
Carrier IQ did something really stupid. It freaked out and tried to slap a restraining order on Eckhart. By reacting so badly, the company made it look like it had something to hide. Then somebody, probably a PR type, told the company to wise up, and Carrier IQ backed off and apologized. But the damage was done.
All you have to do is cruise a few Web sites and you’ll see headlines using words like creepy and scary, and heated accusations that Carrier IQ is guilty of wiretapping. Writers who took a more balanced view of the incident have been the target of insulting and incendiary comments.
I don’t care what the knuckleheads say. It’s my job, as the little blurb says, to give you well-informed guidance on what should and shouldn’t be on your tech radar. The Carrier IQ flap doesn’t need to be.