Carrier IQ verbatim: Answers from company exec, researchers


It’s been a tumultuous few weeks for Carrier IQ, the Mountain View, Calif.-based start-up at the center of an Internet-wide privacy flap over what its software, which carriers place on mobile phones, actually does.

By now it seems abundantly clear that, contrary to early reports, Carrier IQ is not actually a “rootkit keylogger.”

But the company has not yet published technical details on how its software works–it says more will be forthcoming soon–so CNET readers and others have continued to raise questions. In addition, carriers can configure Carrier IQ to record and transmit the URLs of Web pages visited, a separate privacy concern from keylogging.

Below are some verbatim statements from Carrier IQ, security researchers, and other parties that might provide some answers. Also see CNET’s FAQ and related articles, including an analysis of the privacy concerns.


Andrew Coward, vice president of marketing, Carrier IQ

[On a CNN.com article quoting him saying he was "surprised" by data logging] “I believe my comments were misconstrued. I said that there is an Android system debug log in the phone (not related to CIQ) which generates log messages of what is happening in the handset and it was this information that the security consultants were able to view. FYI this debug log viewer is called logcat.”

[On being quoted in a Wired.com article as saying "probably yes" when asked whether Carrier IQ's software could read text messages: That was a misquote. It was in reference to the phone number associated with the SMS message, not the contents of the message.]

[On what carriers see] “They’re not going to see the contents. They’re not going to see what you type. They’re not going to see the contents of your SMS messages. They’re not going to see what’s on your screen.”

[On being able to record running apps, visited URLs] “That relates really to understanding what applications are on the handset and application usage. If you’re having problems with the applications, we’ll see all of that. Next to that in terms of sensitivity would be understanding what URLs your device is going to. We see that information too. Whether a service provider actually uses that information (is up to them).”

[On remotely changing phone settings] “That profile obviously gets changed dynamically. What they do and can do is step up activity. Let’s say they see a lot of dropped calls in one area. They might say, ‘I need to turn on another 10,000 phones… to step up the amount of information that’s coming in.’”

[On deciding not to disclose technical specifications] “We have competitors, potentially, and there’s a great hacking community out there as we’ve discovered. Source code published for everybody to see probably isn’t the best outcome for us.”

[On encrypting customer data] “When the information is transmitted, it’s encrypted. I don’t want to talk about what we do with the data on the device.”

[On real-time data collection] “If the consumer dials a special short code (during a support call), the handset will upload the latest diagnostic information.”

[On being theoretically able to record all keystrokes because the software is running with root access] “We know our (software) doesn’t do that. We strongly stand by that and hope to have evidence as soon as possible.”

Becky Bace, security expert given access to Carrier IQ’s systems

[On what Carrier IQ does] “Though I’ve not had time to do a deep dive into code, I’ve reviewed the system design (with focus on the monitoring pieces in particular) and asked some pretty damned hard questions of the technical principals about the particulars regarding the monitoring/data capture and forwarding mechanisms – I’m comfortable that the designers and implementers expended a great deal of discipline in focusing on the espoused goals of the software (i.e. to serve as a diagnostic aid for assuring quality of service/experience for mobile carriers.)…”

[On financial ties] “I’ve no financial relationship with the company — it falls outside the information security and risk management functions that have defined my investment activities of the past. I have known the CEO of the company for awhile (our paths originally crossed when he was a CEO of one of the firms in which Trident invested a decade ago) but again, there has been no financial relationship between us and when he called me for advice, the situation ticked me off seriously enough that I volunteered to help.”

Dan Rosenberg, security researcher, UNIX kernel hacker

“Based on my own research on CarrierIQ, the application does not record and transmit keystroke data back to carriers. The video depicts keystroke events being recorded to a temporary buffer that is not written to disk or sent back to carriers. These keystrokes are inspected in order to check for special sequences used for technical support, and have nothing to do with the information that’s being gathered by the application.”

“In terms of how I conducted my research, I extracted the application off of several Android devices that use it, and analyzed the assembly code using a disassembler to see how it works under the hood…”

[On releasing the results of his work] “Redistributing the reverse-engineered internals of commercial code for purposes other than interoperability would most likely be a DMCA violation. Plus, it’s not especially interesting for the purposes of this discussion, since the most important thing isn’t the code that’s there but the code that isn’t there (namely, there’s no code that records keystrokes).”

Jon Oberheide, co-founder of Duo Security, exploit writer, code auditor

“I definitely wouldn’t use the term keylogger to refer to Carrier IQ. It processes some input events (hardware buttons, etc), but it doesn’t meet the functionality and intent of a keylogger…

“I agree with Carrier IQ’s statement that it’s really the carrier’s policy on collecting URLs and other data. There’s certainly privacy concerns and sensitive data that could be leaked through the URLs. Carrier IQ seems to be receiving the blame in this scenario, while it’s really the carriers that should be answering the questions and claims here (which they’ve started to)…

“Most malware will just root your phone and have full access to all your data regardless. Funny how people freak out about Carrier IQ, when malware can do the same thing but easier, more stealthily, and with obviously malicious intent. :-)”

Sprint’s statement

“Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint.”

Apple’s statement

“We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”

CNET’s Elinor Mills contributed to this report
