Carrier IQ spyware controversy highlights mobile app access missteps

Wednesday, December 7, 2011


Security experts say the Carrier IQ software, designed to stealthily transmit a wealth of smartphone usage data to wireless carriers and vendors, is a serious enterprise security threat and highlights the need for greater transparency about the data being collected.


Security researcher Trevor Eckhart recently discovered the Carrier IQ software on a variety of Android mobile devices; the software is also capable of running on other platforms, including those from BlackBerry and Nokia. The software, used by AT&T, Sprint and T-Mobile, is intended to provide metrics to mobile carriers, but it is not always optional; in many cases users don't know it is on their devices.

Eckhart said he found Carrier IQ running in the background on his HTC device, and that it appeared to be tracking nearly all interactions on his mobile phone, from monitoring key presses and browsing history to location data and SMS logs.

Experts warn that enterprises should educate device owners about the permissions they give to certain mobile applications. An unknown number of mobile applications collect potentially sensitive data because users are often too quick to grant elevated mobile app access privileges.

"Device owners are more likely to have problems from quickly installing applications that they don't know much about," said Cameron Camp, a research systems manager at San Diego-based antivirus vendor ESET LLC. "The problem here isn't that Carrier IQ or the mobile operators are doing evil things; they clearly haven't been fully transparent, and that's what people are taking issue with."

The goal of the software, according to Carrier IQ, is to help mobile operators improve service quality. In a statement, Carrier IQ said Eckhart's research doesn't show how the application processes the data and what data is transmitted from the device. Carrier IQ said its application captures only data specified by carriers according to their privacy standards and agreements with users. Other researchers have validated Carrier IQ's claims. Researcher Dan Rosenberg reverse-engineered the Carrier IQ software and found that it does not record SMS messages or keystrokes.

Eckhart's research shows the Carrier IQ software runs like a rootkit, stealthily sniffing data. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers. Experts said the discovery draws comparisons to the rootkit-based digital rights management (DRM) system installed in 2005 by Sony BMG Music Entertainment Inc. to prevent CD copying.

The discovery of the software has raised ire in the security community and among privacy advocates, who say both Carrier IQ and mobile carriers are failing to provide transparency into the data they collect. Author and security expert Bruce Schneier called Carrier IQ "spyware" and speculated that it is just one of multiple iterations of surveillance software in use by mobile platform providers.

Romania-based antivirus vendor BitDefender has issued an Android application designed to detect the Carrier IQ software. "Most users presume their devices are free from spyware and Trojans," said Catalin Cosoi, head of BitDefender's Online Threats Lab. The Carrier IQ software fails the transparency test, Cosoi said, and degrades trust.

"We have mobile analytics and applications for PCs to send statistics, but this should be only anonymous data and the user has to be informed that this information gets sent to service providers," Cosoi said. "There needs to be some kind of opt-out."

In some cases, poor coding practices result in an application that has too much access to device processes. Last year, two researchers demonstrated a variety of mobile application vulnerabilities and said the smartphone marketplaces have fostered a new wave of less-skilled developers who build applications as quickly as possible to gain as much visibility and profit as they can.

The kind of notifications given to users by mobile applications must be clear and should explain why an application needs to connect to a specific device resource, said Ahmed Datoo, vice president of marketing at Redwood City, Calif.-based mobile device management vendor Zenprise. Enterprises face legal risks if they fail to establish mobile device security and privacy policies, Datoo said.

Datoo said Zenprise uses a multiple-tier approach to notifying the user. For example, a pop-up notification informs the user when location data is used by the Zenprise application. The notification appears even if the user initially gave permission for the application to tap into the device's global positioning system. The data is used by the Zenprise application to set location-based security policies.
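The transparency properties the sources above describe (Cosoi: only anonymous data leaves the device, the user is informed, and there is an opt-out; Datoo: a permission prompt that states its purpose, plus a notice on every later use of a sensitive resource such as location) can be modelled as a small consent gate in front of a telemetry pipeline. The following Python is an added example written for this article; it is not Carrier IQ's, Zenprise's or BitDefender's code, and every class, field and method name in it is an assumption made for the illustration.

```python
"""Consent-gated telemetry model (added example; names are illustrative assumptions)."""
from dataclasses import dataclass, field
import hashlib

# Content-bearing fields that a metrics agent has no business transmitting at all.
SENSITIVE_FIELDS = {"keystrokes", "sms_body", "url", "contacts"}


@dataclass
class ConsentState:
    granted: set = field(default_factory=set)  # resources the user has approved
    opted_out: bool = False                     # global opt-out switch


@dataclass
class TelemetryAgent:
    consent: ConsentState
    # Constructed salt for the example; a real agent would generate one per install.
    salt: bytes = b"per-install-salt"
    notifications: list = field(default_factory=list)  # user-facing notices, in order
    audit_log: list = field(default_factory=list)      # (outcome, resource, purpose)

    def request_permission(self, resource: str, purpose: str) -> None:
        """Tier 1: a one-time prompt that names the resource and why it is needed."""
        self.notifications.append(f"PERMISSION: {resource} requested for {purpose}")
        self.consent.granted.add(resource)

    def use_resource(self, resource: str, purpose: str) -> bool:
        """Tier 2: every use is surfaced to the user, even after an earlier grant.

        Returns False (and logs a denial) if the user opted out or never granted
        the resource, so callers cannot silently fall through to collection.
        """
        if self.consent.opted_out or resource not in self.consent.granted:
            self.audit_log.append(("denied", resource, purpose))
            return False
        self.notifications.append(f"IN USE: {resource} ({purpose})")
        self.audit_log.append(("used", resource, purpose))
        return True

    def anonymise(self, record: dict) -> dict:
        """Drop content fields and replace the device identity with a salted one-way token."""
        out = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
        if "device_id" in out:
            digest = hashlib.sha256(self.salt + str(out["device_id"]).encode()).hexdigest()
            out["device_id"] = digest
        return out

    def transmit(self, record: dict, resource: str, purpose: str):
        """Return the record that would leave the device, or None if consent is missing."""
        if not self.use_resource(resource, purpose):
            return None
        return self.anonymise(record)


def demo() -> dict:
    """Walk through the three outcomes: no grant, granted with notice, opted out."""
    agent = TelemetryAgent(ConsentState())
    # Constructed sample record: a signal measurement mixed with content the agent must not send.
    sample = {"device_id": "IMEI-000", "signal_dbm": -80, "sms_body": "hello"}
    before_grant = agent.transmit(sample, "location", "coverage map")
    agent.request_permission("location", "coverage map")
    after_grant = agent.transmit(sample, "location", "coverage map")
    agent.consent.opted_out = True
    after_opt_out = agent.transmit(sample, "location", "coverage map")
    return {
        "before_grant": before_grant,
        "after_grant": after_grant,
        "after_opt_out": after_opt_out,
        "notifications": list(agent.notifications),
        "audit_log": list(agent.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the `use_resource` gate is that transmission is impossible without a visible notice: a caller that wants the data has to go through the method that writes the notification and the audit entry, so a reviewer or an enterprise mobile device management team can check the audit log against what the user actually saw.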

"Carrier IQ has heightened scrutiny and awareness of what data is being collected and not being collected and how a user gets notified," Datoo said. "If an enterprise develops mobile applications, it better make sure it communicates what it is collecting from the end user."

