The YouTube video posted by software developer Trevor Eckhart, revealing the presence of a hidden "Carrier IQ" software client running on an HTC Android phone, was the "shot heard 'round the mobile world" late last week. The idea that the company, also named Carrier IQ, was recording keypresses, URLs, and location information on as many as 150 million Androids and iPhones on behalf of wireless carrier clients provoked predictable and widespread outrage. As of this writing, two class-action lawsuits have been filed and more appear on the way; they accuse HTC and Samsung, as well as Carrier IQ itself, of violating the Federal Wiretap Act, which prohibits the unauthorized interception or illegal use of electronic communications.
The technorati unanimously fault Carrier IQ and carriers for embedding and running this software on handsets without subscribers' knowledge or opt-in. The extent of the privacy infraction, however, seems to have been overstated. Carriers that admit to using the IQ service – AT&T, T-Mobile and Sprint – maintain that they don’t download key presses, and only monitor some phone activity in order to optimize network performance and help with technical support.
Supporting the carriers’ claim, Dan Rosenberg, security blogger and consultant at Virtual Security Research, announced that he had reverse-engineered Carrier IQ and found "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data. There's a big difference," he added, "between 'look, it does something when I press a key,' and 'It's sending all my keystrokes to the carrier!'"
The Eckhart video, in Mobile Enterprise's view, makes it extremely clear what has been going on behind the scenes. Some, Dan Rosenberg and others included, may focus on the issue of whether or not the data collection amounted to anything: the 'no harm, no foul' approach.
But enterprise CIOs need to wake up to the reality that the keystroke and data capture was, in fact, going on and happening to millions of devices being used in the enterprise, all of them accessing corporate data, some of them thought to be secure, some of them thought to be safe from prying eyes, some of them thought to be reliably protected. The truth is that none of them were, and what's worse, no one would have known if Eckhart (or eventually someone else down the road) hadn't discovered it.
Merely Botched PR? Or Something More?
The company does admit, however, that it does capture and share the URLs entered on smartphone browsers. They say that carrier staff needs this information during tech support calls. It’s those URLs that raise the most concern, as well as the specter of future abuses, those same experts agree.
Chester Wisniewski, senior security advisor at data protection company Sophos, pictures a scenario in which an employee VPNs into a corporate server using a smartphone or tablet. He points out that since Carrier IQ captures data straight from the device itself, before encryption, the mobile operator customer would have access to the URLs of potentially sensitive corporate internal servers.
Further, in a sloppy but common practice, user IDs and even passwords are embedded into HTTPS URLs that are presumed to be secure. "What if my URL were https://myhospital.org/ssn=, with my social security number, to bring up my record?" Wisniewski asks. The capture of such passwords is serious hacker bait. Carrier IQ maintains, though, that it encrypts its stored data.
The possibility for abuse (especially in the face of innocuous-seeming 'no harm, no foul' thinking), for corporate spying, and even for privacy invasion of workforce users potentially from enterprises themselves is enormous. The need to ensure that Carrier IQ and other such software does not reside on any workforce mobile device is critical. MDM vendors need to take note!
Experts we spoke with – including Dave Farber, Professor of Computer Science and Public Policy at Carnegie Mellon University and former CTO to the FCC – agree now that the story is not so much a spy plot as a study in badly botched PR. Carrier IQ’s first response to Eckhart’s investigation – a cease and desist order – certainly intensified suspicions of wrongdoing.
The upshot for CIOs, for now, is to check for Carrier IQ on employee devices that have corporate access, and to disable it wherever this is easily accomplished, says Wisniewski. On iPhones, this is a fairly simple matter of turning off diagnostic mode. Android devices, on the other hand, require rooting to shed the software, a move that voids the phone’s warranty and could leave it far more vulnerable. If the enterprise owns the devices, Wisniewski advises a conversation with your carrier. If employees own them, he admits that it’s a tough call, but says that for now, he would sit tight.
"If there’s any true business risk to Carrier IQ, it’s all going to come out in the wash," he says. Should that happen, carriers will hurry to remove the stain by ditching the software or activating it only via opt-in. In the meantime, Wisniewski recommends that those in regulated IT environments consult with a lawyer to see if URL data collection runs afoul of compliance.
"It does raise a couple of bigger questions in the whole mobile space," adds Wisniewski, "namely, what is bundled into all these devices? If you buy a Samsung Android from any carrier, it carries some Facebook Samsung app that might have some vulnerability you can’t get rid of." The proliferation of Android releases compounds the problem, he notes.
Telecom attorney Martha Buyer agrees, cautioning employers not to assume this is the last or only threat to the data integrity of mobile devices. "In a BYOD scenario, it’s tough to control anything," she says. "I would tell CIOs to sit down with HR and the legal department, review carrier contracts and make sure they craft a good wireless policy. And then they must be willing to enforce it."