December 1, 2011

Our Take on Carrier IQ

There’s been a growing buzz over the last couple of weeks about Carrier IQ and its presence on several Android devices across several major US carriers. There is no question that Carrier IQ has deep access to sensitive user data, and questions around the handling of that data are completely legitimate. While this is true, there are also credible reports that a deeper look at the mechanics of Carrier IQ’s software indicates a bit of hyperbole in labeling it a rootkit. In short, it doesn’t appear that they are sending your keystrokes straight to the carriers.

We’ve received a number of inquiries from our customers as they’ve learned about Carrier IQ, and we’re encouraged that the mobile community is paying increasing attention to privacy risks associated with their mobile data. Based on what we know so far, it doesn’t appear that Carrier IQ’s software is malware, and for that reason it’s not flagged as such by Lookout. It is software that is developed in partnership with carriers with the intent to improve network performance. As far as we can tell, it meets this description in execution.

Metrics are all the rage these days, and it’s hip to be a metrics-driven company. It’s critical to consider users’ privacy, however, and the more sensitive the data that is being touched, the more critical it is to give your users a clear opt-out path. While this isn’t currently an option provided by Carrier IQ and its partners, we’re hopeful that it will become one in the near future.

We intend to continue this conversation with our users, network operators, Carrier IQ, and the mobile ecosystem in general. We’d also like to know how you feel about it – feel free to sound off in the comments or reach out to us directly at feedback@lookout[dot]com.

15 comments
  1. Barry Couper says:

    Whether keystrokes go to carriers or not, it’s a security hole if they are being sent to Carrier IQ without user knowledge, agreement, and way to opt out.

  2. Tomas says:

    Hmmm, not sure if it is your decision to make if it is “malware” or “rootkit”.

    If Carrier IQ is sending info about our phones without our consent I would have expected Outlook to inform me.

  3. TatiG says:

    Not only an opt out option, but it needs to be opt in from the get go. The issue with CarrierIQ is that they thought it was fun to look at our data. Time has come for them to face the truth.

  4. Timothy Harlin says:

    Lookout please please let us destroy Carrier IQ.

  5. […] have stringent policies on data retention. Independent mobile-security company Lookout wrote in a blog post, “It doesn’t appear that they are sending your keystrokes straight to the […]

  6. Pete Austin says:

    Re: “In short, it doesn’t appear that they are sending your keystrokes straight to the carriers.”

    Yes, but do keystrokes get sent Delayed? Indirectly? On request?

    Are the keystrokes in a log on the phone which can be seen if you ever send it back for repair?

    • Amy says:

      @Pete, thank you for your questions. Based on the information that we currently have on Carrier IQ, it does not appear that Carrier IQ is logging keystrokes. We will be sure to keep you posted as we have more information to share about Carrier IQ. Thank you.

  7. Nik Kalos says:

    I love Lookout and my employees love it too. It’s a great way for consumers to stay protected. Thanks, Lookout!!!

  8. GoneToPlaid says:

    The problem, regardless of whether or not the non-stoppable Carrier IQ app actually sends every single recorded keystroke to the cell phone provider or to Carrier IQ, is that a secondary application can monitor the Carrier IQ app and transmit every single keystroke. This is the underlying point of Trevor Eckhart’s video, since all he did was to use a third party app to monitor what the Carrier IQ app was doing. Take a moment to understand what Trevor’s video inherently shows: that any third party application can be designed to, via monitoring the Carrier IQ app, intercept and transmit every keystroke as well as other data such as the contents of email, secure web pages, et cetera, even if the Carrier IQ app itself isn’t transmitting all of the gleaned data. The point is that the Carrier IQ app literally hands over EVERYTHING YOU DO ON YOUR SMARTPHONE to any malicious third party software which is deliberately designed to query what the Carrier IQ app sees you doing with your smartphone. And you think that Trevor is the first person to discover what Carrier IQ’s app is doing? Most likely malware authors have known about this for quite some time.

  9. ivan says:

    Hi… has lookout actually performed FULL packet captures of packets LEAVING (say Sprint EVO) devices running CIQ?

    What was IN the packets?

    Where were the packets sent?

    Were they encrypted in transit?

    Would you SHARE neutrally monitored packet data in front of the press and tech savvy audience?

    • Amy says:

      @ivan, we are still actively working to determine more information about what Carrier IQ accesses and transmits. We will be sure to keep all of our users posted as we learn more about Carrier IQ. We will continue to keep you posted as we have more information to share. Thank you!

  10. Joe says:

    I am sorry, Carrier IQ, the ATT of the world. You may be good guys with my data. But I just do not trust you, your employees, your data centers full of security holes with my sensitive data. The law is the law: if you are data mining us without our consent, you will have to pay for it financially, and criminally.
    I hope the judge will never approve any settlement with law breakers with big fines without them having to admit guilt, thus allowing them to do it again and again as we see in the Wall Street firms and elsewhere. It is high time these white collar criminals face jail time too.

  11. larry says:

    Tim Wyatt, show your research data to back your claim that Carrier IQ isn’t malware.

  12. Anonymous Coward says:

    CarrierIQ finally admits what everybody knew already: http://www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/

    The data was also passed along to the FBI:
    http://www.huffingtonpost.com/2011/12/14/robert-mueller-fbi-carrier-iq_n_1148700.html
