January 13, 2012

Carrier IQ Detection By the Numbers

Over the past few weeks the Carrier IQ PR firestorm has died down, and the dialog has evolved from initial speculation of a ‘rootkit’ to objective evaluations of what personal data is collected, and when. One of the most informative examples of the latter is Peter Eckersley’s December 13th overview at the EFF of Carrier IQ’s software architecture – recommended reading for more technically curious readers out there.

In developing Carrier IQ Detector, we discovered very similar results to those published by the EFF. The take-home message is that determining whether or not a device has an active instance of Carrier IQ is a very nuanced subject, with dependencies on software developed by Carrier IQ, handset manufacturers (also referred to as OEMs), mobile operators, and chipset manufacturers. After individually inspecting a number of handsets that cut across a variety of US carriers and OEMs, we decided to develop our detector to report positive detections of Carrier IQ if a single relevant file is found. This approach brings with it both an upside and downside:

  • Upside: It provides the broadest detection reach possible
  • Downside: Our detector registers the presence of Carrier IQ in some cases where the software is not active

After hearing from some of our customers that this specific nuance of the detector wasn’t clear, we’ve updated the app description to make sure this point is emphasized.

Carrier Response

Recently major US mobile operators have responded to criticisms over the use of Carrier IQ software through public statements that directly address questions regarding the scope and impact of their deployments:

  • Verizon stated that it does not use Carrier IQ software on its phones, and our data appears to confirm this. The very small number of positive detections we received for Verizon devices can be traced to two specific devices, which means that they likely have incomplete and/or inactive instances of Carrier IQ software.
  • Sprint and AT&T provided insight into their specific use of Carrier IQ’s software. In addition, Sprint has since announced that they will be disabling its use moving forward.
  • T-Mobile provided information on the number of specific devices that contain Carrier IQ software, along with estimates of the number of customers affected.

Along with recent information detailing the actual capabilities of Carrier IQ’s software, these statements have been very useful in developing a bigger picture of the issue.

Carrier IQ Detector Results

In the 5 weeks that Carrier IQ Detector has been on the Android Market, it’s been downloaded over 200,000 times. We’re amazed by the sheer amount of interest, and it significantly exceeds any of our initial estimates, but it points to the importance that users are increasingly placing on the security and privacy of their mobile devices.
As a part of releasing Carrier IQ Detector, we incorporated an option for users to anonymously submit the results of their scan to us. Thanks to the nearly 60,000 users who have chosen to submit their results, we’ve gained a unique perspective on the topic that we’re sharing here. For the results below, it’s important to remember that positive detections were triggered by finding any Carrier IQ file on a device, regardless of whether or not the entire Carrier IQ stack is present and/or active.

We received nearly 60,000 submissions from users, but the insights below focus on results received for Version 1.1 of the Detector, which improved detection accuracy for a number of specific device types and operators. While the total rate of Carrier IQ detection did not noticeably change between versions, we’d like to err on the side of caution when segmenting this data into smaller groupings.

Detections By Popular Devices

This was the first question we wanted to answer: are there specific device types that show higher instances of Carrier IQ than others? Consistent with reports from handset manufacturers, our results show that there are a number of popular devices that account for a high number of detections.

Top 20 Devices Reported (By Detection Rate)


Detections By Carrier

Our second question: what percentage of devices on US carriers have Carrier IQ software installed? The data we gathered was extremely consistent with the public statements detailed above from mobile operators.

Note: It’s important to remember that positive detections are triggered by finding any Carrier IQ file on a device, regardless of whether or not the entire Carrier IQ stack is present and/or active. As an example, the 72 positive detections reported for Verizon devices are tied to two specific devices: the Samsung Galaxy Tab and HTC Droid Eris.

Top US Carriers (By Detection Rate)

International Insights

Lastly, we wanted to understand the level of International impact. The Carrier IQ story has been largely domestically focused to-date – is that focus supported by the data? While the majority of results were submitted by US users, there is a fairly large group of International users that used the detector as well.

Top 20 Countries Reported (By Detection Rate)

While at first it may appear that Carrier IQ is installed across a broad range of International devices and carriers, on closer inspection it is actually a small number of specific devices that drive our international detections. The Samsung Galaxy Tab alone represents 57% of international detections.

Top International Contributing Devices (By Total Detections)
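
The reasoning applied above to the Verizon and Galaxy Tab figures, as an added example (not the detector's code and not the post's data): given any-file detection results, compute each carrier's detection rate and how much of it comes from its top device models. The carrier and model names, the sample counts and the thresholds in `likely_residual` are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample submissions: (carrier, device model, any-file detection).
# Names and counts are placeholders, not figures from the post.
SAMPLE = (
    [("carrier_a", "model_1", True)] * 40
    + [("carrier_a", "model_2", True)] * 35
    + [("carrier_a", "model_3", True)] * 15
    + [("carrier_a", "model_4", False)] * 10
    + [("carrier_b", "model_5", True)] * 3
    + [("carrier_b", "model_6", True)] * 2
    + [("carrier_b", "model_7", False)] * 95
)

def summarize(submissions, top_n=2):
    """Per carrier: detection rate and share of detections from the top_n models."""
    totals = Counter()
    hits = defaultdict(Counter)
    for carrier, model, detected in submissions:
        totals[carrier] += 1
        if detected:
            hits[carrier][model] += 1
    report = {}
    for carrier, total in totals.items():
        detected = sum(hits[carrier].values())
        top = hits[carrier].most_common(top_n)
        report[carrier] = {
            "submissions": total,
            "detections": detected,
            "rate": detected / total,
            "top_models": [model for model, _ in top],
            "top_share": sum(n for _, n in top) / detected if detected else 0.0,
        }
    return report

def likely_residual(entry, max_rate=0.10, min_top_share=0.95):
    """Assumed heuristic: a low rate confined to a few models suggests leftover
    files on those models rather than a carrier-wide deployment."""
    return (entry["detections"] > 0
            and entry["rate"] <= max_rate
            and entry["top_share"] >= min_top_share)

if __name__ == "__main__":
    for carrier, entry in sorted(summarize(SAMPLE).items()):
        print(carrier, entry, "residual?", likely_residual(entry))
```

A carrier flagged this way still needs the affected models inspected by hand, since a file-presence hit cannot show whether the software is active.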

Conclusions

The amount of interest from our users on the subject of Carrier IQ has been incredible, and we’re happy to share the data they’ve voluntarily submitted to us. In general, we found that this data is consistent with disclosures and public statements from carriers and handset manufacturers. Based on all the evidence provided to-date, we still do not classify Carrier IQ as malware, and for a variety of reasons our software does not remove it from devices. That said, we’re happy to see that consumers are becoming increasingly aware of mobile privacy issues, and we’ll continue to be committed to helping them better understand mobile risks and security threats.

2 comments
  1. Sanchanim says:

    This is great information.
    It does seem like a lot of the firestorm has indeed gone away. Even Congress seems to have shifted gears to a certain extent.
    I think this raises some questions which I am not sure can be readily answered, but I will pose them in any case, and hopefully get some feedback.
    How much control or monitoring capabilities should the wireless carriers have over their own networks? I know this sort of drifts away from the focus a bit as everyone is concerned about personal privacy and things of that nature, but they do go hand in hand.
    Wireless carriers have appliances and servers to handle your phone transmissions. As such they need to be able to administrate and maintain those devices. Being an administrator myself I can say they probably can see quite a bit if they want to.
    What are the laws if any that govern, monitor, dictate how carriers can maintain their networks? We as end customers of the network purchase and pay for use of the carrier's network. In entering an agreement we also expect service. Now I know there are plenty of complaints regarding coverage areas, bandwidth etc, but any carrier needs some insight into their networks. How much is reasonable?
    I know the carriers talk a lot about trust. Ok ok we can all stop snickering, but really we choose a carrier, and our transmissions are expected to work. If a carrier needs to know about handset performance data, and if needed detailed data transmission information in order to support us is that ok?
    When the story first broke there was the initial scare that it was evil and watching us all. We know it isn’t true, and I know folks are asking for opt in or opt out. I don’t feel one way or the other, but I think the carriers' standpoint was based on their EULA that we all signed they could opt you in or out. Right or wrong, it was what they did. I guess in the end it is what is the expectation of us the end users and the carriers with regard to monitoring the networks they run.
    I know being in the corporate world a company pretty much can have access to any transmission over their networks period.

  2. hector says:

    Is there anything that can stop the sending of the information?
