Carrier IQ, Inc. has received more public attention in the past 60 days then it has in the previous five years that the company has existed. The software, Carrier IQ (CIQ), is analytics software designed to improve the end user experience by providing information such as dropped calls, service coverage and software crashes to wireless providers. Recent legal action by Carrier IQ, Inc. met with reactive action by the Electronic Frontier Foundation (EFF) has caused a recent media frenzy around privacy and disclosure issues surrounding the software.
After a flurry of fanciful claims, stating that CIQ software was deployed to nearly every smartphone found on every wireless provider and that the software logs all keystrokes or performs data mining on text messages and email, security researchers have sporadically begun debunking the myths. It is not difficult to locate a news article covering CIQ usage. We cite this ZDNet article as one of many in the popular press. Several wireless providers admit to using CIQ to collect some amount of information regarding their respective networks. However others, such as Verizon, have taken a strong opposing position:
“Reports about Verizon using Carrier IQ are false. Verizon Wireless does not add Carrier IQ to our phones, and the reports we have seen about Verizon using Carrier IQ are false”.
When reviewing the identified Carrier IQ subdomains, we found that three appear to be related to Verizon. It is important to note that subdomains are exclusively owned by the Domain owner, and in this case these subdomains are owned by Carrier IQ.
However, some have speculated that Verizon perhaps did use or had entertained using CIQ software based solely on this circumstantial evidence.
204.235.122.217 (vzw-collector.demo.carrieriq.com)
204.235.122.218 (vzw-dis.demo.carrieriq.com)
204.235.122.251 (hupload-vzw99.carrieriq.com)
The CIQ popularity has also spurred developers to come out with third-party applications which mobile users can use to determine if the CIQ software is loaded onto their device. However, Dell SecureWorks’ Counter Threat Unit (CTU) research team found that although the CIQ software components might be detected on a device, detection does not mean that the CIQ software is functional. Indeed, some of these tools currently exhibit misleading output. Furthermore, installing more than one detection tool may create additional false positives. We found this to be the case when analyzing a Verizon branded device.
Figure 1: Third party software may incorrectly detect Carrier IQ or provide misleading results
Our initial analysis of an SCH-I800 (Samsung Galaxy Tablet 7) showed that some CIQ software could be found on some Verizon devices. The particular device we analyzed was running the recently updated build SCH-I800.EI04 (as distributed from Verizon in November 2011).
Figure 2: Excerpt from current (2011) support documentation
Additionally, as we show below, the EI04 update package indicates that CIQ was also present prior to the EI04 update. Most users of this Galaxy Tablet are likely running EI04 or the previous EC02 software.
In particular, files found on the device after the IE04 update have the following hashes:
147b8ad1c655046e6a07ed9da7663f05 libiq_client.so
f1f576f73f8f173e1feb08dc9ce9d566 libiq_service.so
4fa974b53aec08d451e71ef081f167f7 iqmsd
9305f3a85c7887ddb5c6273d0cba8e10 dpram_vzw.ko
As with many Android devices, updates to the Galaxy Tablet 7 can be received over-the-air (OTA). An OTA update is passively downloaded to the device which in turn notifies the user that a software update is available and can be applies at the user’s leisure. Verizon’s Galaxy Tab support page, has documents to both catalog the benefits of updating and an instructional document for the software update. Here we are specifically referring to the 69.7MB EI04 update for the SCH-I800.
Figure 3: Over the Air (OTA) update information
The update includes CIQ related patch files:
patch/system/lib/libiq_service.so.p
patch/system/lib/libiq_client.so.p
patch/system/bin/iqmsd.p
indicating that the files already existed prior to the update, and will be patched as part of the update process.
While Android does not employ any kind of Public Key Infrastructure to validate the origin of the software, the software does appear to be appropriately cryptographically signed and was delivered and automatically updated on the device.
The presence of this CIQ software could be seen as evidence contradicting Verizon’s statement; however the above CIQ software alone is not enough for CIQ to be fully functional. We were able to confirm with Verizon Wireless’s product team that the software was included as a standard software package from the manufacturer who supports similar devices for other wireless providers. Furthermore, while working with Verizon, they stated that the software was never intended for use on the Verizon network and, as we discovered, is not functional.
While the above four files are undeniably present on the SCH-I800, CTU has not found any evidence that the software is actually used on the device. The iqmsd binary does depend upon the libiq_client.so file, but the CIQ software does not appear to actually run on the device and other software components required for CIQ to fully function does not appear to be present. There is no carrieriq service, no Carrier IQ binaries (including iqmsd) are running by default, and there appear to be no Carrier IQ related symbols in the kernel (as listed in /proc/kallsyms).
We won’t further discuss what we’ve found on other devices, the inner workings of these files, or other CIQ files in this blog entry (though, others have posted similar content.) Instead we simply wish to inform a subject that has garnered gratuitous and unsubstantiated claims. Carrier IQ is greatly misunderstood regarding both software capabilities and device deployment. We encourage decision makers to verify reports, and be aware that privacy or security sensitive situations may warrant additional, independent platform review.
Leave a reply
