Carrier IQ's Andrew Coward on TrevE's keylogging video and HTC

6a00d83451c9ec69e20154374c6028970c-300wi[1]In interviews with The Register and The Verge, Andrew Coward, VP of Marketing for Carrier IQ, provides some useful insight into how the software works.

He states that the CIQ application:

  • only collects what the operators (Sprint in our case) request
  • can be triggered by SMS messages
  • can be triggered by the user (by typing a code) to record or upload certain information
  • is on average sending 200K of information your phone gathered per day
  • is not logging all that data you see in TrevE's video (HTC is doing that)
  • operates entirely in RAM and does not log to SD

He also says that logs are encrypted, small, and overwritten constantly with no information older than a week. CIQ is told about every event the kernel relays to it, but by default it discards or doesn't pay attention to most of the information.

Coward implies that what TrevE's video shows is the kernel handing off information to CIQ (which is most likely discarded) and HTC's kernel logging it to the system log where any app with access could read and decipher what you typed. So even if you killed CIQ, the HTC kernel would still be logging that it was trying to send the information to the CIQ application.

He further asserts that any information that CIQ is not set to collect is discarded immediately, otherwise the logs would be huge.

He also appears to be saying that in the form that Carrier IQ wrote their application, it was just an application. How the carriers integrated it is what caused it to become a rootkit. Though he doesn't explicitly point the finger at anyone, this once again puts the ball back into HTC and Sprint's court in terms of who's to blame for potential wiretapping charges.

With the HTC stock kernel sending all the information to the Carrier IQ program and then logging it unencrypted, it looks more like the kernel is doing the bulk of the data compromise we were initially worried about.

I wrote to the HTC PR person who originally said that HTC was in no way affiliated with CIQ and asked if it was HTC or Sprint that called for the integration of CIQ as it is into the kernel. As of this writing five days later, I have not received an answer.

The facts still are that CIQ, in its implemented form, is a rootkit that collects and transmits information you don't have access to view to people and places you're not familiar with. I don't think the vast majority of users would care so much if we just had the power to limit what we send, know what we send, know when we're sending it, and opt out or turn the program off, but the three-way blame game that's been going on has done nothing but make people more upset.

There's still some seemingly deliberate obfuscation on anything related to CIQ. It seems to exist just to confuse the issue. There's Carrier IQ the company, Carrier IQ the program, and Carrier IQ as implemented by the carrier.

CIQ the company can say CIQ does not collect any of your information, and this may be correct if they're talking about the company. They may never see a bit of your information, but CIQ the application can collect your information and transmit it to Sprint, or HTC.

CIQ the company can say CIQ is not a rootkit, and this is correct. Neither the company nor the application is a rootkit; however, how Sprint and HTC took CIQ the application and integrated it into the operating system has made it, in essence, a rootkit.

CIQ the company states that CIQ the program is not a keylogger. Correct. HTC's kernel is sending most events (keypress, power state change, screen tap) to CIQ the program. Technically the HTC kernel is a key-tosser. Should the carrier (Sprint in most cases) care to log the keypress events, then application becomes an event logger, logging and later transmitting keypress events. What you see in TrevE's video is the kernel logging what it's sending to CIQ, not CIQ recording information.

Carrier IQ is a logging and diagnostic program. CIQ logs whatever the carrier specifies to log, and later transmits it to a portal. HTC's kernel is sending the logging program every single event that happens on the phone.

So, once again, unless something new comes out, CIQ isn't the problem; it's HTC and Sprint. If they would just get off their behinds and let us remove it, or choose what information we refuse to let it collect rather than state it doesn't exist or it can't do Operation X (which obviously it can), I think they'd be in a heap less hot water.

The public forum for CIQ, HTC, and Sprint is further muddled by CIQ being contract-bound to not divulge any of their customer's information; HTC stating they're not a customer or affiliated with CIQ, despite modifying their kernel to work with it; and Sprint initially saying CIQ doesn't exist and now saying basically nothing.

[The Register | The Verge]
Pocketables does not accept targeted advertising, phony guest posts, paid reviews, etc. Help us keep this way with support on Patreon!
become a patron button - for some reason we don't have an alt tag here

Paul E King

Paul King started with GoodAndEVO in 2011, which merged with Pocketables, and as of 2018 he's evidently the owner. He lives in Nashville, works at a film production company, is married with two kids. Facebook | Twitter | Donate | More posts by Paul | Subscribe to Paul's posts

Avatar of Paul E King