Carrier IQ and Mobile Privacy
Happy Friday everyone! One of the stories we posted last week discussed Trevor Eckhart’s research on Carrier IQ’s application. The application, installed on millions of mobile devices, logs keystrokes and essentially passes sensitive data back to the company. After many interviews and deeper inspection by security researchers, it seems that Carrier IQ may not truly be sending all the data back to its data centers; instead, it is intercepting and filtering data for troubleshooting and gathering relevant statistics.
There’s still a lot of speculation. The company has been interviewed extensively and denies storing or sending the sensitive data. Lawsuits are now pending, several serious inquiries by US lawmakers are underway, and there is an assertion that perhaps this violates US federal wiretapping laws. What does this kind of thing mean for security professionals?
First and foremost, this is the kind of story that gets the security community up in arms very quickly, and for good reason. Most people have come to rely fairly heavily on mobile devices that are integrated with one or more telecommunication carriers’ services. Without deep inspection and analysis using debuggers and other tools, most won’t even realize that these services and software are embedded within the devices. Security teams are not particularly keen on having their privacy violated, last time I checked. An even bigger issue is at hand, though - what about enterprise data? Enterprise phone plans still leverage the mobile carriers, and these devices are shipped with monitoring software pre-installed. Exactly what kinds of corporate data or secrets are passing through carrier and application developer networks and data centers without the knowledge and/or consent of the enterprises involved?
The revelation of Carrier IQ’s capabilities on Droid, BlackBerry, and potentially iOS devices raises the broader issue of business continuity as it relates to information security. After conversations with many in the IANS community, I know this is at the top of their list of concerns for 2012, and it should probably be somewhere on yours, too.
More interesting stories for the week:
• Bill Brenner at CSO reports that Google+ and Facebook may be susceptible to some “link masking” techniques that could be used to phish users and direct them to links that they cannot see.
• Cisco’s Product Security Incident Response Team (PSIRT) published ten (10) vulnerabilities in various Cisco products this month, many of which are found in security-related products like the ASA firewall and Firewall Service Modules (FWSM).
• CNET bundled adware with its download of the popular Nmap network scanner on the Download.com site. The scanner’s author, Fyodor, discovered this and sent out an email to the Nmap mailing list advising people of the issue.
• Adobe, sadly, has a few critical flaws in Reader and Acrobat that seem to be getting exploited in the wild right now. Lenny Zeltser mentioned this over at the SANS Internet Storm Center, and now there are rumors of some major issues emerging in Flash as well. A bad month for Adobe? Maybe an average one, given the track record. Ouch.
