Carrier IQ Bits and Pieces

Some background about Carrier IQ before the hullabaloo started.

  • People had found out about this before
  • Some in the industry questioned why such an expensive solution was needed for a relatively simple problem
  • Data was available to ‘market researchers’
  • Software was installed on modems too
  • A lot of carriers were involved

This is not new. Several people have pointed this out before. This from December 2010: xda-developers – View Single Post – **warning** you can get your phone to a unrecoverable state:

On whether or not it’s possible for Sprint to dig up data after a complete Odin wipe may be debatable, but I lean toward supporting the “yes, they can” side. Sprint has been, for – as far as I can tell – a while, since the Moment at least, been including Carrier IQ in Android ROMs. Carrier IQ – which you can get more info on here (browse around there) is highly invasive, to the level of being spyware. It tracks signal data, application usage, and much else – its services and libraries are tied deeply into the system, to the point that killing just the client (not the server) will destroy the battery meter.

And this, even earlier, from a potential rival: Carrier IQ: Mobile Service Intelligence ?’s – DeadZones.com. They point out that Carrier IQ is very expensive, and has raised a lot of money, for something that is supposedly very simple (finding dropout zones). Commenters point out the pitfalls (lower battery life, data in the hands of faceless corporations):

I did not give consent for this and see the use of such software unethical. I can see no positive effect this can have for the end user. I can see many scenarios in which these corporations could heinously profit from it, though.

Back in 2008, it could claim, according to Company 2008: FierceWireless, Fierce 15 – FierceWireless, that

Carrier IQ’s client list includes Sprint and Sierra Wireless. CEO Quinlivan says the firm works with at least seven of the top 10 major OEMs. Look for the firm to increase its scale in the coming year through more vendor and carrier deals.

Huawei is a customer, not only for handsets, but also for modems: Huawei to Embed Network Diagnostic Tools into 3G Modems in 2009 says:

Announcing the partnership, Carrier IQ CEO, Mark Quinlivan, said: “These new cards will make for smoother delivery of Mobile Data services, improvements in Customer Care services, identification of network coverage gaps and increased awareness of actual user behavior.”

This from Sept 2010, Carrier IQ Powers Android Platform with Mobile Service Intelligence, makes clear a number of things.

Experience = behavior for Carrier IQ, so this is not just about logging dropouts:

On-device measurement of the mobile user experience is the key to better understanding user behavior and ultimately optimizing product offerings to match market demands.

This data was not just available to the telcos. The press release also includes an unlikely end-user:

Carrier IQ enables mobile operators, device manufacturers, application developers and market researchers to improve their offerings based on direct insight into the customer experience.

As of last year, 12 leading vendors were using Carrier IQ:

Deployed on over 90M devices from 12 leading vendors worldwide, Carrier IQ is the leading provider of Mobile Service Intelligence solutions that use mobile devices to provide detailed metrics in a highly secure environment.

Former Soviet Bloc, Allies, Under Lurid Attack

Trend Micro researchers David Sancho and Nart Villeneuve have written up an interesting attack they’ve dubbed LURID on diplomatic missions, government ministries, space-related government agencies and other companies and research institutions in the former Soviet bloc and its allies. (Only China was not a Soviet bloc member or ally in the list, and it was the least affected by the attack.)

Although they don’t say, or speculate, about the attacker, it’s not hard to conclude who might be particularly interested in what the attacks are able to dig up:

Although our research didn’t reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets.

Russia had 1,063 IP addresses hit in the attacks; Kazakhstan, 325; Ukraine, 102; Vietnam, 93; Uzbekistan, 88; Belarus, 67; India, 66; Kyrgyzstan, 49; Mongolia, 42; and China, 39.

The campaign has been going for at least a year, and has infected some 1,465 computers in 61 countries with more than 300 targeted attacks.

Dark Reading quotes Jamz Yaneza, a research director at Trend Micro, as saying it’s probably a case of industrial espionage. But who by? “This seems to be a notable attack in that respect: It doesn’t target Western countries or states. It seems to be the reverse this time,” Yaneza says.

Other tidbits from the Dark Reading report: Definitely not out of Russia, according to Yaneza. David Perry, global director of education at Trend Micro, says it could be out of China or the U.S., but there is no evidence of either. So it could be either hacktivists or industrial espionage. Yaneza says attackers stole Word files and spreadsheets, not financial information. “A lot of the targets seemed to be government-based,” he says.

My tuppennies’ worth? Seems unlikely to be hacktivists, at least the type we think of. This was a concerted campaign, aimed specifically at getting certain documents. Much more likely to be either industrial espionage or pure espionage. Which means we might have reached the stage where groups of hackers are conducting these attacks because a market exists for the product retrieved. Or had we already gotten there, and just not known it?

Either way, Russia and its former allies are now in the crosshairs.

More reading:

Massive malware attacks uncovered in former USSR | thinq_

Cyberspy attacks targeting Russians traced back to UK and US • The Register