Friday, December 2, 2011

The Carrier IQ debacle

In case you've missed the commotion, concerns have been raised over the last few days about a component, produced by a company called Carrier IQ and installed on many smartphones, which (a) is set to run by default on some smartphones; (b) may be more covert than other processes running on the system; and (c) seems to have hooks to which it is passed various confidential data such as the identity of keypresses, the content of SMS messages and the cleartext version of data sent over HTTPS.

Such is the concern that some commentators are already describing the Carrier IQ software as a rootkit.

It is possible that the module in question is entirely innocent, and that confidential data is being passed to its hooks simply because of some slightly diabolical API design. If that is the case, I would then expect:

- smartphone manufacturers who have embedded the Carrier IQ component in their OSes to come forward with details about the close scrutiny that the software underwent on their part before being approved;
- Carrier IQ to come forward with some convincing and reassuring details about why this confidential data is apparently being passed to the process without constituting a breach of trust and confidentiality.

As I say, the Carrier IQ component may be entirely innocent and above board. But the longer the above two actions continue not to occur, the more concerning things appear. And sometimes, it isn't whether there is anything untoward that matters, but whether there appears to be...
