Crapware on a pc or mac is easy to combat….format the machine and use your own, known good image. Phones however are a new frontier of badness for the enterprise and anyone with need for data security. Folks wonder why I’ve advocated locking smartphones out of sensitive networks…this is why. I’ve figured this for a while…now it’s been proven. There are quite a few links in this story..please read them. The video that’s blown the lid off this is right here.
You just can’t make this stuff up. If I had told you six months ago to be very careful about entrusting corporate data to mobile carriers who pre-install app crap, because they would build spyware into phones, collect secure web browsing information, and embed this software so deeply that you have to change the ROM to get rid of it, you would have written me off as a paranoid. Yet, that appears to be the situation with CarrierIQ, a carrier utility gone wild.
Like the Master Control Program in the 80s science fiction classic, “Tron,” CarrierIQ collects data for an ostensibly harmless purpose: to help carriers improve the quality of their network and improve the user experience. Then, it goes crazy and tries to kill everyone. It may not be as bad in this case, but the trouble is, though Carrier IQ claims, “we are counting and summarizing performance, not recording keystrokes or providing tracking tools,” third party analysis of Carrier IQ begs to differ.
Specifically, researcher Trevor Eckhart writes on his blog that the Carrier IQ application “is receiving not only HTTP strings directly from browser, but also HTTPs strings. HTTPs data is the only thing protecting much of the ‘secure’ Internet.” Carrier IQ, realizing how damaging this revelation was, tried to squelch Eckhart through a cease-and-desist letter (giving him two whole days to respond, and threatening damages starting at$180K), but the Electronic Frontier Foundation came to the rescue. Carrier IQ relented after the assault from the EFF, and is now “deeply sorry for any concern or trouble” that the letter may have caused Eckhart.
From an enterprise perspective, this is massive. It’s the Jerry Sandusky of mobility. It is an insane breach of trust.
[ Not up to date on Carrier IQ? See Carrier IQ Withdraws Legal Threat Against Security Researcher. ]
Enterprises have long put up with “app crap” on Windows platforms, and, then, on mobile platforms. On the Windows platforms, enterprises would shrug, wipe the machines, re-image them, and move on with work as usual. On mobile, enterprises believed that the app crap was benign enough. Wrong.
We all knew that spyware existed on PCs, but the big difference is that spyware and rootkits got installed by malicious third parties, not our trusted partners who get paid for services that they provide.
All of a sudden, Steve Jobs’ perspective about who should control mobile device firmware doesn’t seem to be such a bad idea.
Carrier IQ has no relationship, at all, with the enterprise. They’ve said that “we do not sell Carrier IQ data to third parties” or “provide real-time data reporting to any customer.” But once you generate the data, it’s there for the taking.
This year’s Data Breach Investigations Report, co-sponsored by the US Secret Service, and, ironically, a mobile provider, emphatically states that organizations need to eliminate unnecessary data collection (since it can and will be stolen.) As enterprise trusted partners, it’s time for carriers to eliminate the middleman. Carrier IQ had no incentive at all to limit the type of data that it collects.
Because Carrier IQ is so carrier focused, it may have even come as something of a surprise to the Carrier IQ folks that they may have violated wiretap laws.
The whole model needs to change, or this incident will be repeated. Carriers currently control the phone, and work with third parties to build management software that they need. The third parties have no skin in the game in terms of the trust relationship with the enterprise. Frankly, in this case, if Carrier IQ’s reputation becomes so tarnished that they can no longer sustain a viable business, they can pull up their tent stakes, change their name, and resume operations.
Well, good for them, but BAD for the enterprise, because the enterprise now needs to start investing the type of time that used to be reserved for Windows PCs, in order to re-image spyware-vulnerable smartphones. It’s not a matter of just removing the software. InformationWeek contributor Mathew Schwartz told me this morning that “some deployments of Carrier IQ by the carriers have an ‘off switch’ that smartphone owners can trigger,” but that he’s also seen reports that it simply doesn’t work.