The company keeps giving explanations, but they're not off the hook yet

Dec 14, 2011 09:52 GMT

The controversial company Carrier IQ issued a report to further explain how they do business and how their software really works.

It seems they discovered a bug in a diagnostic profile that measures radio-network-to-mobile-device signaling, which helps network operators determine why calls get dropped.

In unique circumstances, when a device received an SMS during a call or during a simultaneous data session, messages were collected by the software.

Carrier IQ reports that the layer 3 radio messages in which the SMSs were embedded were not decoded or made available to anyone. Even so, the bug was immediately fixed.

In response to Trevor Eckhart’s proof-of-concept video, the organization states that they record keystrokes as part of the IQ Agent’s “check-in process”.

Normally, the IQ Agent transmits the diagnostics according to a schedule, or when a specific numeric code is entered by the user through the device’s dialer.

The same applies to SMSs: the data collector may send an SMS to request transmission of the data. These are the factors that gave the security researcher the impression that keystrokes were being recorded.

“Carrier IQ has never intentionally captured or transmitted keystrokes and is not aware of any circumstances where this has occurred. Carrier IQ is not a keylogger and no customer has asked Carrier IQ to capture key strokes.”

Furthermore, they claim that the video merely proves that keystrokes and SMSs were stored in Android log files and not written or passed along by their software.

While the paper makes some interesting points, which may very well all be true, the incident is far from over, especially after we saw yesterday that even the FBI has some involvement with the company.

US Senators also got involved in the matter, demanding further clarifications from the company, which has lately been struggling hard to clean up its reputation.