Last week a very scary piece of research was published by Trevor Eckhart about spyware that is being included on cellular phones in the United States. The commercial software application is called Carrier IQ and is reportedly being used by Verizon, Sprint and potentially other carriers.
Carrier IQ was unhappy with Eckhart publishing public copies of their training materials and proceeded to send a cease and desist letter to Mr. Eckhart.
Fortunately Eckhart worked with the EFF to explain things to Carrier IQ and their CEO responded with an apology promising to work with the EFF and Eckhart.
Eckhart analyzed the software that was running on his Android-based HTC phone (Carrier IQ also supports Blackberry, Nokia and others) and discovered it was doing some rather sneaky things.
It was installed in such a manner as to be largely invisible. It was logging his location even when he had location services disabled, and it was keeping track of every key press and every URL he visited (including HTTPS URLs).
The software ignored the “Force stop” button and was nearly impossible to remove from the device for non-Android hackers.
What is unknown is what data is being sent back to the carriers and to Carrier IQ. Eckhart’s research only shows the data that is being collected, not what data is being reported back.
The company claims the software is designed to help mobile phone carriers to improve their service quality by measuring where calls drop, what applications are causing performance issues and which handsets may have problems on their networks.
This may be true, but the fact that users are not informed and cannot opt out of or remove the software is extremely concerning. Combine that with all of the sensitive information the software is designed to intercept and it raises far more questions about how this software is being used.
While Eckhart calls Carrier IQ a rootkit, I am not sure I entirely agree. It does not completely hide from the system, as he shows in the YouTube video demonstrating his research.
Our use of personal computing devices to communicate and interact with extremely sensitive information is enabling organizations to surreptitiously monitor and potentially monetize our private lives.
Monitoring your location is scary enough if you have disabled the feature, but collecting every keystroke and website you visit is an even more chilling thought.
If Carrier IQ is loaded on your phone you may wish to contact your carrier to find out how you can opt out of participating. Verizon Wireless has made a statement available to their customers allowing them to opt out, although it doesn’t appear to disable or remove the software.
Update: Reports have surfaced that Carrier IQ references have been found in Apple’s iOS going back as early as version 3. We will post more as details surface.
Update 2: Verizon denies utilizing the Carrier IQ software, but Sprint and AT&T have confirmed they utilize the software.