Until the recent uproar over the discovery of Carrier IQ’s analytics software running on a variety of mobile devices, including Apple iPhones and Google Android phones, however, most consumers failed to recognize that they also have little control over the software installed on the highly subsidized handsets they buy. Nor was it clear just how much of a security and privacy risk Carrier IQ’s software creates by gathering and storing data about how and where a person’s mobile phone is used.
Carrier IQ has positioned its software, installed on more than 141 million handsets worldwide, as a mobile agent that helps carriers improve service for wireless customers by providing data on customer usage patterns. These improvements include reducing dropped calls and extending device battery life, Carrier IQ CEO Larry Lenhart said in a video recently posted to YouTube.
Controversy over what else the company could do with the information it gathers arose a few weeks ago, when software developer Trevor Eckhart pointed out on his Android Security Blog that Carrier IQ can tap into a variety of information stored on a handset, including “manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device.” Eckhart, who claims to have obtained this information from a Carrier IQ patent filing, then tested the software for himself.
Eckhart’s subsequent claims that CarrierIQ is a “rootkit” that logs mobile phone users’ activity and location prompted the company to obtain a cease-and-desist order, which was later rescinded when Eckhart retained the Electronic Frontier Foundation. Rootkit is a loaded cyber-security term referring to keylogging, trojan or other software installed without a user’s consent or knowledge for the purpose of tracking activity on that device. More recently, software developer Grant Paul (a.k.a. chpwn) claimed that Carrier IQ is installed on iPhones, as well the Android, Blackberry and Nokia phones originally identified by Eckhart. Apple has since distanced itself from Carrier IQ, as Macworld.com noted.
More disconcerting than the evidence that Carrier IQ is collecting sensitive data is the lack of evidence that the company knows how to protect that data, says Chris Soghoian, a privacy and security researcher at the School of Informatics and Computing at Indiana University Bloomington. “You have this application running on your phone with basically full privileges-able to access users’ emails, phone calls, location information, text messages and photographs- and it’s just sitting there,” he adds. “Even if you believe that Carrier IQ is well-intentioned or believe that the carriers are not receiving this information, you still have a security crisis just waiting to happen when a hacker figures out how to exploit this information. This is an absolute gold mine for hackers or intelligence agencies or law enforcement.”
The notion that spy agencies or law enforcement could take advantage of Carrier IQ to access private information is particularly relevant given the California Supreme Court case earlier this year that awarded police the authority to search mobile phones without a warrant.
Carrier IQ’s software is like “a gremlin living inside your phone that has the capability to report back to someone else if asked to do so,” says Soghoian, who is also a graduate fellow at the Indiana University’s Center for Applied Cybersecurity Research. Despite Carrier IQ’s claims that it is working to improve network performance for callers, Soghoian adds, the company is hired by the carrier and the performance improvements are only a marginal aspect of what the collected user data could be used to do.
The backlash against Carrier IQ-as well as the mobile phone makers and carriers that permitted the software to be installed-has been extensive. U.S. Sen. Al Franken (D-Minn.) and Rep. Ed Markey (D-Mass.) have called for investigations into Carrier IQ’s presence on mobile phones. Germany’s Bavarian State Authority for Data Protection has contacted Apple to find out more about its role in Carrier IQ use. Regulators in the U.K., France, Ireland and Italy are likewise reviewing whether Carrier IQ is in use in their jurisdictions, according to Bloomberg.
While policy makers question the company’s intentions, Soghoian scoffs at the idea of premeditation. “Instead of assuming that the company is being nefarious, it’s much better to assume that they’re inept,” Soghoian says. “It’s always safer to assume ineptitude and incompetence, and in this case there seems to be ample evidence of both.”
Author: Larry Greenemeier, Scientific American