Will Carrier IQ's software make your phone vulnerable to hackers?

Got a smartphone? Then Carrier IQ's software may be logging everything you do on it. Better start praying it won't get hacked.

If you own a smartphone, odds are good it contains a secret piece of software that can log every single thing you do on it and send that data back to a company you’ve never heard of. Sound like a paranoid fantasy? Then you clearly haven’t heard of Carrier IQ.

Carrier IQ makes analytic software that tracks battery use, connection attempts, and other data on some 142 million smart phones.  You probably have it on yours, though you wouldn’t know it, because Carrier IQ (and your handset provider) take great pains to hide it from you and keep you from disabling it. And yes, even the mighty iPhone is not immune.

Android security researcher Trevor Eckhart discovered Carrier IQ on his HTC phone earlier this fall and blogged about it. He called it a “rootkit,” a type of software typically used by malware authors to hide nasty code where anti-virus software can’t find it.

Eckhart discovered that in addition to battery life, connections, etc, the Carrier IQ software was also capturing text messages, emails, Web histories, and every other action on his phone. He even made a 17-minute video showing how the software hides, how it’s impossible to shut off, and everything it appears to record.

Instead of addressing Eckhart’s concerns, proving he was mistaken, or modifying how its software works, CIQ sent its lawyers after him. Big mistake. And though CEO Larry Lenhart subsequently apologized and withdrew CIQ’s legal threats, it’s in the middle of a privacy s**tstorm of epic proportions, and it has only itself to blame.

InfoWorld’s Robert X. Cringely likens the CIQ mess to the Sony Rootkit CD debacle of 2005, and with good reason. Back then, Sony BMG came up with the brilliant idea of putting XCP copy protection software on some of its music CDs. If you played one of these discs in your computer, it would secretly install copy protection software on your PC in a way that was invisible to you, as well as any anti-malware software (ie, a rootkit). The software was designed to keep you from making copies of the songs and sharing them on Kazaa or Limewire.

The problem? Aside from being a totally slimy thing for Sony BMG to do, the same rootkit could be used by hackers to mask malware – and in fact, some did. 

So one question is, could hackers do the same thing with CIQ’s rootkit? Or, worse, simply hack into CIQ’s software and siphon off all the data it’s collecting?

But those are not the only questions alarmed smartphone users are asking – and so far, Carrier IQ is failing to answer.

* What devices is Carrier IQ’s software running on? Is it possible to remove it? How?

* What data is CIQ collecting? The company says it does not log keystrokes, record texts or emails, or track users across the Web. Eckhart says it does. Who’s right?

* If CIQ isn’t keeping all the data Eckhart claims it logs, could CIQ keep it if it chose to do so?

* Can the data collected be tied to a specific identity – ie, your phone’s unique ID number or your phone number?

* Who has access to the data? How long is it kept? How is it secured? If presented with a legal order, could Carrier IQ hand over our entire phone usage histories to a court?

* Did Carrier IQ and its telecom partners violate Federal wiretap laws?

This is a classic case of where the biggest privacy threat is usually not the obvious one. It’s when thoughtless or unscrupulous data collection practices fall victim to the law of unintended consequences.

Most data collected by mainstream non-cybercriminals is used for a relatively benign purpose. At best, they want to use it to improve their products; at worst, they want to use it to sell you something. Neither is life or freedom threatening. It’s when the data is used for secondary purposes – or falls into the wrong hands – that things can get nasty.

And that is the problem with collecting hordes of data, especially extremely personal data like text and email messages or phone calls and Web surfing histories. Once you’ve got it, someone else (a hacker, legal authorities, a successor company) may also get it. And there’s the ever-present temptation to monetize that data, especially when the original purpose for collecting it isn’t paying off the way the data collector hoped it would.

At the barest minimum, cellular carriers need to be a lot more upfront about what software is actually installed on the phones that cost us thousands of dollars a year in usage charges, as well as what that software does. Better yet: Give us a choice about whether we want this software on our fancy and expensive handsets, and if not, offer tools to remove them.

Privacy advocates have been waiting for a worst case scenario to demonstrate the dangers inherent in cell phone tracking. I think they just found it.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies