Observations

Opinion, arguments & analyses from the editors of Scientific American

Is Carrier IQ’s Data-Logging Phone Software Helpful or a Hacker’s Goldmine?

U.S. mobile phone customers do not like spending a lot of money for their wireless gadgets. As a result many agree to restrictive contracts with AT&T, Sprint, Verizon and other wireless carriers in order to get a good deal. Until the recent uproar over the discovery of Carrier IQ’s analytics software running on a variety of mobile devices, including Apple iPhones and Google Android phones, however, most consumers failed to recognize that they also have little control over the software installed on the highly subsidized handsets they buy. Nor was it clear just how much of a security and privacy risk Carrier IQ’s software creates by gathering and storing data about how and where a person’s mobile phone is used.

Carrier IQ has positioned its software, installed on more than 141 million handsets worldwide, as a mobile agent that helps carriers improve service for wireless customers by providing data on customer usage patterns. These improvements include reducing dropped calls and extending device battery life, Carrier IQ CEO Larry Lenhart said in a video recently posted to YouTube.

Controversy over what else the company could do with the information it gathers arose a few weeks ago, when software developer Trevor Eckhart pointed out on his Android Security Blog that Carrier IQ can tap into a variety of information stored on a handset, including “manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device.” Eckhart, who claims to have obtained this information from a Carrier IQ patent filing, then tested the software for himself.

Eckhart’s subsequent claims that Carrier IQ is a “rootkit” that logs mobile phone users’ activity and location prompted the company to obtain a cease-and-desist order, which was later rescinded when Eckhart retained the Electronic Frontier Foundation. “Rootkit” is a loaded cyber-security term referring to keylogging, trojan or other software installed without a user’s consent or knowledge for the purpose of tracking activity on that device. More recently, software developer Grant Paul (a.k.a. chpwn) claimed that Carrier IQ is installed on iPhones as well as the Android, Blackberry and Nokia phones originally identified by Eckhart. Apple has since distanced itself from Carrier IQ, as Macworld.com noted on Thursday.

More disconcerting than the evidence that Carrier IQ is collecting sensitive data is the lack of evidence that the company knows how to protect that data, says Chris Soghoian, a privacy and security researcher at the School of Informatics and Computing at Indiana University Bloomington. “You have this application running on your phone with basically full privileges—able to access users’ e-mails, phone calls, location information, text messages and photographs—and it’s just sitting there,” he adds. “Even if you believe that Carrier IQ is well-intentioned or believe that the carriers are not receiving this information, you still have a security crisis just waiting to happen when a hacker figures out how to exploit this information. This is an absolute gold mine for hackers or intelligence agencies or law enforcement.”

The notion that spy agencies or law enforcement could take advantage of Carrier IQ to access private information is particularly relevant given the California Supreme Court case earlier this year that awarded police the authority to search mobile phones without a warrant.

Carrier IQ’s software is like “a gremlin living inside your phone that has the capability to report back to someone else if asked to do so,” says Soghoian, who is also a graduate fellow at the Indiana University’s Center for Applied Cybersecurity Research. Despite Carrier IQ’s claims that it is working to improve network performance for callers, Soghoian adds, the company is hired by the carrier and the performance improvements are only a marginal aspect of what the collected user data could be used to do.

The backlash against Carrier IQ—as well as the mobile phone makers and carriers that permitted the software to be installed—has been extensive. U.S. Sen. Al Franken (D-Minn.) and Rep. Ed Markey (D-Mass.) have called for investigations into Carrier IQ’s presence on mobile phones. Germany’s Bavarian State Authority for Data Protection has contacted Apple to find out more about its role in Carrier IQ use. Regulators in the U.K., France, Ireland and Italy are likewise reviewing whether Carrier IQ is in use in their jurisdictions, according to Bloomberg.

While policy makers question the company’s intentions, Soghoian scoffs at the idea of premeditation. “Instead of assuming that the company is being nefarious, it’s much better to assume that they’re inept,” Soghoian says. “It’s always safer to assume ineptitude and incompetence, and in this case there seems to be ample evidence of both.”

Image courtesy of Martin McCarthy, via iStockphoto.com

About the Author: Larry is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.

The views expressed are those of the author and are not necessarily those of Scientific American.

Comments

  1. JamesDavis 9:36 am 12/3/2011

    Didn’t President Bush open the door to this security breach when he infringed on our 1st Amendment Rights and started collecting e-mails in the name of stopping terrorism and keeping the American people safe? We are now starting to see and understand what a dark path Bush has led us down. It makes you wonder what other dastardly deeds he has committed to bring this country to its knees.

  2. tomgarven 11:52 am 12/4/2011

    I can’t think that this data would be anything but pure 24kt gold to hackers and it will probably be in the public domain shortly. Now that the cat is out of the bag I would:
    1. Immediately stop doing online banking or anything else requiring https secure transactions with a mobile device.
    2. Stop sending text messages you wouldn’t want published in your local newspaper.
    3. Cancel all of your online https accounts immediately, and;
    4. NEVER trust your mobile phone provider again.

    A word of advice; if you don’t want everyone to know what you said or did – don’t tell anyone.

  3. Dredd 2:50 pm 12/4/2011

    So long as it allows us to choose to use it or not, turn it on or off as we choose, then it is a tool.

    Otherwise it is not to be trusted.

    The cell phone is the tool of the citizen journalist. As such it is of utmost value.

    http://blogdredd.blogspot.com/2011/12/citizen-journalist-in-america.html

  4. Jerzy New 4:32 am 12/5/2011

    Good advice for users above! Time for a U-turn on mobiles and such gadgets. Don’t do anything on your mobile you wouldn’t want hackers to know. These gizmos seemed too good to be true. Well, they were.

    Any real-life company so careless about customers’ money and data would go bankrupt from lawsuits. Mobile phone providers and internet companies operate in a dangerous legal loophole. Time for lawmakers to fix it.

  5. Jerzy New 4:33 am 12/5/2011

    BTW – I don’t understand the “malicious or simply inept” controversy. Do hackers care? Would you care after you lost your money? The risk is here.

  6. AtlantaTerry 4:08 pm 12/6/2011

    How long before there is an app available to permanently deactivate the Carrier IQ software? I would pay for such a utility.

  7. electric38 4:04 am 12/7/2011

    Hackers are probably the least of concerns. Our military has massive screening and tracking powers for Cyber-Security purposes. Any “Data Center” in the US or in the world, that wishes to intercept or just look into messages has free rein over any transmitted data. It must go through their servers. Most satellite transmitters can “ping back” to the transmitting company less detailed, but somewhat relevant information on the user. For example, most TV cable and satellite companies know exactly who is watching what at any given time. Many legal agencies can get court orders to “tag” phones, messaging and texting from a user if a judge deems it to be “legal and pertaining”.
    Every web site “cookie” has tagged the user with a traceable means, mostly for advertising purposes, but also for political reasons.
    Face it. Your profile is pretty much known to several entities. This is one reason why there are many pro-WikiLeaks fans. It does a body good to see what the other side is doing with this information to control world politics and worldwide industries.

  8. Quinn the Eskimo 9:23 pm 12/8/2011

    As long as it is not OPT-IN with the default OUT, it’s spyware.

    Senators, where the F**k are you on this one?