Hidden software in your smartphone might be spying on you. Until an uproar this week, chances are you had never heard of a company called Carrier IQ, but if you own a smartphone, it's possible this little California company has collected lots of information about you.
Carrier IQ makes software that has been pre-installed on mobile phones used by millions of consumers. "It is installed by the wireless carriers like Sprint and AT&T," says Chris Soghoian, a security and privacy researcher at Indiana University. "It is insanely difficult to remove. In fact, you probably have to violate your warranty and perform the equivalent to a lobotomy to remove it from your device."
The software is supposed to provide the wireless carriers with diagnostic information on the ways that consumers are using their phones.
"So this could be your signal strength, how many calls are dropped. But to provide I guess as broad a base of data as possible, the software also captures every keystroke that is entered on the device, which can include your passwords and the web pages you're viewing and the emails and the text messages that you're sending. It can also capture your location, the applications that you're using on your device," Soghoian says.
Carrier IQ declined to speak with Marketplace for this story; however, it did issue a statement saying, "While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools."
However, Trevor Eckhart, a 25-year-old software developer, posted this video:
It shows that, in fact, the Carrier IQ software on his Android phone was doing exactly that -- logging keystrokes -- even recording text messages before he saw them.
Researchers including Soghoian say that although the software may be capturing keystrokes, location and text messages, that doesn't mean it's transmitting that information back to the wireless carrier.
"But you do have this secret gremlin in your phone, watching everything you're doing," Soghoian says. "And the fear that many people are expressing is that this software hasn't really been vetted by the companies that make smartphones; it hasn't undergone thorough security review; and even if the carriers have great intentions and Carrier IQ is not trying to do anything sneaky, it still creates a goldmine for hackers or other nefarious persons who might later want to access this data. It just simply isn't secured very well."
Soghoian says the bigger issue is that millions of users didn't even know the software was there. "This Carrier IQ scandal is actually a mere symptom of the larger problem, which is the carriers are the ones that are deciding which functionality is enabled and disabled on our devices," he added.
Researchers are still sorting out exactly which phones in the U.S. are infected. Phones sold by AT&T and Sprint seem to be the most likely candidates; both companies acknowledged they use the software. Verizon has said that they do not install Carrier IQ.
Apple's iPhone was designed to work with this software -- but unlike some other phones, you had to choose to turn it on.
Here's Carrier IQ's most recent statement, issued last night:
Operators Use Carrier IQ Software Only to Diagnose Operational Problems on Networks and Mobile Devices.
Mountain View, CA – December 1, 2011 – To clarify misinformation on the functionality of Carrier IQ software, the company is updating its statement from November 23rd 2011 as follows:
We measure and summarize performance of the device to assist Operators in delivering better service.
While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.
“Having examined the Carrier IQ implementation it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous,” asserts Rebecca Bace of Infidel Inc., a respected security expert.
Privacy is protected. Consumers have a trusted relationship with Operators and expect their personal information and privacy to be respected. As a condition of its contracts with Operators, CIQ operates exclusively within that framework and under the laws of the applicable jurisdiction. The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities.
Carrier IQ is aware of various commentators alleging Carrier IQ has violated wiretap laws and we vigorously disagree with these assertions.
Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the Operators provide optimal service efficiency. We are deployed by leading Operators to monitor and analyze the performance of their services and mobile devices to ensure the system (network and handsets) works to optimal efficiency. Operators want to provide better service to their customers, and information from the device and about the network is critical for them to do this. While in-network tools deliver information such as the location of calls and call quality, they do not provide information on the most important aspect of the service - the mobile device itself.
Carrier IQ acts as an agent for the Operators. Each implementation is different and the diagnostic information actually gathered is determined by our customers – the mobile Operators. Carrier IQ does not gather any other data from devices.
CIQ is the consumer advocate to the mobile operator, explaining what works and what does not work. Three of the main complaints we hear from mobile device users are (1) dropped calls, (2) poor customer service, and (3) having to constantly recharge the device. Our software allows Operators to figure out why problems are occurring, why calls are dropped, and how to extend the life of the battery. When a user calls to complain about a problem, our software helps Operators’ customer service more quickly identify the specific issue with the phone.