Carrier IQ Spyware Discovered in Millions of Phones

A member of the XDA Developer community has uncovered a hot potato that now has Senator Al Franken seeking answers from Carrier IQ over its mobile software and reported data collection.

Your iPhone, Nokia, BlackBerry or Android device may or may not have keystroke-sniffing software called Carrier IQ embedded at the root. If the software does reside on your device, then it may be secretly creating logs of everything that's happening on the smartphone at the kernel level, tracking every text message and naughty schoolgirl image sent and received on the device. If the software isn't present, then there's nothing to worry about... at least, for now.

According to Verizon Wireless, it doesn't install Carrier IQ's software on its devices, Nokia claims that its phones have never used the spying rootkit, and RIM denies any installation of the software on its BlackBerry line. The Google Nexus One, Nexus S, Galaxy Nexus, and the original Xoom tablet reportedly do not contain Carrier IQ software either, leading to speculation that -- at least for Android-based devices -- the addition of Carrier IQ comes from OEMs and carriers after Google open-sources Android's code.

What is it?

So what's Carrier IQ and how did it become such a big deal in such a short span of time? Good question. 25-year-old XDA Recognized Developer and IT Director Trevor "TrevE" Eckhart went public with his discovery of Carrier IQ in a 17 minute video released on Tuesday. The demonstration clearly shows every keystroke being sent to the embedded application before a test message, phone call, or Internet data packet leaves the device.

But the controversy surrounding the software began towards the end of October. He discovered the use of Carrier IQ while uncovering holes in HTC's handsets via his own HTC Evo, and then found the rootkit residing on HTC, Nokia, RIM and Samsung devices. Sprint states that the software is used to understand what problems customers are having with the network or devices so the wireless carrier can take action to improve service quality.

"It collects enough information to understand the customer experience with devices on our network and how to devise solutions to use and connection problems," the company said. "We do not and cannot look at the contents of messages, photos, videos, etc., using this tool."

The Carrier IQ website claims that the program has been installed on more than 140 million devices.

According to Eckhart, the stock version of Carrier IQ has surveys users can fill out if they get a dropped call, if the browser ends unexpectedly and so on. It makes its presence known by putting a checkmark in the status bar, meaning by default it's not secretly residing underneath OS layers like a predator waiting to gobble up your information. It's out in the open and in your face.

"This could potentially be pretty useful information from a network administration standpoint, and is made clear to users its running," Eckhart said in his blog. "Unfortunately this is not always the real world case, it can be modified to be completely hidden."

"Carrier IQ is able to query any metric from a device," he added. "A metric can be a dropped call because of lack of service.  The scope of the word metric is very broad though, including device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device."

He goes on to note that the menus and surveys are completely stripped out in the HTC version, making it impossible for the end user to understand. Ever more, the opt-out feature in the unaltered version is missing, meaning users have no choice but to allow the application to collect the data which will reportedly be sold off to third parties. The application can't even be uninstalled unless the device itself is rooted (mirroring typical OEM and carrier bloatware).

In an initial report from the XDA Developers called "The Rootkit Of All Evil - CIQ," Verizon has reportedly provided customers with the option of opting out of the sale of personal data, but not the collecting aspect. Sprint has denied the existence of Carrier IQ's software on its phones, but then said that it can still collect data from users who purchase a Sprint phone from eBay and use its solely on Wi-Fi without activating service.

The response

Once news stemming from Eckhart and XDA Developers's revealtion began to circulate, Carrier IQ posted a public response (pdf), claiming that it collects only limited "operational information" on devices for its carrier customers. The company also sent Eckhart a Cease and Desist letter (pdf), accusing him of using and redistributing copyrighted and confidential materials without authorization. The company also wanted him to post a public apology stating that all of his findings were essentially wrong.

"We demand that you remove such allegations from the web and cease and desist from making any allegations or passing any false and unsubstantiated public comment directly or indirectly on our company, products, services or companies who use our technology," the letter reads. It goes on to state that he has 24 hours to comply or else he will be sued for up to $150,000, the allowed maximum allowed under U.S. copyright law per violation.

Smelling foul play, the Electronic Frontier Foundation jumped to Eckhart's aid which enabled him to upload his video demonstration to YouTube (seen below). The EFF fired back to Carrier IQ (pdf) saying that the materials in question are freely available to the public on the Internet, and that their claims against Eckhart "are entirely baseless."

"Mr. Eckhart used and made available these materials in order to educate consumers and security researchers about the functionality of your software, which he believes raises substantial privacy concerns," the EFF's letter reads. "Mr. Eckhart’s legitimate and truthful research is sheltered by both the fair use doctrine and the First Amendment."

The EFF goes on to state that, because Carrier IQ failed to back its claims of false allegations, that the information provided in Eckhart's findings are likely true. "If you are able to specify any statement that you believe is false, Mr. Eckhart will be happy to provide you with the documentation of that finding," the letter reads. "Moreover, your client is a public figure. Under well-established Supreme Court precedent, commentary and criticism regarding Carrier IQ’s professional activities receive additional protections under the First Amendment, because there is a heightened public interest in facilitating such speech."

"Given that there is no basis for your legal claims, we must conclude that your threats are motivated by a desire to suppress Mr. Eckhart’s research conclusions, and to prevent others from verifying those conclusions."

Carrier IQ followed up with a public apology to Eckhart (pdf), saying that it "would have been better served by reaching out to Mr. Eckhart to establish a dialogue in the first instance."

Is it wiretapping?

Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School, told Forbes that the findings have enough ground to file a class action lawsuit based on a federal wiretapping law.

"If Carrier IQ has gotten the handset manufactures to install secret software that records keystrokes intended for text messaging and the Internet and are sending some of that information back somewhere, this is very likely a federal wiretap," he said. "And that gives the people wiretapped the right to sue and provides for significant monetary damages."

The iPhone has it too

While most of the coverage over the last month has centered on Android, BlackBerry, Symbian and webOS handsets, a report surfaced that signs of Carrier IQ can be found in Apple's 3.1.3 and later. The rootkit was discovered by well-known iPhone hacker Chpwn who later said it's present in all versions of iOS, even iOS 5. The Verge backs up this claim -- at least with iOS 3.1.3 -- reporting that references to Carrier IQ's servers reside in a file located at /usr/bin/IQAgent. There are also references to an IQAgent log on the device as well as references to collector.sky.carrieriq.com.

In a post at MacRumors, forum member Intell points to Carrier IQ references in iOS 4.0 and 5.0 "On iOS 4 or greater, open the /usr/bin/awd_ice2 or awd_ice3 file in TextEdit and search for the following phrase carrieriq.com," the forum post reports. "You'll come across many references to http://collector.sky.carrieriq.com:7001/collector and other Carrier IQ sites. On iOS versions older then iOS 4, the binary file to search is IQAgent. To disable this on iOS, remove the following LaunchDaemons from /System/Library/LaunchDaemons/ if you have them: com.apple.iqagent.plist, com.apple.awd_ice2.plist, and com.apple.awd_ice3.plist. This applies to the iPad, iPhone, and iPod Touch."

But there's good news for iPhone owners: Carrier IQ can be disabled. "Up through and including iOS 5, Apple has included a copy of Carrier IQ on the iPhone," chpwn writes in his blog. "However, it does appear to be disabled along with diagnostics enabled on iOS 5. Older versions may send back information in more cases. Because of that, if you want to disable Carrier IQ on your iOS 5 device, turning off 'Diagnostics and Usage' in Settings appears to be enough."

Full disclosure

Now we've come to the conclusion of this story... at least for now. The latest installment of the Carrier IQ saga sees Senator Al Franken, Chairman of the Senate's subcommittee on Privacy, Technology, and Law, sending a letter to Carrier IQ's CEO (pdf) asking what the software actually does. More specifically, he wants to know what it collects, what it sends, where it sends the data, how long the data is stored once it's received, and how the data is protected once stored.

"Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information," said Sen. Franken. "The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer."

The senator is giving Carrier IQ until December 14, 2011, to answer his questions. Until then, we'll likely hear more about the software and additional responses from the company. In the meantime, Android device owners can check to see if Carrier IQ is installed on their device (despite what carriers and manufacturers may say) by downloading this app developed by Eckhart. Unfortunately, it only works on rooted devices.

"This app has started to turn into a full security suite," he states. "It can be used to verify what logging is being done on your phone and where data is going to. It will assist you in manually removing parts you do not running, or you can go pro for automatic everything (and support me)." 

Update

Read the latest update on the Carrier IQ saga here.

_{(Spying man image from Shutterstock)}