As reported in Wired, a new report (together with a related video) shows how software called Carrier IQ is secretly installed on millions of cellphones, with no notice to the users. The software clearly seems to log virtually all actions of the user and deliver the information to the cellphone carrier.
Though the software is installed on most modern Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until 25-year-old Trevor Eckhart of Connecticut analyzed its workings, revealing that the software secretly chronicles a user’s phone experience — ostensibly so carriers and phone manufacturers can do quality control.
But now he’s released a video actually showing the logging of text messages, encrypted web searches and, well, you name it.
Eckhart labeled the software a “rootkit,” and the Mountain View, California-based software maker threatened him with legal action and huge money damages. The Electronic Frontier Foundation came to his side last week, and the company backed off on its threats. The company told Wired.com last week that Carrier IQ’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”
The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim.
So far it appears to be installed only on Android, BlackBerry and Nokia phones. How the functions of this software can be squared with so-called cellphone security and encryption is impossible to say. In other words, at least if you have one of the enumerated phones, your data is clearly at risk.
Update: References to Carrier IQ are contained in Apple’s iOS software on iPhones. However, it seems the software is not activated unless the iPhone is placed in diagnostic mode. From The Verge:
chpwn notes that initial research indicated that Carrier IQ’s software may only be active when the iPhone is in diagnostic mode. In a blog post, chpwn confirms that, based on his initial testing, Apple has added some form of Carrier IQ software to all versions of iOS, including iOS 5. However, the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default. Finally, the local logs on iOS seem to store much less information than what has been seen on Android, limited to some call activity and location (if enabled), but not any text from the web browser, SMS, or anywhere else. We’ll let you know when more details arise.
Update 2: From All Things D comes this statement from Apple:
We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
Update 3: And now, the lawsuits begin.