Is Carrier IQ a keylogger installed on 145 million phones?

by Kieran Healy on November 30, 2011

While you have to ask carefully if you want family-planning advice from Siri, owners of Android, BlackBerry and Nokia phones may be facing other problems. According to this report in Wired, Trevor Eckhart, a security researcher in Connecticut, has found that third-party performance- and usage-monitoring software installed by default on millions of Android-based handsets sees every user action and—possibly, because I’m not sure based on the video whether this part has been demonstrated—logs and transmits it to the software maker, Carrier IQ. A video made by Eckhart (see below) shows the Carrier IQ process seeing Eckhart’s Google search of “hello world.” David Kravets’ Wired Story continues:

That’s despite Eckhart using the HTTPS version of Google which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. Cringe as the video shows the software logging each number as Eckhart fingers the dialer. “Every button you press in the dialer before you call,” he says on the video, “it already gets sent off to the IQ application.” From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret.

This is frankly astonishing if it turns out to be true. Carrier IQ’s own website proudly announces, via a rolling counter on its front page, that it is installed on over 141 million phones. If they are logging and especially sending any data of this sort of granularity back to Carrier IQ’s servers routinely—text messages, web searches, numbers dialed—it’s hard to see how this won’t be an enormous scandal. You may recall Apple’s Locationgate scandal earlier this year, when it was found that iPhones were locally caching fairly coarse-grained location data based on cell-tower proximity (though not sending that data back to Apple). This seems orders of magnitude more severe than that—real tinfoil-hat stuff.

A Carrier IQ press release from earlier this month denies that their software is logging or transmitting keystrokes or user actions in this sort of detail:

Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices – feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment. While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3 parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.

This denial was explicitly reiterated by the company in a release retracting a cease-and-desist letter to Eckhart that it had issued in response to some of his earlier work.

The video does appears to show that, at a minimum, Carrier IQ’s software has access to the user’s searches, text messages, and other keystrokes. (Skip to 8:40 or so for the guts of the demonstration.) The real question now is determining what the application does with that sort of access—how much of the user’s behavior is actually logged, at what level of detail that logging happens, and what is subsequently transmitted anywhere. This is what’s still not clear to me from the video. Automatic third-party access to all user actions, even if there is subsequent picking-and-choosing about what to log and what to send, seems bad enough in the absence of explicit permission from the user. And of course if Carrier IQ’s software turned out to actually be transmitting much or all of what it saw—well it’s hard to see how that would be legal. So I await further developments with interest.

{ 29 comments }

1

Adam 11.30.11 at 8:14 pm

I’m surprised this was able to be installed on millions of phones without being found out before now.

2

Tim Worstall 11.30.11 at 8:22 pm

The comments section at El Reg is interesting on this.

http://forums.theregister.co.uk/forum/1/2011/11/30/smartphone_spying_app/

3

Watson Ladd 11.30.11 at 8:33 pm

The customer is of course the telephone carrier, not the person with the phone. I blame the US market for cellphones: because most cellphones are issued by the carrier, they view this as their revenue stream, not actually selling minutes.

4

rageahol 11.30.11 at 9:25 pm

“By the way, it cannot be turned off without rooting the phone and replacing the operating system.”

pwned.
thank FSM for CyanogenMod.

5

Randolph 11.30.11 at 10:01 pm

Under what law is it illegal?

There is also HtcLogger, see.

6

PD 11.30.11 at 10:28 pm

@ Randolph – The Electronic Communications Privacy Act of 1986

7

dangermouse 11.30.11 at 10:50 pm

Under what law is it illegal?

Nonsequitur says what

8

Billikin 11.30.11 at 11:42 pm

“This is frankly astonishing if it turns out to be true.”

Not to me. {sigh}

9

Satan Mayo 12.01.11 at 12:57 am

Paraphrases:

Comment 2: “Well, of course this is going to happen in this sort of business model.”

Comment 3: “Fortunately, techno wizards like myself can find ways around this. Problem solved.”

Comment 4: “Well, of course this is going to happen. It’s not illegal.”

Comment 6: “Sigh, of course this is going to happen. What kind of naive person would be surprised?”

10

Satan Mayo 12.01.11 at 1:02 am

“2” is now 3. “3” is now 4. “4” is now 5. “6” is now 8.

11

john b 12.01.11 at 1:25 am

So this summarises as “Mobile phone operators install software on users phones that helps them monitor the performance of their network; paranoid loonies have a toy-pram-throwing party”, right?

12

Kieran Healy 12.01.11 at 1:53 am

right?

No. As Gruber suggests, “From what I can see, Eckhart’s picture of exactly how Carrier IQ works is incomplete. But I’m pretty sure he’s onto something here. The best-case scenario he paints is still rather alarming. The worst-case scenario is that people working at your phone carrier, using Carrier IQ’s portal software, can watch what you’re doing on your phone as you do it.”

13

polyorchnid octopunch 12.01.11 at 1:58 am

Finding out what it’s sending shouldn’t be too difficult. If you have root on the phone I’m sure software can be built to tell you exactly what’s going out over the wire… a custom set of ssl libraries would almost certainly do the job. The person doing it would have to be an expert in that area, but it’s not like they don’t exist. Heck, depending on how they have it set up, running something like tshark on the router may tell you everything and would tell you a lot.

There are plenty of ways to monitor network performance that are completely adequate to the job of managing capacity and efficiency that don’t require logging access to the hosts that in the final analysis are not the property of the carrier. However, I can see how this tool might allow them to cut labour costs for the people that you have to have keeping an eye on things. That could be the motivation… or at least is one of them.

That said, (and this is mostly aimed at johnb) there is a wide swath of people who seem to care deeply if the state knows anything about them but don’t seem to have any problems with the almost constant examination of their personal lives that occurs by private parties. I’m not any more comfortable about privately owned non-human persons having all that data on than the ostensibly publicly owned non-human person called the state having it… and in some ways a lot less comfortable. At least I can exert some influence on the state at the ballot box, or by joining a party.

We’re about to get a set of terrible laws around that stuff in my country. Just terrible. Go google “Canada bill c-10″, especially the parts about mandatory police access for ISPs.

14

Down and Out of Sài Gòn 12.01.11 at 2:44 am

That said, (and this is mostly aimed at johnb) there is a wide swath of people who seem to care deeply if the state knows anything about them but don’t seem to have any problems with the almost constant examination of their personal lives that occurs by private parties.

Especially private parties in foreign countries like the United States.

15

The Raven 12.01.11 at 4:22 am

’twasn’t my intention to make excuses for this–it’s noxious. I’m just not sure it’s illegal.

“All your passwords are belonging to us?”

16

Curmudgeon 12.01.11 at 5:28 am

I’m amazed that anyone would be surprised by this. Walled garden devices that don’t allow administration by the user must have administration backdoors that give the service provider unlimited access to the device and any data it contains. There’s nothing stopping any service provider from pushing a firmware or OS update that mines user data any time they feel like it and no reason to assume they wouldn’t mine user information the moment management decided it was profitable to do so.

17

daelm 12.01.11 at 6:30 am

“pwned.
thank FSM for CyanogenMod.”

+1000

18

Matt 12.01.11 at 7:10 am

That said, (and this is mostly aimed at johnb) there is a wide swath of people who seem to care deeply if the state knows anything about them but don’t seem to have any problems with the almost constant examination of their personal lives that occurs by private parties.

People who feel this way should consider that law enforcement agencies in the USA and likely elsewhere can ask for that privately collected data any time they like. A lot of businesses don’t even have enough spine to require a court order to hand over such data. The private panopticon is just one small step away from being an off-the-books extension of the government panopticon.

19

maidhc 12.01.11 at 9:28 am

One thing that has been mentioned is that it’s only because Android provides more user control than other phones that he was able to detect and potentially neutralize it. On a Blackberry or iPhone you might not even be able to see it was there. 140 million phones is more than the number of phones on which it’s been found so far.

Another report says that removing Carrier IQ has a noticeable effect on battery life.

20

Alex 12.01.11 at 10:33 am

This story has been running for a little while. Unrelatedly, my HTC Wildfire S ate its SD card today, so I may get enough tuit to reflash it with Cyanogen and incidentally dispatch CarrierIQ and HTCLogger.

21

Kieran Healy 12.01.11 at 11:58 am

On a Blackberry or iPhone you might not even be able to see it was there.

As it turns out, a version of the software is installed on iOS, too, but you’re asked whether you want it to send diagnostic information when setting up the phone and you can disable it whenever you like through a preference option. It also seems not to log any especially sensitive information.

22

Martin Bento 12.01.11 at 9:48 pm

While we’re noticing “paranoid fantasies” that are actually true, the US Senate is trying very hard to expand War on Terrorism rules – no trial, no lawyer, no right to ever be freed, etc. – to US soil and US citizens. Trying hard as in 60 Senators explicitly voted not to strike the specific provision. To his great credit and my surprise, Obama has promised a veto, and most of the TLA bigwigs are coming out opposed. But the issue and the determination behind it are very scary.

http://www.slate.com/articles/news_and_politics/jurisprudence/2011/11/citizen_detainment_why_is_the_senate_so_determined_to_allow_the_u_s_military_to_arrest_and_detain_americans_.single.html

23

Watson Ladd 12.02.11 at 6:22 am

Matt,

The issue isn’t “what can the state find out about me?”. Clearly everything if they have a good enough reason. The issue is “how easy is it to round up all the X for unpopular group X?”. No matter how much information private businesses have, they remain unable to commit genocide. Now, this intuition might have been truer in the days of the telephone as the most advanced networking technology, but the idea behind it is sound. We cannot live without social interactions that reveal things about us. How do we deal with a world in which those traces can be largely reassembled? One way is restricting the power of those who do the assembly.

24

novakant 12.02.11 at 12:27 pm

To his great credit and my surprise, Obama has promised a veto

Well, Obama has already executed a US citizen without trial, not to speak of all the foreign nationals that the US military and intelligence services kill on a regular basis.

25

Martin Bento 12.02.11 at 7:25 pm

True. Nonetheless, he does appear to be willing to prevent it becoming routine, at least if the top brass back him up on it. We’ve seen three big veto threats from Obama lately: this one, full extension of Bush tax cuts, and modify the sequester (meaning, remove the military cuts). The threat would probably be enough, but would he actually follow through if he had to? If so, I would say the need for re-election has greatly improved the man, and I can now support him again, though with a wary eye.

Not meaning to derail the thread, but it seems to have petered out anyway.

26

Andrew F. 12.03.11 at 1:29 pm

Privacy laws in the US seem to be about three decades behind the technology. And while privacy vis-a-vis the government has long been a well examined subject of policy debates and actions, I don’t think that privacy vis-a-vis business has received anywhere close to sufficient policy attention or action.

I am far more confident in my protections against privacy intrusions by the government than the intrusions of various businesses who bury the consumer in unread User Agreements.

Lawsuits against this company have undoubtedly already been filed, and sadly I’m dubious as to their ultimate merit.

27

ba 12.03.11 at 1:33 pm

Martin Bento,
Greenwald reckons Obama’s translation of already extant provisions already permits him to do much of what the new ones would. He can be overlord of all in the planet, without this.

He is posturing for the election.

28

Nuremburg Judge 12.03.11 at 10:10 pm

“This denial was explicitly reiterated by the company in a release retracting a cease-and-desist letter to Eckhart that it had issued in response to some of his earlier work.”

The scary thing is, they actually tried to silence the guy by threatening him with lawyers.

29

Shining Raven 12.04.11 at 10:43 pm

The scary thing is, they actually tried to silence the guy by threatening him with lawyers.

But of course they only did it to help him evaluate his communications performance under unfavorable circumstances – that’s what they do as an analytics and communications consulting company. And they haven’t even charged him any money for their services!

Comments on this entry are closed.