2011-11-30



Back in October, a story ran on XDA Developers about software running on HTC Android phones called Carrier IQ (CIQ) that appeared to be collecting a fair amount of data about your device and not doing a good job of storing it securely.  Beyond your device ID, it collected phone numbers, geo-location and account names. Since that initial discovery, there’ve been reports of it being even more invasive, leading Carrier IQ to issue a Cease and Desist letter and denying what it does.

When Trevor Eckhart (TrevE) wrote about what he discovered, calling it a rootkit, Carrier IQ was quick to send a Cease and Desist letter, claiming that they don’t record as much information as TrevE is reporting.  That’s when the Electronic Frontier Foundation got involved on TrevE’s behalf.   CIQ quickly backed down and issued a press release stating that the CIQ software doesn’t do all that.  They claim they don’t record keystrokes, provide tracking tools nor inspect the content of your communications (emails and SMS).

Of course, that didn’t stop TrevE.  He’s just put out another video that appears to prove all those claims wrong.  In the video, TrevE is quick to point out that while he’s using an HTC phone, the software is also present on other devices.  People on XDA Developers have found it on a number of devices from multiple manufacturers.  The software appears to be embedded at the kernel level, making it almost impossible to completely remove.  In fact, while the IQRD app can be seen in the Android task manager, it’s impossible to issue a force quit on it.

YouTube video link

In the above video TrevE uses his factory reset HTC Android device to demonstrate what Carrier IQ does.  In the first few minutes, he actually sets up his phone to decline all geo-location services, as well as declines any geo-location, social networking  or OEM debugging information.  In short he runs the phone at a bare minimum, and uses Android’s USB debugging tool to see what’s happening on his phone.  CIQ’s IQRD application runs in the background and records the following…

geo-location of phone

hardware button presses

application launches

individual key presses

email and SMS content

data recording in a supposedly secure HTTPS session (recorded unencrypted by IQRD)

In short, it records just about everything you do with your phone, and that information is unencrypted.  While he presses keypad numbers to demonstrate that IQRD records the information, he doesn’t actually make a phone call.  The IQRD application does have permission to record audio on your phone though.

Since TrevE’s initial findings, the software has also been found Android devices by other manufacturers including Samsung, as well as on Blackberry and Nokia Symbian devices.  In fact, Carrier IQ’s home page shows a running total that as of this writing stated that it was on over 141 million phones, with a new device being added every second.  There’s no definitive list of partners available, but Carrier IQ is known to be on Sprint and Verizon phones, and Carrier IQ has partnerships with Vodafone Portugal as well as hardware makers NEC and Huawei.  Out of the other major OSes, it appears that both iOS and Windows Phone are free of Carrier IQ software. UPDATE: according to one blogger, CIQ is also on iOS devices, but he has posted an easy way to disable it, unlike Android.

From the Carrier IQ home page:

Carrier IQ is the leading provider of Mobile Service Intelligence Solutions to the Wireless Industry.  As the only embedded analytics company to support millions of devices simultaneously, we give Wireless Carriers and Handset Manufacturers unprecedented insight into their customers’ mobile experience.

Unprecedented sounds about right, when you record everything your phone does.  While I’m not implying that CIQ is doing anything malicious with the information, and Carrier IQ claims they don’t sell it to 3rd parties, I’m skeptical when I see the term “market researchers” in their press releases (PDF link).

Whenever you set up your phone with accounts, be it from the OS maker, hardware manufacturer, or a 3rd party app, you’re generally greeted with permissions pages, asking you whether the software can collect information.  You’re given the choice.  With CIQ, there’s no way to opt out, and since CIQ isn’t your carrier, the device maker or the OS maker, it’s unclear exactly what privacy policy this falls under.

Ultimately, end users should know what exactly their phones are logging, and what bits of privacy they’re giving up and to whom.  The very existence of Carrier IQ flies in the face of that.

Additional updates:  According to this Globe and Mail report, neither RIM nor any of the big three Canadian wireless carriers make use of the Carrier IQ service.

Show more