The Web is abuzz about a newly revealed privacy threat to smartphone users––a "keystroke logger" program from a company named Carrier IQ that constantly runs in the background, without the user's knowledge. The software records personal information and events ranging from phone numbers dialed to the content of text messages and information typed in to presumably secure websites.
Researcher Trevor Eckhart discovered the Carrier IQ software running on an HTC Evo smartphone from Sprint and posted a YouTube video detailing his finding. But Eckhart does not limit his finger pointing to this Android-powered smartphone. At the beginning of the video he states that the Carrier IQ software can also be found on BlackBerry and Nokia phones.
Yet beyond an esoteric fix suggested by Engadget––a solution that is beyond the capabilities of most consumers––it appears that there is little that average smartphone users can do to disable the Carrier IQ software on their devices right now.
Meanwhile, responses to the video have been numerous, and have been both supportive of Eckhart's finding and contrarian.
It has been reported by The Houston Chronicle and others, for example, that Carrier IQ denies the validity of Eckhart's video and wants additional third-party corroboration of his findings, that HTC says the software is installed because carriers want it to be, and that Sprint asserts no personal information is sent to the carrier because the software is used strictly to analyze cellular network performance.
In his Twitter feed earlier today, Verizon Wireless spokesman Jeffrey Nelson stated that the Carrier IQ software is not on any of that carrier's handsets. And Apple said in a statement sent today to the All Things D blog that it "stopped supporting Carrier IQ" in its latest iOS 5 mobile operating system "in most of our products" and plans to remove any remaining traces of the Carrier IQ software in a future iOS update. In its story, the Chronicle reported finding Carrier IQ in an iPhone running iOS 5, but said that it was disabled unless the user selected in the Settings menu to have the device send diagnostic data to Apple. In that case, Apple says, the data sent to the company is anonymized.
But Stephen B. Wicker, a professor of electrical and computer engineering at Cornell University in Ithaca, NY, and an expert in cellphone security technology, strenuously challenges the assertion that any such data is anonymous. "Carrier IQ claims that the collected data is 'anonymized.' Let's give this a moment's thought," he says. "How hard would it be to de-anonymize a pile of text messages between me and my wife? My mother? My children? Banking IDs with passwords? Since Carrier ID tracks keystrokes, it has the potential to capture passwords and banking data that are normally encrypted prior to transmission through the cellular network. This is my worst nightmare," he says.
Wicker's book "Cellular Convergence and the Death of Privacy" is scheduled to be published late next year by Oxford University Press. "When combined with the concept of cellular convergence––ever increasing numbers of information processing tasks performed on the cellular platform––Carrier IQ stands out as an immense threat to individual privacy," he adds. "As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention."
In fact, Sen. Al Franken (D-MN) today called on Carrier IQ to clearly explain the software and its privacy implications to consumers. In a statement on his website, Franken said, "Consumers need to know that their safety and privacy are being protected by the companies they trust with their sensitive information. The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer.”
See the video below for a full demonstration of how Carrier IQ is capturing information.
"Is my cell phone bugged?"
From Kevin D. Murray on December 02, 2011 :: 11:24 am
“Is my cell phone bugged?” is a question I hear all the time. Business clients to family members are concerned about spyware.
It prompted me to write a book called “Is My Cell Phone Bugged?” (published in June). It gives the average person simple diagnostic checklists and tests to perform so they can answer the question themselves. Other chapters demystify other spy tricks, and provide tips on bullet-proofing a smartphone against future attacks.
The top three tips:
• Start with a clean operating system.
• Password protect your phone.
• Never loan or let the phone out of your control.
Doing these three things alone will reduce the risk by about 75%.
Carrier IQ is now a known issue. At least, now you know who has your data, and why. The spies with less benign motives are the ones to worry about, and their software isn’t as easily exposed.
Kevin D. Murray - CPP, CISM
Eavesdropping Detection and Counterespionage Consulting Services to Business & Government.