Carrier IQ software, installed on more than 141 million mobile phones, tracks GPS location, websites visited, search queries, and all keys pressed.

Mathew J. Schwartz, Contributor

November 15, 2011

7 Min Read

10 Companies Driving Mobile Security

10 Companies Driving Mobile Security


10 Companies Driving Mobile Security (click image for larger view and for slideshow)

Software on many smartphones is tracking every move and website visited, without the knowledge of the phone's user. And that information is being collected by a little known company, which could be sharing it with law enforcement agencies without requiring a subpoena and without keeping a record of the query.

That's among the conclusions that can be drawn from the discovery of a rootkit that's running on a number of Verizon and Sprint phones, which tracks not just phone numbers dialed, but also the user's GPS coordinates, websites visited, keys pressed, and many website searches, according to security researcher Trevor Eckhart. He discovered the rootkit after tracing suspicious network activity in a data center that he manages, and which he suspected related to a virus infection.

But he traced the activity back to software made by Carrier IQ, which describes its "mobile service delivery" software as being a tool for measuring smartphone service quality and usage using software embedded in handsets. "The Carrier IQ solution gives you the unique ability to analyze in detail usage scenarios and fault conditions by type, location, application, and network performance while providing you with a detailed insight into the mobile experience as delivered at the handset rather than simply the state of the network components carrying it," according to the website.

[ Security is always a battle, but sometimes the good guys forge ahead. Read Duqu Malware Detection Tool Released. ]

Carrier IQ software runs on 141 million handsets. In the United States, it ships installed by default on many handsets sold via Sprint and Verizon, and runs on a number of platforms, including Android, BlackBerry, and Nokia smartphones and tablets. Rather than carriers using Carrier IQ software to collect data and then store it themselves, it appears that Carrier IQ handles both the data collection and related analytics. According to the company's privacy and security policy, "information transmitted from enabled mobile devices is stored in a secure data center facility that meets or exceeds industry best practice guidelines for security policies and procedures." The policy doesn't detail those policies and procedures.

Eckhart said in an interview that the software is often configured by carriers to hide its presence from users. That means it functions per the Wikipedia definition of a rootkit: "Software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." The software, however, doesn't have to be stealthy. Eckhart said that the default version of Carrier IQ "makes its presence known by putting a checkmark in the status bar," and can generate surveys if calls get dropped or browsers crash unexpectedly, to help engineers identify the underlying problem.

Still, after reviewing public-facing training videos he found online, Eckhart said he was alarmed to see just how much data was being gathered by Carrier IQ, and how easily it could be searched en masse--all of which makes him suspicious about how the data is being used. "If this was just legit use, say monitoring dropped calls, why would all on/off switches be stripped and made completely invisible? Users should always have an option to 'opt-in' to a program. There are obviously other uses," he said. "It is a massive invasion of privacy."

Carrier IQ makes the information it collects available to its customers via a portal. Eckhart said in a blog post that "from leaked training documents we can see that portal operators can view and [search] metrics by equipment ID, subscriber ID, and more." As a result, anyone with access to the portal can "know 'Joe Anyone's' location at any given time, what he is running on his device, keys being pressed, applications being used," he said.

Carrier IQ spokeswoman Mira Woods said, "Our customers select which metrics they need to gather based on their business need--such as network planning, customer care, device performance--within the bounds of the agreement they form with their end users. These business rules are translated into a profile, placed on the device which provides instructions on what metrics to actually gather."

She said that all collected data gets transmitted by Carrier IQ to carriers using a "secure encrypted channel," at which point they typically use it for customer service or analyzing network performance. "The further processing or reuse of this data is subject to the agreement formed between our customer and their end user (of the mobile device) and the applicable laws of the country in which they are operating," she said.

One concern for privacy advocates, however, is that carriers apparently share information of the type collected by this software freely with law enforcement agencies. Notably, research published by privacy expert Christopher Soghoian in 2009 found that Sprint had shared customers' GPS location information with law enforcement agencies more than 8 million times over a 13-month period. Sprint had also developed tools to automatically fulfill the large volume of law enforcement agency requests, which seem to occur in a legal gray area that results in none of the requests or shared data queries being recorded. Eckhart said the information being collected by Carrier IQ was even more expansive than what Sprint had shared in 2009. "We can see from the dashboard that GPS data can be viewed historically or in real time by date, time, whatever. That makes for a very efficient law enforcement portal, just like what's detailed being blatantly abused in Soghoian's article. It also relates to how Verizon is gathering info for their new ad tracking program," he said. "Things like exact keypress data being stored as well shows this. What use would what words I'm typing ever be to 'network performance'? Maybe words per minute would be useful, but it's not that--it's an exact record of what you are typing."

Verizon has publicly acknowledged that it uses Carrier IQ statistics, both for mobile usage information (device location, app and feature usage, and website addresses, which may include search string) as well as consumer information (use of Verizon products and services, as well as demographic information, such as gender, age, and dining preferences). It also offers customers a way to opt out of this usage.

Meanwhile, "Sprint is known to collect Carrier IQ data because users have the application running reporting to them, but have no privacy policy, retention policy, or public information on what they use the data for," said Eckhart.

But Sprint spokesman Jason Gertzen said via email that Sprint uses the information for diagnostic purposes. "Carrier IQ provides information that allows us to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring," he said. "The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint."

Deactivating installed Carrier IQ software can be difficult, at least as implemented by many carriers. While Samsung Android devices offer a somewhat hidden Carrier IQ on/off switch, HTC Android devices offer no such feature. Accordingly, if you buy an ex-Sprint phone off of eBay and Carrier IQ software is installed, you're being tracked, said Eckhart. But Carrier IQ's Woods said that her company's software is set to disable data collection if the device's SIM card or mobile carrier changes.

How can you determine if the software is running on a device? "Logging TestApp scanner will detect it in the kernel--use 'Check Props' feature--as well as files used in the regular Loggers scan," said Eckhart. He's the developer behind Logging TestApp, which can also be used to reveal the Carrier IQ menus often hidden by carriers when they roll out the application.

If Carrier IQ is found and isn't wanted, deleting it can also be difficult. "The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ," he said. "Logging TestApp can identify files used in logging and you can manually patch or use [the] Pro version to automatically remove [them]."

Android expert Tim Schofield has also released a YouTube video showing how to remove Carrier IQ from the Samsung Epic 4G running Android Gingerbread 2.3.5, but warned that it would require flashing the ROM. "What [Carrier IQ] does is log things you do and send it to Sprint, so it's like a spyware thing that you don't want on your phone," he said.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights