That's among the conclusions that can be drawn from the discovery of a rootkit that's running on a number of Verizon and Sprint phones, which tracks not just phone numbers dialed, but also the user's GPS coordinates, websites visited, keys pressed, and many website searches, according to security researcher Trevor Eckhart. He discovered the rootkit after tracing suspicious network activity in a data center that he manages, and which he suspected related to a virus infection.
But he traced the activity back to software made by Carrier IQ, which describes its "mobile service delivery" software as being a tool for measuring smartphone service quality and usage using software embedded in handsets. "The Carrier IQ solution gives you the unique ability to analyze in detail usage scenarios and fault conditions by type, location, application, and network performance while providing you with a detailed insight into the mobile experience as delivered at the handset rather than simply the state of the network components carrying it," according to the website.
[ Security is always a battle, but sometimes the good guys forge ahead. Read Duqu Malware Detection Tool Released. ]
Carrier IQ software runs on 141 million handsets. In the United States, it ships installed by default on many handsets sold via Sprint and Verizon, and runs on a number of platforms, including Android, BlackBerry, and Nokia smartphones and tablets. Rather than carriers using Carrier IQ software to collect data and then store it themselves, it appears that Carrier IQ handles both the data collection and related analytics. According to the company's privacy and security policy, "information transmitted from enabled mobile devices is stored in a secure data center facility that meets or exceeds industry best practice guidelines for security policies and procedures." The policy doesn't detail those policies and procedures.
Eckhart said in an interview that the software is often configured by carriers to hide its presence from users. That means it functions per the Wikipedia definition of a rootkit: "Software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." The software, however, doesn't have to be stealthy. Eckhart said that the default version of Carrier IQ "makes its presence known by putting a checkmark in the status bar," and can generate surveys if calls get dropped or browsers crash unexpectedly, to help engineers identify the underlying problem.
Still, after reviewing public-facing training videos he found online, Eckhart said he was alarmed to see just how much data was being gathered by Carrier IQ, and how easily it could be searched en masse--all of which makes him suspicious about how the data is being used. "If this was just legit use, say monitoring dropped calls, why would all on/off switches be stripped and made completely invisible? Users should always have an option to 'opt-in' to a program. There are obviously other uses," he said. "It is a massive invasion of privacy."
Carrier IQ makes the information it collects available to its customers via a portal. Eckhart said in a blog post that "from leaked training documents we can see that portal operators can view and [search] metrics by equipment ID, subscriber ID, and more." As a result, anyone with access to the portal can "know 'Joe Anyone's' location at any given time, what he is running on his device, keys being pressed, applications being used," he said.
Carrier IQ spokeswoman Mira Woods said, "Our customers select which metrics they need to gather based on their business need--such as network planning, customer care, device performance--within the bounds of the agreement they form with their end users. These business rules are translated into a profile, placed on the device which provides instructions on what metrics to actually gather."
She said that all collected data gets transmitted by Carrier IQ to carriers using a "secure encrypted channel," at which point they typically use it for customer service or analyzing network performance. "The further processing or reuse of this data is subject to the agreement formed between our customer and their end user (of the mobile device) and the applicable laws of the country in which they are operating," she said.
One concern for privacy advocates, however, is that carriers apparently share information of the type collected by this software freely with law enforcement agencies. Notably, research published by privacy expert Christopher Soghoian in 2009 found that Sprint had shared customers' GPS location information with law enforcement agencies more than 8 million times over a 13-month period. Sprint had also developed tools to automatically fulfill the large volume of law enforcement agency requests, which seem to occur in a legal gray area that results in none of the requests or shared data queries being recorded.
