Smartphone Invader Tracks Your Every Move - InformationWeek


Carrier IQ software, installed on more than 141 million mobile phones, tracks GPS location, websites visited, search queries, and all keys pressed.

Software on many smartphones is tracking every move and website visited, without the knowledge of the phone's user. And that information is being collected by a little-known company, which could be sharing it with law enforcement agencies without requiring a subpoena and without keeping a record of the query.

That's among the conclusions that can be drawn from the discovery of a rootkit that's running on a number of Verizon and Sprint phones, which tracks not just phone numbers dialed, but also the user's GPS coordinates, websites visited, keys pressed, and many website searches, according to security researcher Trevor Eckhart. He discovered the rootkit after tracing suspicious network activity in a data center that he manages, activity that he suspected was related to a virus infection.

But he traced the activity back to software made by Carrier IQ, which describes its "mobile service delivery" software as being a tool for measuring smartphone service quality and usage using software embedded in handsets. "The Carrier IQ solution gives you the unique ability to analyze in detail usage scenarios and fault conditions by type, location, application, and network performance while providing you with a detailed insight into the mobile experience as delivered at the handset rather than simply the state of the network components carrying it," according to the website.


Carrier IQ software runs on 141 million handsets. In the United States, it ships installed by default on many handsets sold via Sprint and Verizon, and runs on a number of platforms, including Android, BlackBerry, and Nokia smartphones and tablets. Rather than carriers using Carrier IQ software to collect data and then store it themselves, it appears that Carrier IQ handles both the data collection and related analytics. According to the company's privacy and security policy, "information transmitted from enabled mobile devices is stored in a secure data center facility that meets or exceeds industry best practice guidelines for security policies and procedures." The policy doesn't detail those policies and procedures.

Eckhart said in an interview that the software is often configured by carriers to hide its presence from users. That means it functions per the Wikipedia definition of a rootkit: "Software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." The software, however, doesn't have to be stealthy. Eckhart said that the default version of Carrier IQ "makes its presence known by putting a checkmark in the status bar," and can generate surveys if calls get dropped or browsers crash unexpectedly, to help engineers identify the underlying problem.

Still, after reviewing public-facing training videos he found online, Eckhart said he was alarmed to see just how much data was being gathered by Carrier IQ, and how easily it could be searched en masse--all of which makes him suspicious about how the data is being used. "If this was just legit use, say monitoring dropped calls, why would all on/off switches be stripped and made completely invisible? Users should always have an option to 'opt-in' to a program. There are obviously other uses," he said. "It is a massive invasion of privacy."

Carrier IQ makes the information it collects available to its customers via a portal. Eckhart said in a blog post that "from leaked training documents we can see that portal operators can view and [search] metrics by equipment ID, subscriber ID, and more." As a result, anyone with access to the portal can "know 'Joe Anyone's' location at any given time, what he is running on his device, keys being pressed, applications being used," he said.

Carrier IQ spokeswoman Mira Woods said, "Our customers select which metrics they need to gather based on their business need--such as network planning, customer care, device performance--within the bounds of the agreement they form with their end users. These business rules are translated into a profile, placed on the device which provides instructions on what metrics to actually gather."

She said that all collected data gets transmitted by Carrier IQ to carriers using a "secure encrypted channel," at which point they typically use it for customer service or analyzing network performance. "The further processing or reuse of this data is subject to the agreement formed between our customer and their end user (of the mobile device) and the applicable laws of the country in which they are operating," she said.

One concern for privacy advocates, however, is that carriers apparently share information of the type collected by this software freely with law enforcement agencies. Notably, research published by privacy expert Christopher Soghoian in 2009 found that Sprint had shared customers' GPS location information with law enforcement agencies more than 8 million times over a 13-month period. Sprint had also developed tools to automatically fulfill the large volume of law enforcement agency requests, which seem to occur in a legal gray area that results in none of the requests or shared data queries being recorded.

Comments
Aleee,
User Rank: Apprentice
3/22/2012 | 11:44:09 AM
re: Smartphone Invader Tracks Your Every Move
Smartphones use Carrier IQ software on their users' mobiles; they even see their contact list and chat log through this software. Their main intent in putting that software on user accounts is to analyze which region most of their customers are from and what kind of apps they like most. This helps these smartphone companies make their marketing plans. Most of the other companies are offering apps for different smartphones, like Blackberry Spy, which help them track down any person's activities.
k0nane,
User Rank: Apprentice
11/16/2011 | 6:45:57 PM
re: Smartphone Invader Tracks Your Every Move
Edit 8:39pm GMT-6 11/16/11:

Comment deleted.

EDIT 12/4/2011:

Hi InformationWeek readers! I originally deleted this comment after getting in touch with Mr. Schwartz about some items found in his original article, but removed a note about that after being made aware of the pricy lawsuit threats flung at my fellow developer. In order to protect myself, I chose to bide my time until the threats were made public, at which point there would be essentially no risk to others. I would like to thank Mr. Eckhart for voluntarily taking the risk upon himself, and the EFF for aligning with him. I did not have the protection of the EFF at the time, which influenced my decision.

I would like to note that I never "moved on" at any point - I have been continuing to look into Carrier IQ behind the scenes, and have been providing assistance as necessary to other prominent researchers.

I can be contacted regarding Carrier IQ and other issues via email at [email protected], via Twitter (@k0nane/@publik0) or via PM on irc.irondust.net. For members of the media, other contact methods are available upon request.