Dec 1, 2011

Carrier IQ Logging Software Found on Many Mobile Phones


Over the last couple of days, there has been a significant amount of press coverage of the findings of Trevor Eckhart, who exposed the presence of extensive logging software on many Android, BlackBerry and Nokia phones. A video showing the extent of the logging was posted and is summarized by PCWorld. The software, called "IQRD", is made by a company called Carrier IQ:

"After connecting his HTC device to his computer, Trevor found that IQRD is secretly logging every single button that he taps on the phone--even on the touchscreen number pad. IQRD is also shown to be logging text messages. 

In the video, Eckhart shows that Carrier IQ is also logging Web searches. While this doesn't sound all that bad by itself, it suggests that Carrier IQ is logging what happens during an HTTPS connection which is supposed to be encrypted information. Additionally, it can do this over a Wi-Fi connection with no 3G, so even if your phone service is disconnected, IQRD still logs the information."

It doesn't seem entirely clear what information is transmitted and used, though the presence of the software itself has generated many privacy concerns. Eckhart noted in his original findings that on his Android HTC phone, there was no way to turn off logging. He also notes that the Carrier IQ application is embedded so deeply that it can't be fully removed without rebuilding the phone from source code. Forbes is suggesting that the company may have even violated wiretapping laws based on its actions. Carrier IQ maintains that its actions are aimed at device performance only. 

Tonight iPhone developer @chpwn reported on Carrier IQ references in Apple's iOS as well, though its logging seems to be much more in line with Carrier IQ's official statements about device performance. Chpwn reports:

"Importantly, it does not appear the daemon has any access or communication with the UI layer, where text entry is done. I am reasonably sure it has no access to typed text, web history, passwords, browsing history, or text messages, and as such is not sending any of this data remotely."

The information logged for iOS seems limited to phone call activity and location (if Location Services are enabled). Also, unlike on Eckhart's HTC, iOS users can opt out of these diagnostics by going to Settings -> General -> About -> Diagnostics & Usage -> Don't Send. The diagnostic data that is actually logged appears to be fully accessible for perusal in that same settings menu.

TUAW describes the iOS findings as "probably benign" and consistent with expected network performance diagnostics.



