Android researcher: Carrier IQ 'diagnostic' tool really a rootkit spy

A researcher claims software installed on many smartphones could be used to obtain sensitive information on users. Carriers deny the possibility.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Carrier IQ markets its software as a "mobile service intelligence solution" on its Web site. "We give wireless carriers and handset manufacturers unprecedented insight into their customers' mobile experience." Carrier IQ

Android developer Trevor Eckhart recently noticed something odd on several EVO HTC devices: hidden software that phoned home to the carrier with details about how the phone was being used and where it was.

The software, Carrier IQ, tracked the location of the phone, what keys were pressed, which Web pages were visited, when calls were placed, and other information on how the device is used and when.

Eckhart discovered that Carrier IQ can be shown as present on the phone to users or configured as hidden, which was the case on the HTC phones he analyzed. And he found what he described as "leaked training documents" that indicate that carriers can view customer usage information via a remote portal that displays devices by equipment ID and subscriber ID.

"The only way to remove Carrier IQ is with advanced skills," Eckhart wrote in a report, published on the Web on Monday. "If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ."

Sprint, meanwhile, "has no privacy policy, retention policy, or public information on what they use the data for," Eckhart wrote.

HTC Android devices have no on-off switch for Carrier IQ, while Samsung devices do, but it is not easily accessible or pointed out to users, he said.

Because customers do not give explicit permission for this data collection and don't even know this software is on their phones, and they can't opt out of it, Eckhart says it is a clear privacy violation. He likens Carrier IQ to malware.

"Carrier IQ is rootkit software," he wrote in his report. "It listens on the phones for commands contained in 'tasking profiles' sent a number of ways and returns whatever 'metric' was asked for."

According to Wikipedia, a rootkit is software "that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." Typically, hackers install a rootkit onto a target system by exploiting a software vulnerability or using a stolen password. Rootkits are characterized by stealth and malicious purpose.

Definitions aside, the types of data gathered are enough to set off alarms for privacy-minded folk.

"If it's just for 'network performance' why wouldn't they give users a choice?" Eckhart said in an e-mail to CNET late last night. "Any program logging this extent of personal information should always be opt-in."

A Sprint spokesman provided a general statement about the use of Carrier IQ, but did not respond to follow-up questions about whether customers know about the data collection and why they can't opt out. Here is the Sprint statement:

"Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint.

"Sprint maintains a serious commitment to respecting and protecting the privacy and security of each customer's personally identifiable information and other customer data. A key element of this involves communicating with our customers about our information privacy practices. The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service."

Carrier IQ representatives said the data carriers collect with their software has a legitimate purpose and is handled responsibly.

"We are collecting information that would be regarded by most people as sensitive," Andrew Coward, vice president of marketing for Carrier IQ, told CNET today. "So we work within the network of the operator or in the facilities [they approve] and which are up to their standards as far as data retention" and encryption.

Mountain View, Calif.-based Carrier IQ launched six years ago expressly to offer software that serves as an "embedded performance management tool," he said.

"This has caught us off guard in that the technology has been around a long time," he added. "We're in the business of counting things that happen on the phone to help carriers improve service."

For example, knowing exactly where a phone call was dropped can help a carrier identify network troubles in a geographic location. "We do want to know when you've had a dropped call, if an SMS didn't work and if you've got battery life problems," Coward said.

Information on keys that are pressed and how many times the phone is charged can provide activity information over the life of a phone, which is important for device manufacturers, he said.

"We are not interested and do not gather the text or the text message and do not have the capacity to do that," he said. Processing specific data like that from millions of devices would be impractical to do, he said.

In addition, the data logged is not real-time in Carrier IQ, which diminishes its usefulness, and carriers have other ways of getting sensitive user data if they want, according to Coward.

"You can't make a phone call on the mobile network without them knowing where you are," he said. "Our customers believe that they have obtained permission from their customers to gather this performance data."

But Eckhart questioned the legality of carriers collecting keypresses and some of the other information. "As far as Sprint, the data they are logging is very personal," he said in his e-mail. "How do we know who is getting this? Every customer service personnel? Law enforcement? Is my location and browsing history stored forever?"

It's unclear which devices have Carrier IQ software installed. Coward said Carrier IQ is used by more than a dozen device manufacturers, on devices including smartphones and tablets, but he declined to name the companies or devices.

Eckhart names HTC, Samsung, Nokia, BlackBerry, Sprint, and Verizon in his report on Carrier IQ. HTC did not respond to requests for comment and a Samsung representative said she would try to get comment. But a Verizon representative said the company does not use Carrier IQ on its devices and Coward confirmed that. (Eckhart's report linked to a Verizon Web page that talks about collecting data on phone location, Web sites visited and other information.) Eckhart did not immediately respond to e-mails and phone calls seeking a follow-up interview today.

In the paranoid world of security researchers, the notion of privacy is nine-tenths perception and potential. Carriers should make it clear what data they are collecting and what benefit doing so provides to the customers. And, if possible, it should be opt-in.