Dec 02, 2011

How much of a security risk is there due to Carrier IQ being installed on your mobile phone?

There is a lot of personal data on people's smartphones, at least if they use them like I do. Sprint and AT&T have said they don't look at messages, videos, photos, etc., which is good assuming it is true, but does Carrier IQ open your mobile up to being a target for hackers and the like? How much concern is reasonable over having software that logs everything you do from the websites you visit to the content of your text messages?

Well if it's an iPhone you can easily turn it off. It's more complicated though if you are using an Android phone.

Here's a good article that includes a video that covers what Carrier IQ can do.

Carrier IQ Video Shows Alarming Capabilities Of Mobile Tracking Software

"You may be aware of the growing controversy surrounding Carrier IQ, a piece of software found pre-installed on Sprint phones that, according to developers who have investigated, is capable of detecting, recording, and transmitting various user actions and inputs. Among the data CIQ potentially has access to are location, SMS, apps, and key presses.

News of the software has been percolating for months on development forums, but when Trevor Eckhart recently summarized his findings, he found himself facing a cease and desist while Sprint vigorously denied the charges, saying “We do not and cannot look at the contents of messages, photos, videos, etc., using this tool.”

The C&D was quickly retracted, but Eckhart has now released a video that seems to give the lie to both Sprint and Carrier IQ’s assurances."


I think it is reasonable that people are concerned about Carrier IQ basically opening up your smartphone to your provider. Think of it this way: would you be concerned if a 3rd party installed a keylogger on your device and had access to it anytime they wished? Well, Carrier IQ is worse than a simple keylogger:


"...available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device." http://androidsecuritytest.com/features/logs-and-services/loggers/carrie...


So your browsing history and log-in information including passwords are there for the taking? Ever do any online banking? Like the idea that your account number and login is within reach of the good people at AT&T, whenever they want it? Me neither. Oh sure, AT&T (I'm picking on them because I just wasted 30 mins with their "customer service" last week), good upstanding company that they are, assures us that they aren't using all the data they are able to access. Sure, for now. Maybe. Hmmm, wonder if there could be any dishonest employees at AT&T that may be less pure of intention....


I didn't sign up to have Big Blue Brother looking over my shoulder. I think it is eminently reasonable to expect companies to tell us exactly what data they are collecting and that they provide a robust opt-out option for data tracking. Their customers are people, not lab rats, but if you are going to treat customers as lab rats anyway, at least have the decency to be honest to them about what you are doing.

