Carrier IQ software accused of tracking phone users

Carrier IQ has been in the Internet spotlight in the last few days. The Mountain View, California based company creates software that is used in millions of smartphones, including Android and Blackberry-based devices. Carrier IQ claims the software is used to monitor "the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers."

But according to a security researcher who looked into the Carrier IQ software, it may be doing far more than that. The researcher, Trevor Eckhart, claimed that Carrier IQ's program was logging every keystroke made by a user on a smartphone that had the software installed. Indeed, he posted a video to YouTube that seems to show that Carrier IQ's application, IQRD, is logging every single button that is pressed into his HTC-based smartphone, even those buttons found on the phone's touch screen. Also, the program cannot be shut off by any known means without replacing the entire operating system.

At first, Carrier IQ objected to Eckhart's accusations and even sent him a cease-and-desist letter. However the company later pulled that letter and apologized to Eckhart. Carrier IQ still insists that its smartphone program does not log keystrokes or have any tracking tools. It also claims the program doesn't look at any email or text messages generated on smartphone nor does it provide any real time data from a user's smartphone to any of its customers.

Despite Carrier IQ's statements, the fact that the program cannot be shut off or deleted by a smartphone user without taking some drastic measures is troubling. So far, Carrier IQ has given no indication that a user can opt out of having that information gathered by the program.

Report a problem with article
Previous Story

Gaming news round-up: November 30

Next Story

Every Windows Phone now receiving Mango update

31 Comments

Commenting is disabled on this article.

I bet this software is the reason carriers always have to "approve" software updates on their Android phones: so they can add a rootkit to the ROM. Absolutely ridiculous.

So far, it seems to only affect US carriers. I guess that means we're safe up here in Canada. I wouldn't be surprised at all though if Rogers, Bell, and Telus included the software on their phones.

Samsung galaxy s2, sim free, O2 contract..no reference to iqrd in my phone.

Don't know whether to breath a sigh of relief or if it's just got a different name! I want that crap off my phone though.

"Worth noting that it appears that nothing gets submitted to Carrier IQ if you opt-out with the “Send Automatically” switch in Settings.

If there anything in Cell Phone contracts that even mentions this software and if not isn't that a violation of some privacy law somewhere.

Another comment I've read is that this is mistakenly being turned into Apple vs Android battle when it's not it's the mobile providers doing this. However my comment stands from earlier, Apple cache cell towers and that was the 2nd coming of the devil and the media jumps on it. Now it;s more than one company up to shenanigans media coverage has been distinctly ...meh

GawD DAMNIT Neowin. Where's the rest of the comment I wrote.... (2nd bleeding edit)

Edited by shifts, Dec 1 2011, 10:06am :

I wonder what all the Android fans and other Apple haters have to say about this. If you watch the video, you will be surprised how the software logs every keystroke. And messages sent over https are displayed in plain text. This is blatant logging and no wonder the company involved denies this, even after the video shows what is happening.

Being a fan of Android doesn't mean you hate Apple. Also, the Carrier IQ software is on hundreds of millions of devices which include Android, BlackBerry, and Nokia devices. The software is also found in various versions of iOS; however, it isn't as "bad" as other platforms. And from what I've read, no information is sent to Carrier IQ by default in iOS 5.

You can read more information about Carrier IQ in iOS here: http://blog.chpwn.com/post/13572216737

Drewidian said,
And yet the military chose to go with the least secure platform... SMH...

You really think the military has carrieriq on their approved devices? Dear god...

Yeah, it looks like Windows Phone 7 is 100% free of Carrier IQ. It looks like carriers and OEMs are responsible for bundling the software onto smartphones before selling them. Perhaps they don't have a version that's compatible with Windows Phone 7. Either that, or Microsoft simply won't allow any tracking/logging software on WP7 devices.

Anaron said,
Microsoft simply won't allow any tracking/logging software on WP7 devices.

That is not their own. I opt in to the customer experience improvement program all the time.

I'm amazed at the lack of outcry about this. "Apple's location brouhaha wasn't even about GPS data it was only a cache of cell tower locations. The problem isn't that the news media aren't sensationalizing this Carrier IQ story. The problem is that they would if it involved Apple."

Edited by shifts, Dec 1 2011, 9:06am :

shifts said,
I'm amazed at the lack of outcry about this. "Apple's location brouhaha wasn't even about GPS data it was only a cache of cell tower locations. The problem isn't that the news media aren't sensationalizing this Carrier IQ story. The problem is that they would if it involved Apple."


Well said. There would have been a huge outcry if this was happening on an iPhone.

Anaron said,
I don't think it's getting enough attention on the web. You'd think a story like this would go viral. After all, it's about privacy and it affects millions of people. It should be on the front page of every tech/mobile news site.

Also, here's the source of your quote: http://daringfireball.net/link...30/imagine-if-it-were-apple

I was having problems at the time of posting. Thanks for posting the link to the mighty DaringFireball

Edited by Yusuf M., Dec 1 2011, 10:54am :

shifts said,
I was having problems at the time of posting. Thanks for posting the link to the mighty DaringFireball
No problem. I also fixed your comment. You replied by typing inside the quote box. At first, it looked like you just quoted me without adding anything.

I think, for whatever reason, this isn't being reported because it's being done by service providers as opposed to manufacturers. This is obvious due to my HTC Desire Z from Bell Canada not having anything like this on it, despite being filled with other crap. For whatever reason, it seems the media isn't intent on calling out a company like AT&T, perhaps due to the massive lawsuits this could cause?

flexkeyboard said,
If you have carrier android and ios, then you know you're being tracked. Root it to remove it, up to the challenge?

I'd be up for the challenge if I was affected.

Its in my Samsung Galaxy S II (SGH-T989D..Telus Canada) which is identical to the T-Mobile T989. The rom developers have basically found that only the american models are affected by this garbage. There was a tiny amount in our Kernel but it was dormant.

My phone is currently giving 2.5 days of battery with moderate usage, vs the 12-24 hours before after stripping this malware out.

Imo, Jailbreaking/Rooting/etc is the only way to get good value out of a phone nowadays.

Anaron said,
How difficult was it to remove the Carrier IQ software?

Once rooted it's a 1 minute task to uninstall the apps. I personally didn't have to do it (UK) but it's relatively simple.

The article doesn't mention that, despite the CarrierIQ statement on SMS and calls, it has been shown in the video that, infact, IQRD logs them before they are even shown to the user.

Wow. This is kinda scary. From what I've read on the web, Google's line of Nexus phones (Nexus One, Nexus S, & Galaxy Nexus) don't have the Carrier IQ software. Also, Microsoft's Windows Phone 7 OS does not contain references to the software; however, Apple's iOS and most carrier-backed Android devices do. And aside from this article, I haven't read anything about the software on BlackBerry smartphones.

If all of this turns out to be true, then Carrier IQ and any carrier that adds the software to their phones should be held accountable.

Anaron said,
iOS and most carrier-backed Android devices do.

iOS includes a Carrier IQ daemon, but it doesn't seem to log any particularly sensitive information. Nothing gets submitted to Carrier IQ if you opt-out with the “Send Automatically” switch in Settings > General > About > Diagnostics & Usage. On iOS it even shows the logs it sends so you can examine what info is sent if you like.

parisp said,

iOS includes a Carrier IQ daemon, but it doesn't seem to log any particularly sensitive information. Nothing gets submitted to Carrier IQ if you opt-out with the “Send Automatically” switch in Settings > General > About > Diagnostics & Usage. On iOS it even shows the logs it sends so you can examine what info is sent if you like.

I read about that earlier. It's great that iOS has that option and it shouldn't send anything by default.