How stupid can cell carriers be? Really Stupid.
- 05 December, 2011 16:39
The recent revelation that most of us are carrying around smartphones with embedded rootkits is both surprising and not so surprising. It's surprising because it makes you wonder, "How stupid can the carriers be?" It's not surprising in that we know the answer to that.
Here's what the furor is all about: Back in March an Android software developer using the alias "k0nane" noticed something odd: His Sprint-supplied Samsung smartphone included some fairly well hidden software which was always started when the device was booted and was always kept running. Moreover, it was very hard to stop the code.
A bit more sleuthing revealed that the software is called Carrier IQ (supplied by a company of the same name) and is intended to provide wireless service providers with data about the performance of smartphones for planning and diagnostic purposes.
Unfortunately the depth of Carrier IQ's data collection isn't restricted to stuff that cell carriers could reasonably want to know. Oh no. The software can collect much more and relay it back to the Carrier IQ mothership.
In other words, this software is an out-and-out rootkit, a piece of code designed to be hidden and capable of monitoring everything that happens on a smartphone, including tracking which applications are run and for how long as well as logging texts and email sent, numbers dialed, XML data read, Web pages loaded ... you name it, Carrier IQ can detect and log it.
Initially, the full picture of what Carrier IQ could do was unclear, but one of its consequences was obvious: The code sucked up significant cycles, and killing it off significantly improved the device's battery life!
Over the following months people started to examine Carrier IQ in greater depth and discovered that its implementation was designed to be stealthy and that each vendor had customized the implementation on their own devices. As for what data was collected, that was driven by the carrier sending commands remotely to the devices!
If you are running enterprise IT and care about security and privacy, the revelation that all of your smartphones are effectively loaded with all-powerful, vendor-sanctioned rootkits has got to be pretty sobering. Not only has your carrier intentionally included a backdoor without telling you, but it has also created a potential entry point for hackers and malware that could capitalize on the logging services.
While collecting performance data makes sense for carriers, it's the scope of the data that can be acquired that has everyone so spun, and - and this is the biggie - the fact that you have not given your consent for this data to be collected!
What is the legal risk to all of the carriers that have deployed this software? They are guilty of the federal crime of unauthorized wiretapping and violation of privacy!
The enormity of this whole mess is just starting to become clear as the list of devices on which Carrier IQ can be found embedded includes products from Samsung, HTC, Nokia and RIM. According to the Carrier IQ web site, something north of 141 million smartphones are running their software! Can you say "class action"?
When there's such minimal real competition in the service provider market and such minimal external oversight on what the carriers can do, this is what happens. Anyone who thinks that the carriers don't need regulation and that the "free market" organically solves these kinds of problems is living in a dream world.
Gibbs has his data collected in Ventura, Calif. Tell him where you are spied upon at backspin@gibbs.com.
Read more about anti-malware in Network World's Anti-malware section.