
Friday, December 2, 2011

Blog

Carrier IQ scandal proves the value of hackers

By Rodney H. Brown

The rapidly building Carrier IQ phone spyware scandal proves one thing. We need hackers.

I won’t waste a lot of time describing the details of the Carrier IQ story — suffice to say that the company has put a piece of almost undetectable software on many phones sold by AT&T, Sprint and T-Mobile, and Apple’s iOS-based phones, that will track what seems to be every bit of activity on your phone and send it back to Carrier IQ, which in turn supplies some or all of that data back to the carriers.

If you think that sounds not only immoral but possibly illegal, you aren’t the only one. Apparently a pair of class action lawsuits were filed against Carrier IQ, HTC and Samsung Thursday, alleging violations of the Federal Wiretap Act. But the strong take-away here is that none of this would have come to light without the efforts of Connecticut IT guy Trevor Eckhart, who first discovered that something seemed to be tracking everything he did on his HTC Evo 3D phone last month. While Carrier IQ initially threatened Eckhart with legal action, it was hard to refute the 17-minute video he posted showing how the software tracked every single keystroke he made and every function he performed on the phone.

But why describe him as a hacker? Because the software from Carrier IQ is what is called a rootkit, meaning it functions at the level of the root kernel of the operating system, before any other action called for by the OS takes place, and allows access only to people who know it is there. So the only way to get at the root of most smartphones is to “root” them, or hack them. The OS on nearly all phones is locked down from people trying to make modifications to it beyond those allowed by the cell carrier or the phone maker – which, it turns out, is a great way to hide software used to spy on your users.

If it weren’t for the community of white-hat hackers who have been rooting smartphones since the first iPhone rolled off the assembly line, we might never have known about this invasion of our privacy. And make no mistake — an invasion is what this is. Even if we take those carriers that admit using Carrier IQ at their word that they don’t use any private data, Carrier IQ still collects it by capturing every single keystroke you make on your smartphone — your bank app password, your login ID for your corporate sales app — everything.

What is to prevent Carrier IQ from selling any of that data to interested parties? Worse, now that criminals know it is being collected at a convenient single repository, how long before Carrier IQ’s servers are riddled with more security holes than Swiss cheese?

I have had a number of background informational chats with tech executives about data security lately, and everyone I have talked to has said that they are really worried about the growth of the use of mobile devices, particularly in the enterprise and with financial information. Security in the mobile space is so far behind the already laughable security of a standard PC connected to the Internet, it makes most corporate IT executives shiver.

So, phone hackers, keep at it. If the ease with which the Murdoch newspapers in the U.K. were able to hack celebrity cellphones didn’t wake us up to the need to fix this problem, what people like Eckhart have done just might. It certainly woke up Sen. Al Franken, who has already asked for documents related to the matter from Carrier IQ to be brought before the Senate.

 

 
