The recent revelation that most of us are carrying around smartphones with embedded rootkits is both surprising and not so surprising. It's surprising because it makes you wonder, "How stupid can the carriers be?" It's not surprising in that we know the answer to that.
Here's what the furor is all about: Back in March an Android software developer using the alias "k0nane" noticed something odd: His Sprint-supplied Samsung smartphone included some fairly well hidden software which was always started when the device was booted and was always kept running. Moreover, it was very hard to stop the code.
A bit more sleuthing revealed that the software is called Carrier IQ (supplied by a company of the same name) and is intended to provide wireless service providers with data about the performance of smartphones for planning and diagnostic purposes.
Unfortunately the depth of Carrier IQ's data collection isn't restricted to stuff that cell carriers could reasonably want to know. Oh no. The software can collect much more and relay it back to the Carrier IQ mothership.
In other words, this software is an out-and-out rootkit, a hidden piece of code designed to be hidden and capable of monitoring everything that happens on a smartphone, including tracking which applications are run and for how long as well as logging texts and email sent, numbers dialed, XML data read, Web pages loaded ... you name it, Carrier IQ can detect and log it.
Initially a complete picture of what Carrier IQ could do was unclear, but one of its consequences was: The code sucked up significant cycles and killing it off made a significant improvement to the device's battery life!
Over the following months people started to examine Carrier IQ in greater depth and discovered that its implementation was designed to be stealthy and that each vendor had customized the implementation on their own devices. As for what data was collected, that was driven by the carrier sending commands remotely to the devices!
If you are running enterprise IT and care about security and privacy, the revelation that all of your smartphones are effectively loaded with an all-powerful, vendor-sanctioned rootkits has got to be pretty sobering. Not only has your carrier intentionally included a backdoor without telling you, but they've also created the potential for an entry point for hackers and malware that could capitalize on the logging services.
While collecting performance data makes sense for carriers, it's the scope of the data that can be acquired that has everyone so spun, and - and this is the biggie - the fact that you have not given your consent for this data to be collected!
Sign up for CIO Asia eNewsletters.