The bad news is that yes, Carrier IQ is running on iPhones right now, as we speak. Carrier IQ, you’ll recall is the rootkit that Carriers put on many of their phones to monitor customer usage. As a security researcher found out, Carrier IQ monitors keystrokes and sends that back to its own servers. On Apple’s devices, it appears to have been cut off from such activities. Developer chpwn breaks it down:
Carrier IQ, the now infamous “rootkit” or “keylogger”, is not just for Android, Symbian,BlackBerry, and even webOS. In fact, up through and including iOS 5, Apple has included a copy of Carrier IQ on the iPhone. However, it does appears to be disabled along with diagnostics enabled on iOS 5; older versions may send back information in more cases. Because of that, if you want to disable Carrier IQ on your iOS 5 device, turning off “Diagnostics and Usage” in Settings appears to be enough.
So it appears that on iOS it stores less information, and it doesn’t seem to be sending anything as long as ‘Diagnostics and Usage’ (iOS 5) is turned off – which is the default (you are asked to enable it during the iOS5 setup). On older versions of iOS, especially v3, it appears to be sending data without a toggle.
Verizon representatives have said that they do not run Carrier IQ on their devices which include iPhones, iPads, and Android, Blackberry and other devices. Other carriers have yet to make a statement on the matter but Carrier IQ brags on its homepage that it tracks information on 141 million devices (and counting) which is about half of the US population.
On iPhones where Carrier IQ is activated, it appears to send the following information back to the servers:
- your phone number
- your carrier
- your country
- active phone calls
- (However, I only saw it noting that a phone call was active, not what number was dialed or it was received from. But, I am not going to claim it doesn’t do that: it’s certainly possible, but didn’t see it.)
- your location (Only, however, if Location Services are enabled.)
- (Possibly more I haven’t yet found.)