Carrier IQ Software May Not Record Messages But It's a Privacy Risk

According to security consultant Dan Rosenberg, the Carrier IQ spyware in his Samsung Epic 4G is not recording his text keystrokes. Rosenberg also claims that Carrier IQ cannot record SMS text bodies, emails or web page contents:

CarrierIQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so. There is simply no metric that contains this information.

This contradicts the findings by Trevor Eckhart, who analyzed the live Carrier IQ debug logs in two different HTC phones.

Rosenberg says that, at least on his Samsung, Carrier IQ can't record keystrokes except for those used while dialing phone numbers. It can record GPS location and URLs, even secure ones, however. According to him, HTC should fix the debug logs shown by Eckhart, which are a major privacy risk too.

The conclusion: even without text logging, Carrier IQ is accessing some private information without warning the user and without any easy way to deactivate it. There are no excuses for this abuse. It's just wrong and needs to be fixed now. [Vulnfactory via Cnet]