Carrier IQ: Bug made some keypresses, message data accessible

In a 19-page report from Carrier IQ, the company explains what information it does and does not collect and finally offers an explanation of why research posted by security expert Trevor Eckhart showed the software reacting to keypresses and revealing location data.

In short, they said it wasn’t their fault. “Our investigation of Trevor Eckhart’s video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software,” the company said in a statement. “Specifically, it appears that the handset manufacturer software’s debug capabilities remained ‘switched on’ in devices sold to customers.” The company also acknowledged that, due to a bug in its software, some text messages may have been included in some of its data if, for example, calls and text messages were made at the same time. “SMS messages may have unintentionally been included in the layer 3 signaling traffic and are not human readable,” the company said in its report. Carrier IQ asserted that “no multimedia messages, e-mail, web, application, photo, voice or video” has been captured because of the bug and that its software cannot read or copy the content of Web sites. It also denied that the program, as designed, captures keystrokes or the content of SMS messages. Data is held for an average of 24 hours, the company said, and can’t be read without Carrier IQ’s own tools.