Is it possible, then, that carriers have in their databases the passwords of every server that every system admin has connected to over ssh from their smartphone?
This may be the heart of the problem. If the databases built with this include keypresses, then when a user logs into a site using https, their credentials are being recorded before they are encrypted. This opens another vector for hackers to get and sell the information for malicious use by surreptitiously acquiring the data from the tier 1 carrier like Sprint or Verizon instead of needing to get it by hacking a bank.
With such a large number of potential victims, it would be difficult to determine if a wave of thefts from a particular institution were the result of the institution's security being compromised or if a CarrierIQ database was compromised.
I develop some on Android and have been aware of this product for many months now but I have no idea what data it collects and transmits. Just what it is capable of. So this may be a non-issue. For now, at least.
Is it possible, then, that carriers have in their databases the passwords of every server that every system admin has connected to over ssh from their smartphone?