Wed November 30, 2011
Security Expert Finds Secret Software On Phones Logs Nearly Everything
That headline is pretty spectacular, but the software that researcher Trevor Eckhart found on his HTC Android phone does just that. Eckhart posted a video on YouTube on Monday showing how the software works.
Here's how CNET describes it today:
In the nearly 20-minute video clip, Eckhart shows how software developed by mobile-device tracker Carrier IQ logs each keystroke and then sends them off to locations unknown. In addition, when Eckhart tried placing a call, Carrier IQ's software recorded each number before the call was even made.
Eckhart started making waves across the privacy community earlier this month after he dug into software developed by Carrier IQ that, he said, runs behind the scenes in Android-based devices to track what users are doing. Eckhart called the software a "rootkit," due to its ability to access device data while concealing its presence.
In a statement, the company that makes Carrier IQ disputes that this is spy software. It says that the software is designed for diagnostic purposes and does not "record your keystrokes" and does not "provide tracking tools."
Wired reports that Eckhart's video "clearly undercuts that claim," because it shows the software logging keystrokes even before they are displayed on the screen.
The Register reports the software has been found on a variety of phones including BlackBerrys, Nokias and other Android-powered phones. The software has not been found on iPhones.
But to be honest I think the part that worries me the most is, well, how hard is it to hack into this? To access that information if you're not in fact the network? If it is possible to access this information (and I'd be absolutely astonished if it were not) then this means that absolutely every smartphone running it is vulnerable, to put it mildly, to data theft.
For yes, if you online bank from your phone then the application will be logging that data, PINs, ID codes and all.
That's really not something you want, is it? An application sitting on your phone that records all of these things specifically and exactly so as to broadcast them to someone else?
Dan Rosenberg, a security researcher, wrote today that the claims made about Carrier IQ "are mostly exaggerated."
"After reverse engineering Carrier IQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data," he writes. "There's a big difference between 'look, it does something when I press a key' and 'it's sending all my keystrokes to the carrier!'. Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes."