Everybody's talking about smartphones — from apps to picking which northern California technology company will claim your allegiance. Unfortunately, everybody who's got a smartphone … probably has Carrier IQ spying on them …
A security researcher has posted a video detailing hidden software installed on smart phones that logs numerous details about users' activities.
In a 17-minute video posted Monday on YouTube, Trevor Eckhart shows how the software – known as Carrier IQ – logs every text message, Google search and phone number typed on a wide variety of smart phones – including HTC, Blackberry, Nokia and others – and reports them to the mobile phone carrier.
The application, which is labeled on Eckhart's HTC smartphone as "HTC IQ Agent," also logs the URL of websites searched on the phone, even if the user intends to encrypt that data using a URL that begins with "HTTPS," Eckhart said.
The software always runs when the Android operating system is running and users are unable to stop it, Eckhart said in the video.
"Why is this not opt-in and why is it so hard to fully remove?" Eckhart wrote at the end of the video.
In a post about Carrier IQ on his website, Eckhart called the software a "rootkit," a security term for software that runs in the background without a user's knowledge and is commonly used in malicious software.
Eckhart's video is the latest in a series of attacks between him and the company. Earlier this month, Carrier IQ sent a cease and desist letter to Eckhart claiming he violated copyright law by publishing Carrier IQ training manuals online. But after the Electronic Frontier Foundation, a digital rights group, came to Eckhart's defense, the company backed off its legal threats.
The Electronic Frontier Foundation said the software that Eckhart has publicized "raises substantial privacy concerns" about software that "many consumers don't know about."
iPhone? Android? Blackberry? All of 'em are equally vulnerable to this pernicious invasion of privacy (even though tests showed the new Amazon Kindle Fire was free of this surprise). At least you can detect and maybe remove Carrier IQ if you're willing to "root" your Android phone. An article at the Huffington Post outlines some of the ways users can find out whether they're being snooped, while Gizmodo has a list of phones that are free from the infection.
What's so wrong with a little bit of software? Mashable has some ideas …
- It's hidden. Short of rooting, or removing certain software safeguards to obtain “administrator” access to your phone, it's almost impossible to know if it's there.
- It's everywhere. The software reportedly exists on millions of handsets on several carriers, including many Android phones and even some versions of the iPhone.
- It's not opt-in. Without the user's explicit approval, the software is enabled and gathering data on the phone.
- It's voracious. According to Trevor Eckhart, who created the recent explosion of attention on Carrier IQ with a video he posted on YouTube earlier this week, the software logs every keystroke and incoming text message. However, there's some question about how much of this information is actually sent to the carriers.
What are they doing with all this data? The company said in a PDF that they're only "counting and summarizing performance, not recording keystrokes or providing tracking tools." An independent mobile security company said in a blog, "It doesn't appear that they are sending your keystrokes straight to the carriers."
The company admitted that their software — installed on (get this) 150 million phones — could conceivably log web usage, phone numbers, text messages and even keystrokes and literally everything you do … but they're totally not doing that. You can trust them, right?
Add to that the revelation that a number of Android phones (including the Motorola Droid X and the Samsung Epic 4G) have a security hole big enough to drive a Quinjet through, one that fails to enforce permissions and lets untrusted applications send SMS messages, record conversations and execute other potentially malicious actions without user consent, and you've got one wild week in mobile insecurity. Be careful out there!