Secret Data and Keystroke-Logging Software Revealed on Millions of Smartphones


  • Posted on November 30, 2011 at 12:42pm by Liz Klimas

Most of us don’t know exactly what software is installed on our phones when we purchase them. All that seems to matter is that it works. But when Android developer Trevor Eckhart found software installed on many popular mobile devices that logs every single one of your keystrokes — phone numbers dialed, text messages, encrypted web searches, etc. — people started to listen.
Last week, Wired reported that Eckhart had found a program called Carrier IQ installed rather secretly on smartphones; it's a program that can track almost anything happening on your mobile phone. Carrier IQ threatened Eckhart, who had posted research and manuals on his website, saying he was in breach of copyright law and could face financial charges. But Eckhart didn’t back down.
In fact, Eckhart has released a new video and research showing Carrier IQ at work on a phone, according to Wired. The company’s website says the program is used to give “manufacturer’s unprecedented insight into their customer’s mobile experience.” Wired states that Carrier IQ said the software is used to gather “information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life” — not logging keystrokes.
But Eckhart’s demonstration shows otherwise:

Now, as Eckhart notes in the video, his demonstration is shown on an HTC phone, but he mentions he’s seen such software on other phones like Android, BlackBerry, Nokia and more. Eckhart describes the software on his website as a “rootkit” that is “enabling someone continued privileged access to our computers” and is “hidden in nearly every part of our phones.”

Here's how Carrier IQ works according to the company website. (Image: Carrier IQ)

Wired and Eckhart are unsure of how this software is covered under a privacy policy.
“If HTC’s privacy policy doesn’t cover the information collected by Carrier IQ, it’s unclear whose privacy policy does,” Eckhart wrote on his website. “Carrier IQ has a minimal privacy policy (http://carrieriq.com/company/privacy.htm), but it says, ‘Our products are designed and configured to work within the privacy policies of our end customers[.]’ So whose policy covers this data — Carrier IQ, or the phone manufacturer, or the carrier? Nobody knows for sure.”
Eckhart writes, “An application should never be this hard to fully remove for security reasons — especially out of contract — when it serves no good purpose for the user, and its use should be opt-in ONLY.”
Last week, Wired reported that the Electronic Frontier Foundation came to Eckhart’s rescue when he was threatened with legal action by Carrier IQ:
“I’m mirroring the stuff so other people are able to read this and verify my research,” he said. “I’m just a little guy. I’m not doing anything malicious.”
The company is demanding Eckhart retract (.pdf) his “rootkit” characterization of the software, which is employed by most major carriers, Eckhart said.
The EFF says Eckhart’s posting of the files is protected by fair use under the Copyright Act for criticism, commentary, news reporting and research, and that all of Carrier IQ’s claims and demands are “baseless.” (.pdf)
[...]
Marcia Hofmann, an EFF senior staff attorney, said the civil rights group has concluded that “Carrier IQ’s real goal is to suppress Eckhart’s research and prevent others from verifying his findings.”
Wired had the opportunity to interview Carrier IQ’s marketing manager, Andrew Coward, who said the company should have control of distributing materials. Coward did acknowledge that if they wanted to look at text messages they probably could, but that wasn’t the point of the program, which is designed for metric analysis.
Afterward, Carrier IQ released a message of apology to Eckhart, CNET reported:
“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart,” the company said in response to the EFF’s letter. “We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”
It did use this apology as another opportunity to say that the company does not use the software to record keystrokes, provide tracking tools, inspect or report content of communications, or provide real-time data to any customer.
Sprint admitted to CNET that it was a Carrier IQ customer but sides with the software company in that it doesn’t use the data to spy on customers but to “understand device performance.”
http://www.theblaze.com/stories/secr...f-smartphones/