An alarming new video published to YouTube this week by a 25-year-old security researcher seems to reveal a piece of hidden software included on virtually all new Android smartphones that records every last keystroke users make, sending the data back to its creator in secret later on.
Called “Carrier IQ,” the software is supposedly meant to help mobile carriers monitor and diagnose problems with their devices. The company that makes the software insists it does not log keystrokes, but 25-year-old Trevor Eckhart seems to have proved that claim quite wrong.
Not only did he demonstrate the software capturing his keystrokes from a text message, it was being recorded even before the message he typed was displayed.
“It should be noticed that, if we scroll down a little further [in the logs], here’s where the message is actually being displayed in the end user’s inbox,” he explained. “So, all of the IQ agent processes is happening before the end user even sees the [text].”
Eckhart also demonstrated how the software can read Internet searches over secure connections, meaning that not even encrypted communications are completely private on Android phones.
“We can see that Carrier IQ is querying these strings over my wireless network [using] no 3G connectivity, and it is reading [a secure communication],” Eckhart explained.
He also showed how, even after opting out of using location identification services, Carrier IQ still sends phone location data to its creators. Additionally, Eckhart illustrated how the software keeps itself hidden, is impossible to remove through stock toolsets, and gives the user no choice in whether it may run in the background.
[...]
“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart,” the company later said. “We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”
All of the above was enough for Wired magazine to call Carrier IQ one of the top reasons to “wear tinfoil hats” this holiday season.
Raw Story
I guess I won’t be contacting Venezuela on my cell.
Android, however, is not the only smartphone operating system with security concerns. Earlier this year, researchers Alasdair Allan and Pete Warden discovered that Apple’s iPads and iPhones contain a database with thousands of location points that gets downloaded every time the device syncs with a PC or Mac.
[...]
It includes latitude, longitude, a time stamp, and the IP address for the wireless network the phone was currently accessing.
And as we all know, criminals use burn phones, so what’s the point? Uh-huh. Brave New World.
...but hey, do what you want...you will anyway.
UPDATE: Al Franken to the rescue