Are Your Smartphone Keystrokes Being Copied and Transmitted?
Are the text messages you type into your Android, Nokia, or BlackBerry smartphone being sent back to your carrier? A security researcher is saying yes.
Developer Trevor Eckhart has recently posted a video showing that software from a company called Carrier IQ sends text messages, encrypted searches, and other user actions to the carrier. Eckhart found out that the information is sent even before a call is made. In the video demonstration, Eckhart noted that "every button you press in the dialer before you call, it already gets sent off to the IQ application." The information is also sent if the user is using Wi-Fi, not the carrier's cell phone network.
Eckhart described Carrier IQ as a rootkit, and said it cannot easily be removed without reinstalling the operating system.
Carrier IQ, he said, listens on the phones for commands "contained in 'tasking profiles' sent a number of ways and returns whatever 'metric' was asked for." In the video, Eckhart shows keystrokes made on the demonstration smartphone immediately appearing on another screen, which represents the information being sent by Carrier IQ. The transmissions are also reported to include information about installed apps and battery life.
After he described the software as a rootkit, the Mountain View, Calif.-based Carrier IQ sent him a cease-and-desist letter. The Electronic Frontier Foundation quickly took up his cause, and Carrier IQ has since withdrawn its legal threat.
In a Media Alert posted on its Web site, Carrier IQ said that its software delivers mobile intelligence "on the performance of mobile devices and networks to assist operators and device manufacturer in delivering high-quality products and services to their customers."
The software, the company said, counts and measures "operational information" in mobile devices, which is used to "improve the quality of the network, understand device issues and ultimately improve the user experience." It noted that the software is embedded by device manufacturers, along with other diagnostics, before shipping.
140 Million Devices
Carrier IQ insisted that it is "counting and summarizing performance, not recording keystrokes or providing tracking tools." It added that no personal subscriber information is sold by Carrier IQ to third parties, and that all information is encrypted and secured in the carrier's network and in its "audited and customer-approved facilities."
The software comes pre-installed on 140 million devices made by Samsung, HTC, Nokia and Research In Motion. There are also reports that references to Carrier IQ have been found in Apple's iOS 5, but there is not yet evidence that the software is installed or that it records keystrokes as on devices from other manufacturers.
John Pescatore, an analyst with industry research firm Gartner, noted that, if keystrokes are being sent without a user's permission, "it's a huge issue." He added that it's important to know more details, especially since performance measurement can mean different things.
Pescatore suggested that Carrier IQ's software might offer "a legitimate kind of function, but they may not have adequately considered privacy issues."
Posted: 2011-12-01 @ 3:13pm PT
This is really carrying away how we as customers are paying for a service and these people are making money on our expenses. No matter what they are doing, they should be regulated with the power of the law, punished and shut down.
Posted: 2011-12-01 @ 2:55pm PT
Isn't that a short version of wire-tapping?