Security researcher: Android software ‘Carrier IQ’ records communications
If you own a smartphone, your device knows who your friends and family are. It knows where you are, where you’re going and, chances are, what you’ll be doing next. It even knows what you’re typing before you type it. But, what else could these devices know about their users?
An alarming new video published to YouTube this week by a 25-year-old security researcher seems to reveal a piece of hidden software included on virtually all new Android smartphones that records every last keystroke users make, sending the data back to its creator in secret later on.
Called “Carrier IQ,” the software is supposedly meant to help mobile carriers monitor and diagnose problems with their devices. The company that makes the software insists it does not log keystrokes, but 25-year-old Trevor Eckhart seems to have proved that claim quite wrong.
Not only did he demonstrate the software capturing his keystrokes from a text message, it was being recorded even before the message he typed was displayed.
“It should be noticed that, if we scroll down a little further [in the logs], here’s where the message is actually being displayed in the end user’s inbox,” he explained. “So, all of the IQ agent processes is happening before the end user even sees the [text].”
Eckhart also demonstrated how the software can read Internet searches over secure connections, meaning that not even encrypted communications are completely private on Android phones.
“We can see that Carrier IQ is querying these strings over my wireless network [using] no 3G connectivity, and it is reading [a secure communication],” Exkhart explained.
He also showed how, even after opting out of using location identification services, Carrier IQ still sends phone location data to its creators. Additionally, Eckhart illustrates how the software keeps itself hidden, is impossible to remove through stock toolsets, and gives the user no choice in whether it may run in the background.
Eckhart’s first video triggered an angry reaction from Carrier IQ because he called the software a “rootkit” and republished training materials freely offered on Carrier IQ’s website. They threatened legal action, but after the Electronic Frontier Foundation (EFF) stepped up in his defense, they backed off.
“Eckhart concluded that the software, which comes by default on many mobile devices and runs quietly in the background, logs extensive details about users’ activities,” the EFF noted. “Eckhart not only documented the functionality of the software, but learned even more about how it works through training materials posted on the Carrier IQ website. Fearing the company would take the files offline after he posted his analysis, he mirrored the training materials to let others independently verify his conclusions.”
“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart,” the company later said. “We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”
All of the above was enough for Wired magazine to call Carrier IQ one of the top reasons to “wear tinfoil hats” this holiday season.
In a press release (PDF) following Eckhart’s first video, Carrier IQ insisted the software does not record keystrokes or inspect the content of communications.
“Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain,” they claimed.
Android, however, is not the only smartphone operating system with security concerns. Earlier this year, researchers Alasdair Allan and Pete Warden discovered that Apple’s iPads and iPhones contain a database with thousands of location points that gets downloaded every time the device syncs with a PC or Mac.
The unencrypted file, named “consolidated.db,” seems to be first created when user downloads and installs iOS 4 software to the device. It includes latitude, longitude, a time stamp, and the IP address for the wireless network the phone was currently accessing.
Watch Eckhart’s second video, below.