Thursday, December 1, 2011

Millions of Smartphones Come With Spyware Preinstalled, Security Analyst Says

Security researcher Trevor Eckhart demonstrates how Carrier IQ logs keystrokes on his Android smartphone

Over 100 million smartphones are tracking their owners’ every step, Android developer Trevor Eckhart claimed, thanks to software that comes preinstalled on phones from most major carriers.

During a security demonstration revealed on Monday, Eckhart showed how software developed by Carrier IQ tracks virtually everything a user does -- going as far as logging individual keystrokes and button presses. The company claims it helps its customers improve quality and performance “by counting and measuring operational information in mobile devices.” Security experts call it spyware.

"I assume that when I SMS my wife on the phone, no one is intercepting that message," Chet Wisniewski of security firm Sophos told FoxNews.com. He called the whole ordeal a "serious invasion of privacy."

"Why do they need to know when I'm logging into Bank of America, when I'm accessing my password? It's a different level of snooping," he said.

Developed as a mobile analytics platform, Carrier IQ's software can be found on most Android, BlackBerry and Nokia phones -- over 140 million phones in total, the company's website boasts. Some reports suggest Apple iPhones may carry the software as well.

The company has flat out denied that its software records keystrokes, a claim Eckhart’s latest video seems to refute.

“Every button you press in the dialer before you call,” Eckhart says in his latest video, “it already gets sent off to the IQ application.”

Eckhart did not return FoxNews.com phone calls, and Carrier IQ declined to comment on his claims. A statement on the company's website reiterates the company's claims that its software does not track customers or record keystrokes.

“This information is used by our customers as a mission critical tool to improve the quality of the network, understand device uses and ultimately improve the user experience,” the company said. By evaluating these metrics, Carrier IQ aims to help with issues such as “dropped calls and battery drain.”

In videos showing Carrier IQ at work, Eckhart showed it going beyond such utilitarian monitoring. He showed Carrier IQ’s software monitoring entire text messages, a Google search, and his location, even during sessions protected by HTTPS, a security protocol that encrypts communications for sensitive transactions like online banking.

Sprint has acknowledged using Carrier IQ's software, but denies having access to personal data.

"Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service," Sprint told CNET earlier this month. "We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool," Sprint continued.

While Wisniewski understands the need for data and metrics, he believes carriers must be more forthcoming about how they are monitoring their users, what data they are collecting, and how they are protecting that data.

"If you're going to collect that kind of information from people, you have to meet a different standard," Wisniewski told FoxNews.com.

But for now, most users are stuck, unable to even turn off or uninstall the program.

"The Carrier IQ application is embedded so deeply in the device that it can't be fully removed without rebuilding the phone from source code," Eckhart wrote on his website.

"Even where a device is out of contract, there is no off switch to stop the application from gathering data."
