BUSTED! Secret app on millions of phones logs key taps

An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users. In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ …

COMMENTS

This topic is closed for new posts.


Unhappy

Yes it's used in the EU

Press release on the CarrierIQ website says that Vodafone Portugal is a customer, so there's at least one EU country where you'll find the software.

1
0
Anonymous Coward

Knowing people at Vodafone Portugal, that doesn't surprise me one bit.

It's probably used in Vodafone Germany too then.

0
0
Bronze badge
WTF?

Optimism

There are entirely too many "private" companies that want to friggin' OWN the state.

Mine's the one with the aluminum foil cap in the pocket.

1
0
Anonymous Coward

@Dave 120 - RIPA

I disagree. It could be argued that RIPA doesn't protect us from the State, since it seems to legitimise far too many activities. But anyway, it also defines the offence of 'unlawful interception', and that offence is not specific to the State - it applies to all.

0
0
Silver badge
FAIL

Just checked...

it isn't on my htc Sensation... But that is an unbranded version, so it could be either down to the carriers or it is a USA only thing.

Also, the idiot in the video doesn't seem to understand the difference between a packet sniffer (pulling data packets out of the network (wi-fi or ethernet)) and a USB-Debugging tool! If the phone was in Airplane Mode, there IS NO WAY that he could have sniffed the data, because the phone couldn't have sent any data!

Likewise the bozo complains about it giving the https address information from the browser, again, this is by design, it was in debug mode and gave out the URL to the debug stream, nothing sinister here... Now, if he had ACTUALLY sniffed the data packets and the data WAS being sent to Carrier IQ, that would be another matter entirely.

He just proved, that it was running and that it output gathered information over the USB port, when in Debug mode, which is what you would expect, but alas doesn't prove anything.

1
0
Vic
Silver badge

> it was in debug mode and gave out the URL to the debug stream, nothing sinister here.

It gave the URL - which should be protected in HTTPS - to the CarrierIQ app.

That is *very* sinister.

Vic.

0
0
Anonymous Coward

An(drew) Coward ?

Has he heard of the name change facility... if not for himself, for his children's sake ?

AC, as per the title.

1
1
Anonymous Coward

What??

?? the fuck are you on about??

4
0
Silver badge

The illustrious lineage of the Cowards deserves recognition, if only because of Nöel.

5
0
Mushroom

If this is proven true, then it's very serious, not least because of the scale of it. If that is the case, it's time for a massive class action to utterly destroy their company and send a clear warning to others. A line has to be drawn against companies behaving like this, because their kind are not going to stop pushing for ever more detailed spying without people standing up to them and saying no more. A limit has to be created somewhere!?!

36
0
Anonymous Coward

Re:

Don't stop at this small fish company when dozens of others are or will be doing the same thing.

It's the carriers and/or handset manufacturers who are buying this product that need to be slapped.

8
0

re: Asgard

While I agree with your post, remember that someone paid this company to develop this app. It is the phone companies that need to be targeted in any class action, and frankly they're too big to be properly punished.

It will be oops, our bad, some low level exec has been punished and everyone affected gets a free sms in compensation

1
0
Silver badge
Big Brother

@asgard

Given the list of companies that he cited who use it, that could take down a fair bit of the phone industry. Still, it would be worth it. Still, I am impressed that no one has mentioned Big Brother yet.

4
1
Anonymous Coward

"impressed that no one has mentioned big brother yet."

Sadly we've been under BB for a long time now, it's almost pathetic how impotent we are about it these days.

I recently went to sign up for a contract phone and I was handed a form to sign that simply had a box to tick and the words, "I hereby agree I have read the T&Cs." I hadn't seen the T&Cs nor been offered them, and I bet if I had asked, the assistant would have commenced with lots of huffing and puffing while her potential sales commission targets wandered in and out of the shop, waiting for me to read the full T&C doc.

Just a small example of how we are all being treated like mindless sheeple and expected to simply follow along and "not worry our fluffy little heads" about nasty things like legal agreements. Just sign your life away, you'll never have to worry about it. If you decide to start causing trouble with the agreements, we'll make it so damn difficult and expensive that your grandchildren will still be paying for your impudence in attempting to question your betters!

2
0

HTC Desire Z doesn't show it.

Just had a look through my running apps and it doesn't show this.

Anyone else see this?

1
8
FAIL

Lol, you don't understand what a rootkit is, do you? Due to the rootkit features you will not find this program in your list of running apps, because it hides itself from the operating system (and hence you). It even pretty much says that in the article.

6
3
Anonymous Coward

Apart from if you read the internet for like five minutes you can work out how to find it and remove it.

0
1
Vic
Silver badge

> you will not find this program in your list of running apps

The video shows the program in the list of running apps...

> It even pretty much says that in the article.

It explicitly says the opposite in the video - and shows it, too.

Vic.

1
0

No, the video says it does not show up in the running apps, but it is listed in the installed apps, hence it being deserving of being called a rootkit.

Rewatch the video carefully

3
0
Vic
Silver badge
Thumb Down

> No the video says it does not show up in the running app

No, the video says it shows up as a running app. 5:08 to 5:45 or thereabouts.

> but it is listed in the installed apps

...But is *not* listed in the installed apps. 4:11 to 4:23.

> Rewatch the video carefully

Errr... likewise?

Vic.

1
0

Checked my DZ too, running stock HTC Gingerbread, no sign of it.

Maybe it's something HTC only dish out with Sense 3, or just to the US market?

0
0

XDA-Devs explanation

Having a look around at the wonderful XDA resource, I came across this which explains what it is, what it does and how to find if you have it. Search further and there are ways to remove it.

I certainly would not want this on my phone...

http://forum.xda-developers.com/showpost.php?p=11763089

2
0

From that article: "Carrier IQ is a software package buried deep within Android by Samsung at the behest of Sprint"

But the video shows HTC, so presumably they got the same "behest". Does this only apply to Sprint?

My friend's HTC Sensation on T-Mobile (UK) doesn't appear to be running the service nor contain the IQ libraries listed.

0
0
Anonymous Coward

Just checked for the running service on a Samsung Galaxy S2 on O2 in the UK, and no sign of it. Still can't help wondering if there is an equivalent lurking on it o.0

0
0

UK Vodafone sensation

Not on the UK Vodafone branded Sensation according to Eckhart's tool.

0
0

Reading the XDA article, here's a scary sentence:

"through comparative groups down to diagnostic data from individual devices"

So any claim it's anonymous collection is utter ballcocks; that they can identify individual devices should put the willies up any self-respecting privacy advocate!

0
0

This post has been deleted by a moderator

Still waiting for a FOSS smartphone

These ongoing security scandals with iOS and Android are exactly why we need a free-open-source smartphone OS. Or if true FOSS is too ambitious, then at minimum, something like Ubuntu.

I'd be quick to pick one up, once it's available. It's time!

7
3
Boffin

FOSS SmartPhone...

The Nokia N900 is (was) a FOSS smartphone. Sadly hard to get now, almost impossible to repair, but it might be worth it now...

1
0

Not all that hard to get... picked up mine 2nd hand from ebay 4 months ago for 130 quid and it's still working a treat :) A little scratched true but still a bargain since it works just fine :)

0
0
Anonymous Coward

Typical freetard, the security problems are with Android.

2
13
Anonymous Coward

FOSH&S

It's not really adhering to FOSS if it's got an untraceable hardware chip that logs keystrokes and sends them off, bypassing the main OS.

What you need is FOSH&S

0
0

Read the article ffs! Nokia are using this software. Just because a device is FOSS doesn't prevent someone installing a rootkit or other malware.

The technical knowledge of Reg readers is slipping badly.

0
0
Anonymous Coward

FOSS?

If you're willing to spend a few years (or decades?) of your own time developing one without getting paid - ever - and detail all the hardware designs and implementations, go ahead, make one.

I'll wait till someone stupid/benevolent enough does this and grab one for free (as in beer). I'd still probably prefer the Jesus phone for its aesthetic design, unless you're able to find a designer who's also willing to spend a few years of their time doing nothing but that.

Though be careful not to starve yourselves.

0
4
Anonymous Coward

@Dave Murray

Carrier IQ may sell a version for Nokia that some operators may install on the phones you get with a contract, but that is not the same as Nokia using it.

When I worked for them Nokia had something similar, but it didn't hide itself. Company employees (non-developers) who signed up for their internal 'True Test' program (beta testing new phones and software) were sometimes asked to install the monitoring suite, and it was sometimes included in beta releases of Symbian, but it didn't do key logging and you could always open the app and check to see if it was active or when it last sent any results back, and you could easily uninstall it. It monitored apps running vs power consumption as well as some statistics for the radios. It was never on production releases of phones.

I think it unlikely that they also had a sinister black-helicopter version and actually managed to keep it secret. I'm fairly certain that if they tried they would have had loads of outraged devs on the internal message boards.

0
0
Silver badge
WTF?

I can see why this software exists

but not why it's installed and turned on.

If I've got an issue, then I'm happy for my phone to dump everything to a log to enable debugging - but I want a nice icon to indicate it's running, another one to turn it on and off, one to review what it wants to send and finally a 'send' button.

Article doesn't touch on it, but looking at the path, is this something HTC have put on every phone?

9
0
Vic
Silver badge

> is this something HTC have put on every phone?

Certainly not *every* phone; I've just checked my Desire, and it's not there.

But HTC are to be condemned for putting it on *any* phone. This sort of thing is decidedly unethical, and illegal in many jurisdictions (and I really hope they get caught in one).

Vic.

0
0
Silver badge
WTF?

Allergic to both rootkits and video, so

can you point me to where "conclusive proof that millions of smartphones" is shown (in text). Would that be the "stock EVO handset" bit, and then is it HTC or the wireless companies, or both, that will be going up the river? Just HTC phones or more than that?

Cripes, Murdoch just caught a break...

1
1

And who is paying for these data transmissions?

6
0
Pint

Any idea how much that info is worth to companies? Probably enough to buy yourself a small country somewhere south of the equator!

The phone company takes the hit on that data, you don't have to worry about it. The phone company and IQ then split the dirty money between them by selling you and your info down the Swanee!

1
1

Cyanogenmod?

I wonder if my modded HTC has this rootkit on it.

0
0

@br0die

No it doesn't. And you can check the source to confirm ;-)

1
1
Happy

Thank you, yes I did my own research as well, and confirm that Cyanogenmod'ed phones are not affected

0
0

>“Why is my browser data being read, especially HTTPS on my Wi-Fi?”

Because HTTPS is between the two endpoints. HTTPS is for sending data over untrusted networks, not for protecting data while it is still on the source or once it's delivered to the receiver.

0
1
Silver badge

Sir

I think he may have been asking why, not how it was possible.

After all, not even Phorm tried to intercept https traffic at source afaik - something to do with it being obvious that it isn't to be read - a bit like 'private & confidential' stamped on an envelope.

2
0
Happy

I love this

Daniel, with the utmost respect, are you a software engineer perchance?

The question was why are they snooping on sessions that are intended to be, and thought to be, secure. Never mind the privacy concerns, this is a gaping hole in the security structure.

It was not a question of how they are able to bypass HTTPS, for which you have provided a reasonable answer, in that they access it from the "safe" side, in the clear.

1
0

That explains the how, not the why. Which indeed is quite an interesting question.

0
0
Silver badge
Stop

gaping hole?

It isn't a gaping hole. I intercept SSL daily at work. It's called "man in the middle". All our employees are made aware and sign the AUP of the business. Our webfilter/firewall has trusted certs and scans SSL before bridging back. This is fairly seamless to the end user and perfectly legal.

this is doing the same:

action -> carrier IQ -> SSL -> network.

What isn't explained is how carrierIQ -> network (plain text?) with SSL traffic. I guess carrierIQ don't know/care if it is SSL - it logs everything....

1
0
Unhappy

Erm, isn't it?

We're onto a wider question now, and although you trust your servers, they still have access to all my bank logins, and the entire session, should I choose to check an account whilst at work - and on a "line" that I thought secure from my PC to the bank server.

This gives you access to information that is beyond what I would consider reasonable for an employer. Many people use a work PC to check domestic things, well within the fair use requirements, and with an assumption of trust.

Your firm's approach greatly increases the circle of trust, unnecessarily, which I would call a "hole".

This makes your systems a richer target for criminal infiltration, knowing there are any number of instant man-in-the-middle attacks available. Or, alternatively, a configurable scrape of HTTPS sessions with passwords etc.

Would it not be impossible to exempt HTTPS sessions to a certain whitelist of addresses? -and even if so, it wouldn't protect me from a corrupt instance of "you", would it?

4
1

This is pretty normal for malware checking firewalls. If you have to check your banking account during working hours, why not use your smartphone?

0
1


Biting the hand that feeds IT © 1998–2017