Source: The Register
Dan Goodin
Ironically, he says, the Carrier IQ software recorded the “hello world” dispatch even before it was displayed on his handset.
An Android app developer has published what he says is conclusive
proof that millions of smartphones are secretly monitoring the key
presses, geographic locations, and received messages of their users.
In a YouTube video posted on Monday, Trevor Eckhart showed how
software from a Silicon Valley company known as Carrier IQ recorded in
real time the keys he pressed into a stock EVO handset, which he had
reset to factory settings just prior to the demonstration. Using a
packet sniffer while his device was in airplane mode, he demonstrated
how each numeric tap and every received text message is logged by the
software.
Eckhart then connected the device to a Wi-Fi network and pointed his
browser at Google. Even though he denied the search giant's request that
he share his physical location, the Carrier IQ software recorded it.
The secret app then recorded the precise input of his search query –
again, “hello world” – even though he typed it into a page that uses the
SSL, or secure sockets layer, protocol to encrypt data sent between the
device and the servers.
“We can see that Carrier IQ is querying these strings over my
wireless network [with] no 3G connectivity and it is reading HTTPS,” the
25-year-old Eckhart says.
The video was posted four days after Carrier IQ withdrew legal threats against Eckhart
for calling its software a “rootkit.” The Connecticut-based programmer
said the characterization is accurate because the software is designed
to obscure its presence by bypassing typical operating-system functions.
In an interview last week, Carrier IQ VP of Marketing Andrew Coward
rejected claims that the software posed a privacy threat, on the grounds
that it never captured key presses.
“Our technology is not real time,” he said at the time. “It's not
constantly reporting back. It's gathering information up and is usually
transmitted in small doses.”
Coward went on to say that Carrier IQ was a diagnostic tool designed
to give network carriers and device manufacturers detailed information
about the causes of dropped calls and other performance issues.
Eckhart said he chose the HTC phone purely for demonstration
purposes. BlackBerrys, other Android-powered handsets, and smartphones
from Nokia contain the same snooping software, he claims.
The 17-minute video concluded with questions, including: “Why does
SMSNotify get called and show to be dispatching text messages to
[Carrier IQ]?” and “Why is my browser data being read, especially HTTPS
on my Wi-Fi?”