Security researcher responds to CarrierIQ with video proof | Mobile …
It’s been almost a month since security researcher Trevor Eckhart approached me with a very complicated question. He had stumbled across what seemed like evidence that data was being recorded from his phone and sent to a company that was neither his carrier, Sprint, or his hardware manufacturer, HTC. It was a significant volume of information, and took Eckhart some time to sift though to find out what was actually going on. What made the situation worse was that, despite being on an “open” Android phone, it seemed like access to the information was as hidden as physically possible in the OS.
Interestingly, shortly after the first story, Mr. Eckhart was sent a cease and desist letter by CarrierIQ for publishing false information about them. A short trip to the EFF and the legal document was retracted by CarrierIQ and an apology was given to Eckhart. Still, the CarrierIQ team felt that some of the information Eckhart published was incomplete or incorrect, and were concerned that people might get the wrong idea about what it is they do. So, in the spirit of making sure everyone was aware of exactly what he had uncovered, and ensuring there was no further space for misunderstanding, Eckhart published a video earlier today with his findings.
Eckhart put together a video of him turning on an HTC Evo3D with a completely stock (provided by HTC) ROM. He demonstrates that nowhere in the startup does any mention of CarrierIQ. There’s nothing indicating that this software exists on the phone. When the applications are discovered, the ability to shut the apps down the same way you would any other app in Android has been circumvented. So, you now have a series of applications that you have to be extremely knowledgeable to find, and when you do find them they cannot be turned off. This is demonstrated in the first five minutes of the video, and these steps can be easily re-created if you have access to LogCat on your computer.
When you receive a text, the video demonstrates that the CarrierIQ software is aware of the text message and its contents before the phone notifies you that you have a message. CarrierIQ and Sprint both were adamant that the body of an SMS was not recorded, and yet we can clearly see in the video that the text contents are read and transmitted via the CarrierIQ applications. In an attempt to clear this matter up, I reached out to CarrierIQ again, who refused to comment and noted that they “are looking forwarding to our meeting with EFF this week and will continue to keep you updated.”
The video also demonstrates how this software records the keys that are pressed in the dialer, before a call is even made. Anytime you press a key in the dialer app, even if you just press random numbers and then close the application, that information is logged by CarrierIQ. If you place a call, that information is recorded as well, along with network strength values. This way if anything happens that would interrupt the call, your carrier can see why it happened and fix it. There’s a real benefit to the CarrierIQ software, but it is clear that far more is being recorded than is necessary.
One could assert that as long as the information is traveling across their mobile network, Sprint has access to it regardless (on the network side) so what does it matter? The next part of Eckhart’s video involved browsing over WiFi. When you access a website using the secure protocol HTTPS, there’s supposed to be a security authentication “handshake” that happens before anybody but you and the recipient has access to the information you are transmitting. Eckhart demonstrates that this software is recording the entire string, security information, URL and all. This is happening on a personal wireless network, not involving Sprint in any way, so who needs this information and what for?
It’s not just WiFi use that concerns me. If you purchase a phone outright, or through a third party, and the phone is never connected to a mobile network, what business does that company have to your information? Why is this service not an opt-in, or something that can be turned off with an authorization code from Sprint?
This video has demonstrated a truly significant volume of information is being recorded. Passwords over HTTPS, the contents of your text messages, and plenty more are recorded and sent to the customers of CarrierIQ. A significant part of what was demonstrated is not included in any privacy agreement, and some of it was a direct contradiction of the statements that were made by these companies. It looks like we’re being lied to, our information is being recorded, and there is nothing we can do about it.
More at Android Security Test
The rest is here: Security researcher responds to CarrierIQ with video proof | Mobile …