After American service providers voluntarily installed key logging software on their handsets, are you sure your handset is safe?
The consequences could be truly terrifying.
A pre-installed feature found on the majority of US handsets is to be investigated by the FBI, after it was shown to have the power to track keystrokes, SMS messages, browser activity, and more.
The Carrier IQ controversy has spawned a mini industry of detection and removal tools
Security blogger Trevor Eckhart, who identified Carrier IQ, the name of this shady feature, demonstrated that, on some handsets, it runs invisibly and can’t be turned off. Removing the software is a complex process requiring IT savvy and administrative access to the phone’s operating system.
The whistle-blower, a systems administrator from Torrington, Connecticut, tested his research out on HTC handsets running Android, although Carrier IQ also comes in BlackBerry, Nokia and iPhone handsets. The company provides software to companies worldwide, but so far there is no evidence that UK providers are also installing Carrier IQ on their customers’ phones. Using data gleaned from training documents that were freely available online, Eckhart was able to determine that the software recorded users’ key presses, logged when calls were placed and kept data about many more events – including location changes and application installation. Any of these metrics could then be accessed from a device using a remote portal, by a designated administrator.
Cease and desist
“Portal operators can view and task metrics by equipment ID, subscriber ID, and more,” wrote Eckhart on his Android Security Test blog (www.androidsecuritytest.com). “They now know ‘Joe Anyone’s’ location at any given time, what he is running on his device, keys being pressed, applications being used.”
Carrier IQ responded to Eckhart’s investigation swiftly. The company issued a cease and desist letter, quoting copyright law and demanding the removal of his research from the web. Bad move. Rather than quashing the site, the page went viral on Twitter, YouTube and Facebook, catching the attention of dogged internet privacy advocates, the Electronic Frontier Foundation.
Famous for scrapping with big companies who try to stop free speech online, the EFF’s lawyer emailed a robust and comprehensive rebuttal to Carrier IQ’s letter.
Now, caught up in an online whirlwind of attack and counterattack, Carrier IQ’s practices are to be scrutinized by federal investigators, Apple has vowed to drop the software from iOS 5 and big US telecoms carrier Sprint has disabled it across its network.
But is all this just a storm in a Styrofoam cup of stale java? Much of Eckhart’s speculation is about what Carrier IQ could be used for – not what it is actually used for. Carrier IQ insists the metric-measuring software is there to catch bugs, improve battery life and identify problematic apps. Is it really any different to other crash report tools?
Speculation
Some security experts agree that Carrier IQ has had some unfair coverage. Catalin Cosoi, global research director at security software developer Bitdefender, suggests the media response to Eckhart’s original research has been disproportionate. “Although the initial documentation on the issue was technically correct, there has been a tremendous amount of speculation coming from the media,” Cosoi said. “If carriers comply with the fundamental rules of storing private information, chances are that the user will not be affected.”
Still, Bitdefender is one of several companies to respond with a detection tool – Carrier IQ Finder is an app that can be used to uncover the event logger on Android phones. It could be a wise precaution for US mobile users to find out whether Carrier IQ is enabled on their devices, because it’s not just service providers they need to worry about.
Kaspersky malware analyst Tim Armstrong underlined what we immediately thought on reading the list of metrics that Carrier IQ records. “It is possible that this software can be attacked,” says Armstrong. “I’ve never seen an application that didn’t have a flaw.”
With access to live usage metrics available through a remote portal, it’s easy to see why – in Catalin Cosoi’s estimation – some media outlets have sensationalized the incident. Armstrong went on to suggest another cogent and compelling reason that security bloggers have seized on the story.
“The software simply can’t be removed by the average user,” Armstrong points out. “Even if a person roots or jailbreaks their phone to remove the software, there have been reports that this breaks functionality, or even softbricks or temporarily renders the phone inoperable.”
It’s becoming standard industry practice for hardware and software developers to enable their offspring to ‘phone home’ when things go wrong. Importantly, end users are able to opt out of this process. If Carrier IQ is allowed to bypass user wishes, then the basic ethics of online privacy change. A precedent is set that could affect us all.
Mobile malware
One of Trevor Eckhart’s key assertions about Carrier IQ – an assertion that the company specifically asked him to retract – was that it behaves like a rootkit. It runs at boot, hides its presence and phones home, without notifying users that it’s doing so. Carrier IQ is one of the good guys, but – alleges Eckhart – it behaves in a similar way to malware. This comes at a time when mobile viruses are moving from myth to mainstream. In March 2011, Google removed 21 applications from Google Play that looked benign, but were used as wrappers for a malicious payload dubbed DroidDream. The app, which was able to break out of Android’s sandbox and run as root, was particularly insidious, but not the first on the platform.
At first, commentators blamed Android’s open system but, though still top of the mobile virus league, it isn’t the only OS affected.
Trend Micro reported the first sighting of malware targeting BlackBerry handsets in April 2011. Zitmo is a variant of a Trojan previously confined to Symbian devices. Even Apple has had to respond to the rival threat to iOS. Charlie Miller, an iOS security researcher, developed and submitted an app that exploited a flaw in the operating system which allowed it to install additional, potentially malicious code once ensconced on your iPhone. The accepted app was proof that even Apple’s walled garden isn’t immune to the dangers of malicious code.
Open question
The Carrier IQ problem is not so much that data is being transmitted, but that handset owners didn’t know. The company points out that its operations stay on the right side of the law, and it “does not record, store or transmit the contents of SMS messages, email, photographs, audio or video”. Had this been public knowledge, the outcry at its discovery would have been averted.
This leads us to the question: what other hidden software is pre-installed on mobile devices? If nothing else, non-essential programs running in the background use resources – one reason why people root phones and tablets.
Although the OS is open source, Android phones are supplied with pre-installed software just like iOS devices. Is a truly open smartphone possible – one that offers the freedom of a rooted handset by design, with documentation and support?
This could be the perfect chance for projects such as Openmoko to make their mark. Openmoko aims to create a family of fully customizable phones. It no longer makes the handsets itself, but its Neo 1973 and Freerunner phones can be fine-tuned right down to the drivers. As Openmoko itself says, users can “change the wallpaper or rebuild the entire house”. If transparency is the latest killer app, we could be seeing a lot more projects like this in future.
5 mobile security apps
· McAfee Mobile Security – McAfee has made the move to Android and $29.99 protects you from malware.
· Avast Mobile Security – A free app that not only offers malware protection but anti-theft options too.
· AVG Antivirus Free – A less comprehensive solution that lets you scan apps to check they’re safe.
· Bitdefender Mobile Security & Antivirus – Lets you do an audit, to check none of your apps are misbehaving.
· Kaspersky Mobile Security Lite – Lets you block calls and texts as well as offering basic malware blocking features.