A hidden application found on millions of smartphones can log almost everything a user does, claims a US security researcher.
Trevor Eckhart unearthed the Carrier IQ application that runs largely unseen on Android, Nokia and Blackberry handsets. Mr Eckhart said the software could log locations, websites visited, key presses and many other parameters.
Carrier IQ denied its code was spying. It threatened Mr Eckhart with legal action but later backed down.
Advanced skills
Mr Eckhart said he found Carrier IQ via work he had done on a security program, called Logging Test, which spotted which apps were running on an Android phone.
His analysis revealed that Carrier IQ could be set up to record almost anything and everything done on a smartphone.
The code has been found on Nokia, Blackberry and Android smartphones and tablets. A cut-down version has also been seen running on some Apple phones.
In response, Carrier IQ defended its software, saying it was not spying on users.
It said the code was used by mobile operators as a diagnostic tool to spot what was causing calls to drop, texts to go astray and battery power to be drained.
Mr Eckhart claimed Carrier IQ was buried deep in the core code for a smartphone to prevent it being found and, on some phones, was customised to prevent users changing what it logged. In some cases, he said, only those with "advanced skills" would be able to find it.
He put a video on YouTube which showed Carrier IQ logging button presses, search queries and locations. Much of the data had been grabbed without consent, he said.
Fair use
The expose led Carrier IQ to start legal action against Mr Eckhart in the form of a "cease and desist" letter which demanded the removal of its training manuals and product information from his website.
This led to the intervention of digital rights group the Electronic Frontier Foundation (EFF) which agreed to represent Mr Eckhart in the legal spat.
In its response, the EFF said: "We have now had a chance to review your allegations against our client, and have concluded that they are entirely baseless."
It said Mr Eckhart's work was "sheltered by both the fair use doctrine and the First Amendment".
Soon after, Carrier IQ withdrew its legal action and said it was "deeply sorry for any concern or trouble" it had caused.
"We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world," it said in a statement.
It reiterated that its software was used for diagnosis and disputed Mr Eckhart's claim that it had logged keystrokes and had tracked where people went.
It said it looked forward to a "healthy and robust" discussion with EFF and Mr Eckhart about its software and the uses to which it had been put.
Senate hearing
The news is the latest in a series of reports by security researchers flagging up different smartphone applications that keep an eye on users.
In April, Alasdair Allan and Pete Warden found that Apple iPhones and tablets running iOS4 regularly recorded a phone's location.
Apple denied it was tracking users and said the data was uploaded to phones to help locate nearby wi-fi and cell phone towers.
In addition, Google played down claims that phones running its Android system were logging locations. It said it gave people a clear choice about whether the information should be gathered.
Both firms were summoned to appear before the US Senate to explain their actions.