November 30, 2011
Malware? Who Needs Malware? - Updated at bottom of post and another Update too.
Many people are tweeting the story in The Register today. The app in question is on many Android devices, including HTC units, as well as on BlackBerry and Nokia phones.
BUSTED! Secret app on millions of phones logs key taps
An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users.
I went and found the YouTube video for those who are geekily inclined.
Many people will see this and say it's overly paranoid. But the app is recording everything. Stop and think about that for just one minute. Ponder exactly what that means. Every keystroke, all your locations, everything all in one tidy log package. How convenient.
Go now and read the whole thing, it's one page, I'll wait till you get back.
Carrier IQ is making the point that the data is being used for diagnostics. Since phones crash while running any of the included software, as well as during calls, it would make sense to keep a log of what happened prior to a crash, whether it was browser-based, messaging-based, phone-based, or app-based.
BUT once information gathering starts, bad things can and do happen.
Let me repeat, in case I wasn't clear enough earlier: the problem is that they are recording everything, every keystroke, which means private data such as usernames and passwords, banking information if you bank from your phone, emails you type out and send, SMS messages you send, Wi-Fi information including the SSIDs of other networks nearby, your location at any given time, and so on.
This is wrong on so many levels that it's enough to leave one gasping at the extent of the overreach in data gathering.
And then your private data can be included in the snippets sent back without your knowledge when carriers are trying to find a problem. That's a best case scenario.
If that's not enough to worry about, how about these major items of concern:
1. This information is being stored in a log file that is not encrypted. This log file can be accessed, copied, and transmitted by other malicious apps.
2. It's not clear to me whether, if you copy/paste from a password safe (such as LastPass), the usernames/passwords would be recorded, since they would not be actual keystrokes. Then again, how many people actually use a password safe type of app? Not many, sadly.
3. This certainly violates many laws such as HIPAA among others which means companies that fall under these regulations have to figure out fast how to deal with this.
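As an added illustration (not code from Carrier IQ, HTC or this post), here is what a diagnostics buffer that serves the crash-debugging rationale above without becoming a keylogger could look like: it keeps the trail of events leading up to a crash, but for anything the user typed or sent it stores only the length, never the text, and nothing is serialised until a crash actually happens. The component names, event kinds and the sample password are assumptions made for the demo.

```python
"""Crash diagnostics that keep the event trail but never the typed text."""
from collections import deque
from dataclasses import dataclass, asdict
import json
import time


@dataclass(frozen=True)
class DiagEvent:
    ts: float
    component: str   # assumed names, e.g. "browser", "dialer", "sms"
    kind: str        # assumed kinds, e.g. "key_press", "url_load", "crash"
    detail: str      # metadata only; never user-typed content


class DiagRing:
    """Bounded in-memory ring of recent events, serialised only on a crash."""

    # Kinds whose payload is user content: only its length is retained.
    REDACTED_KINDS = {"key_press", "sms_send", "url_load"}

    def __init__(self, size: int = 256) -> None:
        self._ring: deque = deque(maxlen=size)

    def record(self, component: str, kind: str, content: str = "") -> None:
        # The text itself never enters the buffer, so nothing written to disk
        # or uploaded later can contain a password, SMS body or visited URL.
        detail = f"len={len(content)}" if kind in self.REDACTED_KINDS else content
        self._ring.append(DiagEvent(time.time(), component, kind, detail))

    def crash_report(self, component: str) -> str:
        """JSON snapshot of the last events before `component` crashed."""
        return json.dumps({"crashed": component,
                           "events": [asdict(e) for e in self._ring]})


def event_kinds(report: str) -> list:
    """Helper for checking which event kinds a report contains."""
    return [e["kind"] for e in json.loads(report)["events"]]


def demo() -> str:
    """Constructed scenario: a password is typed, a bank page loads, the browser crashes."""
    ring = DiagRing(size=4)
    for ch in "hunter2":                      # constructed sample password
        ring.record("browser", "key_press", ch)
    ring.record("browser", "url_load", "https://bank.example/login")
    ring.record("browser", "crash", "SIGSEGV in renderer")
    return ring.crash_report("browser")
```

Running `demo()` yields a report that still shows the last four events and the crash reason, but contains neither the password nor the URL.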
So far we don't know that any data has been compromised because of this, but now that the information has been released, you know there will be many a data thief looking for ways to exploit this huge security flaw.
Why oh why is it so hard for people to get it through their thick skulls that collecting private data is NOT a good thing without careful thought as to how it's done and how it's protected. How many times does this have to happen?
Carrier IQ and any companies using this service, stop looking so dumbfounded. It's sheer idiocy to be using this type of logging and you should already know that.
Ah the joys of being connected in an internet world.
PS - it wasn't too long ago there was an utter meltdown in the world because Apple was collecting location data (only location data) on the phone itself. If the response to this app is at all in proportion it should cause the world to stop revolving and then explode.
UPDATE: Sheri posted a link to a Naked Security Blog post about this issue in her comment. I thought it should be added to the end of the main post. Also, in that blog post they reference another post about Carrier IQ traces in Apple's iOS devices but it appears to be a true diagnostic feature in Apple
However, the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default. Finally, the local logs on iOS seem to store much less information than what has been seen on Android, limited to some call activity and location (if enabled), but not any text from the web browser, SMS, or anywhere else.
***
UPDATE 2: Dan Rosenberg, a security researcher who specializes in Android devices, has written his own post to dispute some of the claims made by the original story.
It appears to be HTC, not Carrier IQ, who is the culprit behind the major overkill of information being gathered in the video. I was never all that disturbed by the general information being gathered, such as phone numbers dialed, location, that kind of thing. First because the carrier already has access to that info, and second, you can't debug a problem without information.
The part I find disturbing is the very verbose collection of keystroke data that is kept in a log on the device. If the device is lost or stolen, that log would be available to whoever ends up with the device in hand. Or a malicious app could grab the log file and send it to a remote server over the airwaves without the user even knowing it. So until HTC changes the type of data it is collecting in the background, I can't say they can be trusted to provide any device I would want to use as my own phone.
Posted by: Teresa in WebTech at 02:44 PM | Comments (8)
1
Every damned time I even go out to a B&M store they want to type in all kinds of info from me, my card, etc. and every damned time I ask them how safely they are going to "store" it and "where" and can they guarantee my data will never be accessed by anyone, ever, and mis-used or even "just misplaced." And when they act like it's a given that it's all safe, I tell them it's not and watch the blood drain from their stupid faces. No, it's not doing any good, but it's my little way of spreading what you were saying ("Why oh why is it so hard for people to get it through their thick skulls that collecting private data is NOT a good thing without careful thought as to how it's done and how it's protected. How many times does this have to happen?")
Posted by: sheri at November 30, 2011 03:22 PM (7FREh)
2
Sheri I bet they never get any push back from people and they think you're just nuts. heh.
Posted by: Teresa at November 30, 2011 03:46 PM (jxg4K)
3
So true. They always act like I'm the first person to EVER even bring it up. AND WHY WOULD I EVEN THINK ABOUT SOMETHING LIKE THAT. Gah. You and I are the only two in the country, I guess. We must keep being "crazy." I don't care. Honey badger, he don't care either. He just doesn't want his personal info sitting on a tarmac in a cardboard box in the rain, or on some cheap-ass hard drive in a stockroom in back of Radio Shack. My list of the all-time Top 3 Nosy-And-Unsecured-Storage-And-Use of Your Data By Idiot Retailers, FYI: Radio Shack, Circuit City (Home of the Longest Receipt On Earth; buh-bye!), and any retailer who "needs your phone number to look up your order and no we never do anything with it."
Sorry for the rant.
Oh and I found more/same on the topic of your post here:
Posted by: sheri at December 01, 2011 08:16 AM (7FREh)
4
Re: your update. I guess I feel "better." Heh. Unless "diagnostic tool" is the new euphemism for "keylogger."
Posted by: sheri at December 02, 2011 05:39 PM (7FREh)
5
LOL no you can find it in Settings --> Location Services (scroll allll the way down to the bottom) --> System Services "Diagnostics and Usage" should be off. If it's not, turn it off and "reboot" the phone.
Posted by: Teresa at December 02, 2011 06:02 PM (jxg4K)
6
And yet when I tell people I don't own a smartphone, they look at me like I'm crazy.
Posted by: Harvey at December 02, 2011 07:37 PM (Ha/T5)
7
Oh T, no no no I wasn't asking where to find it. I know all that. I was making a joke. Guess it came off as a question. Heh.
Posted by: sheri at December 03, 2011 09:12 AM (7FREh)
8
Sheri - LOL I think I've been working too hard... I should know you'd know that.
Harvey I like my smartphone (love it actually - if I wasn't married...), but I also like to know what might be an issue and be able to take that into account.
Posted by: Teresa at December 03, 2011 11:40 AM (jxg4K)
Powered by Minx 1.1.4-pink.