Less Obvious Threat of Hidden SoftwareSoftware Records Keystrokes on Smartphones
In a world where employees demand that they can access corporate networks via their mobile devices, news that software embedded in millions of Android smartphones can record every keystroke users make is troubling. What's really scary, beyond the obvious, is the risk this hidden software poses to organizations trying to protect the security of their data and the privacy of their employees.
Trevor Eckhart is a systems administrator, who posted this past week a video on YouTube (see below) that he says shows an application from Carrier IQ that records every key he pressed on his own HTC Android phone.
The clear implication of the video is that the software could reveal usernames, passwords and other confidential information entered by the user, as well as their physical locations, information that could place individual privacy and secret corporate data at jeopardy.
That unnerved Sen. Al Franken, the Minnesota Democrat who chairs the Judiciary Subcommittee on Privacy, Technology and the Law, who took to the Senate floor Thursday demanding answers from Carrier IQ about the technology:
"The revelation that the locations and other sensitive data of millions of Americans are being secretly recorded and possibly transmitted is deeply troubling. This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers. But right now, Carrier IQ has a lot of questions to answer."
Carrier IQ denies that it's tracking individuals or saving data from its software. In a statement, Carrier IQ said:
"While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video."
Carrier IQ maintains the software is used for debugging problems with mobile devices. Some of the largest American wireless carriers - AT&T, Sprint and T-Mobile - use Carrier IQ's software to help them improve their service.
Dan Rosenberg, a senior consultant at Virtual Security Research, is no fan of Carrier IQ, but agrees that there's a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer and collecting, storing and transmitting data to carriers. In an online post, Rosenberg wrote:
"After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data. There's a big difference between 'look, it does something when I press a key' and 'it's sending all my keystrokes to the carrier!' Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes.
"Of course, the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur. But all the recent noise on this is mostly unfounded."
What the Carrier IQ incident reveals is that even among the smartest people in IT organizations, not everything is known about the technology of the devices used to access sensitive data, and that makes assessing risk all the more difficult. That is troubling news.