Slog
News & ArtsWednesday, November 30, 2011
Tech Your Android Phone Is Probably Tracking Everything You Do
Posted by Paul Constant on Wed, Nov 30, 2011 at 2:04 PM
The sad truth nowadays is that if you own a piece of technology, you should probably just automatically assume that it's storing everything you do. Gizmodo says:
If you have any decently modern Android phone, everything you do is being recorded by hidden software lurking inside. It even circumvents web encryption and grabs everything—including your passwords and Google queries.
Worse: it's the handset manufacturers and the carriers who—in the name of "making your user experience better"—install this software without any way for you to opt-out.
The very long video proving the existence of this hidden recording software can be found after the jump.
1
My theory is that I wouldn't do anything behind my Android's back that I wouldn't do in front of it, so feel free to spy at will.
Oh, wait. That's my approach to anyone who snoops in my computer history or reads my text messages.
Applies to both, I guess.
Oh, wait. That's my approach to anyone who snoops in my computer history or reads my text messages.
Applies to both, I guess.
3
The most disturbing part of this is that it actually records keystrokes, even on secure (https) pages.
5
Hackers in Australia have known about this for months.
By the way, your xBox360 motion capture box is using facial and voice recognition to feed the Homeland Insecurity and CIA information about who is in the room, and can be turned on for surveillance remotely using certain chipset activation codes you're not supposed to know about.
Enjoy Big Brother!
(suckers)
By the way, your xBox360 motion capture box is using facial and voice recognition to feed the Homeland Insecurity and CIA information about who is in the room, and can be turned on for surveillance remotely using certain chipset activation codes you're not supposed to know about.
Enjoy Big Brother!
(suckers)
7
Isn't this something over which tech companies should be up in arms? If you can access your work email on your phone (or, like many, are required by your job to have a phone with that has such capability), that means your phone is probably recording sensitive information that your company wouldn't want exposed to the general public, right?
8
I know when GPS is enabled, my phones charge doesnt last over night and the alarm doesnt wake me up. When its turned off, im not late for work.
@5 Xbox Kintec spying on you.
If the Kintec was broadcasting things to the CIA, users would have found it within weeks of its release. Its not that hard to detect when a device phones home. Packet analyzers like Wire Shark tend to make it easy.
FYI: The people who originally created this technology, shopped it to Apple first, but Apple wanted all sorts of secrecy involved, asked them to sign NDAs BEFORE they considered buying it. They refused, went straight to Microsoft, which bought it immediately.
@5 Xbox Kintec spying on you.
If the Kintec was broadcasting things to the CIA, users would have found it within weeks of its release. Its not that hard to detect when a device phones home. Packet analyzers like Wire Shark tend to make it easy.
FYI: The people who originally created this technology, shopped it to Apple first, but Apple wanted all sorts of secrecy involved, asked them to sign NDAs BEFORE they considered buying it. They refused, went straight to Microsoft, which bought it immediately.
9
I followed the video and then looked for either running service (or similar) on either of the two Android phones I have here, neither an HTC, different OS versions, and I just don't see it running on either. I hope that somebody smart has done a smell test on the claims made here. He doesn't claim that all Android phones run this, but he does say most do, and I'm 0 for 2.
10
I still don't understand these two countervailing memes.
People overshare the minute details of their lives on Facebook, Twitter, comments in blogs and other social media.
They then rail about privacy when it's "revealed" that they can be tracked by cell phone.
And there are plenty of apps like Foursquare where people report their position willingly.
I don't get it. Do you want us to care...or not.
11
OH GOD SOFTWARE CAN SEE WHAT KEYS I PRESS EVEN ON AN HTTPS PAGE HOLY GOD HOLY GOD. Listen up, dipshits. Your keystrokes are not supposed to be encrypted, even if you're looking at an HTTPS page. And the fact that some application has registered for keystroke callbacks is not "proof of hidden recording software." What this idiot should be doing if he suspects this program of doing something nasty is rooting his device and connecting a real debugger to the process so he can see whether it's writing data to a file or the network somewhere. What he should not be doing is spending 17 fucking minutes dramatically revealing that HTTPS does not encrypt your keyboard. (!!!)
13
@11 - so wait - he doesn't even confirm that the data is being uploaded? What his his fucking point, then?
14
@13 Apparently, he's discovered that OSes use a BIOS to interface with their hardware. Welcome to 1976, boy genius.
16
@13
His point is that there's a daemon running at all times, that can't be removed or even turned off, that captures this stuff.
The daemon might only transmit data off the handset when the prospective recipient tells it to; this would make sense if it were meant to be used for customer support. Or for law enforcement.
@14
I don't think you understood what you watched. He uses the debugger to show that OS events (not BIOS events, as you should have realized from the virtual keypad segment) are being dispatched to a resident process, in this instance named 'IQRD', presumably installed by the handset manufacturer for the carrier. This resident process is not part of the base OS.
His point is that there's a daemon running at all times, that can't be removed or even turned off, that captures this stuff.
The daemon might only transmit data off the handset when the prospective recipient tells it to; this would make sense if it were meant to be used for customer support. Or for law enforcement.
@14
I don't think you understood what you watched. He uses the debugger to show that OS events (not BIOS events, as you should have realized from the virtual keypad segment) are being dispatched to a resident process, in this instance named 'IQRD', presumably installed by the handset manufacturer for the carrier. This resident process is not part of the base OS.
17
You can root the phone to fix it, so if you're a nerd you don't have much to worry about, if you don't understand technology you have everything to worry about.
18
@15
Bear in mind that the information isn't transferred off of the handset, and there's no evidence that it's being stored on the handset either, contrary to Paul Constant's breathless summary (the debugger in the video shows events being dispatched to IQRD; there is no evidence presented that IQRD is then storing those events in a log file somewhere).
With that understood, which part of HIPPA do you think is being violated, or potentially violated?
Bear in mind that the information isn't transferred off of the handset, and there's no evidence that it's being stored on the handset either, contrary to Paul Constant's breathless summary (the debugger in the video shows events being dispatched to IQRD; there is no evidence presented that IQRD is then storing those events in a log file somewhere).
With that understood, which part of HIPPA do you think is being violated, or potentially violated?
19
@17
Not all phones can be rooted, and not all rooted phones will stay rooted. There are lots of ways for a carrier or manufacturer to "restore" various kinds of rooted phones, and they generally won't give you a nice polite advance warning before doing so.
You could buy one of the official Google handsets, I suppose, for the full unlocked price. But there's no reason Google can't decide to add something like this to the base OS. Or to "restore" your rooted device, for that matter.
Not all phones can be rooted, and not all rooted phones will stay rooted. There are lots of ways for a carrier or manufacturer to "restore" various kinds of rooted phones, and they generally won't give you a nice polite advance warning before doing so.
You could buy one of the official Google handsets, I suppose, for the full unlocked price. But there's no reason Google can't decide to add something like this to the base OS. Or to "restore" your rooted device, for that matter.
20
FWIW, there's a predictably anodyne press statement (pdf) from Carrier IQ saying their tools are merely "counting and measuring operational information."
Also predictably, not a word in there about why you can't remove these metrics tools, or even turn them off.
Also predictably, not a word in there about why you can't remove these metrics tools, or even turn them off.
21
@4, while they undoubtedly make a client for BlackBerrys, so far there is no evidence that any carrier is actually using it.
22
You can follow the entire thread from the developer who discovered the Carrier-IQ rootkit by working backwards from this blog post:
http://www.xda-developers.com/android/th…
http://www.xda-developers.com/android/th…
Advertisement
Most Commented on Slog
-
Portland Voters Are Stoopid by Goldy
-
An I-5 Bridge Over the Skagit River Has Collapsed by Paul Constant
-
Why They Break Windows by Unpaid Intern
-
Usually When I'm Sent a Photoshopped Image of a Gun Pointed At Me... by Dan Savage
-
Did You Steal Our Unpaid Intern's Camera? by Goldy
-
The Only Thing More Tragic than a Bridge Collapse Would Be a 10 Cent a Gallon Increase in the Gas Tax by Goldy
-
Tornado Truthers by Dan Savage
-
Star Trek Releases Deleted Scene of Benedict Cumberbatch Showering to Counter Claims of Sexism by Cienna Madrid
-
Boy Scouts Lift Ban on Gay Members by Paul Constant
-
SL Letter of the Day: Not A Prude... And Not Just Not That... by Dan Savage
Stranger Personals
The Stranger
RSSSeattle Art & Performance Quarterly
A complete guide to Seattle's current art, film, dance, and theater season.
Facebook
Twitter
Comments (23) RSS