Pierluigi Paganini
December 01, 2011
Let we use these ingredients to start some serious reflection on safety issues related to mobile devices:
At this point what would happen if it turns out that it was possible to deploy an app on the device that is able to log the main operations performed on these systems. Communications, banking transaction , geographic locations, information about the preferences shown in the web browsing, a mine of information that uniquely qualify the holder. A massive espionage operation conducted for purposes not yet well known, at least I hope.
An Android app developer has declared that he has the proof that millions of smartphones are secretly monitoring all the above information. Amazing!
Trevor Eckhart has posted a video on YouTube showed how software from Carrier IQ recorded in real time every action made on the handset which he had reset to factory settings prior to the test. With a a packet sniffer he has demonstrated that while his device was in airplane mode how each numeric tap and every received text message is logged by the software.
It would seem that the software used is able to operate silently for which reason he wassingled out by the developer as a Rootkit, a software that enables continued privileged access to a computer whilea ctively hiding from its presence administrators by subverting standard operating system functionality or other applications.
The allegations were rejected by the development by the Carrier IQ, which argues thatlogging operations are random, not transferred fully to their own servers and used withdiagnostic purposes only. Frankly disappointing as a official communication and leaves too many disturbing questions about potential violations of privacy resulting from the events.
We have always discussed about a backdoor applications in devices such as processors and other large deployment unit, what happened could materialize the nightmare of many of us.
The Big Brother is constantly updated on our “experienced”. Who and why would commission such an application? Why is the application itself is present in the major handset vendors? Why has never been declared before?
Published article on the Register website conclude with this passage that I desire to share
“The 17-minute video Concluded with questions, Including:” Why does SMSNotify showand get Called to Be dispatch text messages to [Carrier IQ]? “And” Why is my browser onBeing read, HTTPS Especially on my Wi-Fi? “
Another coincidence …. few days after the surprise discovery a group of researchers announced they had discovered a vulnerability in devices with Android OS allows attackers to secretly spy That device usage.
HTC, Samsung, Motorola, Google and all devices are vulnerable. How is possible that the best development teams of the main Firms have missed this threat?
Whom and to what extent would have benefited so far? The spread of Android OS based devices are thin and the event is disheartening. Politicians, heads of state, police, ordinary people. All potentially exposed.
Just yesterday I was discussing with a friend enthusiast of the various jailbreaks for iPhone available on the Internet. Do we know how much consumers risk for these versions that include only some stupid extra features? And if the jailbreak is a cracked versions packed with the intent to spy and control us?
Are we really willing to put ourself the leash around our neck?
Pierluigi Paganini
2011/12/01
Let me add the following interesting material published on cryptome.org
http://cryptome.org/isp-spy/carrier-iq-spy1.pdf
http://cryptome.org/isp-spy/carrier-iq-spy2.pdf
References
http://www.theregister.co.uk/2011/11/30/google_android_security_bug/
http://www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf
http://www.youtube.com/watch?v=T17XQI_AYNo&feature=player_embedded
http://thehackernews.com/2011/11/your-android-phone-is-spying-on-you-use.html
http://www.youtube.com/watch?feature=player_embedded&v=T17XQI_AYNo&gl=IT
