Smartphones are either too smart, or not smart enough, apparently. It turns out there’s a number of interesting grievous security vulnerabilities in our cellphones lately.
The first to shiver your timbers is that Google’s Android is a lot less secure than – well, I can’t say anyone thought it was, because frankly, I don’t trust the security on any cellphone with a ten foot pole – but certainly less secure than most people could ever imagine their phone being. Research done at North Carolina State University by Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang is pretty clear about “explicit capability leaks” in Android which allows Android app developers to actually bypass the key security defenses built into Android, allowing apps access to personal information such as your GPS coordinates, or to functions such as text messaging or audio recording (yes, that means tapping your texts and phone calls is included in the capabilities), regardless of your security settings, typically caused by manufacturer-supplied “enhancements” to the base Android install.
Using a diagnostic app they call “Woodpecker” that can diagnose which of your security settings are actually compromised, they found these vendor-created vulns in Google, HTC, Motorola and Samsung brands. Other brands are certainly possible to be vulnerable as well, but were beyond the scope of their study.
Now, as if that weren’t enough, in highly related news and yet a completely different security hole, security researcher Trevor Eckhart has released some shocking evidence of just such a vendor-installed piece of software that completely and totally compromises the security of your smartphone. (Normally I would embed the video for you, but as requested in the video, I’m instead pointing you to the page itself.) This nasty bit of software, which I quite agree with his estimation that it counts as a rootkit, is called Carrier IQ.
Carrier IQ logs (nearly) every key press and button press that you make, meaning all your passwords are belong to … whoever is collecting that data. Carrier IQ also snoops on your text messages, snooping on them before the phone even manages to display them to you. It even bypasses the encryption meant to be in SSL / HTTPS.
Amongst other nasty things.
And Carrier IQ is not just an Android menace installed by the likes of HTC (on which Eckhart tested). In theory Carrier IQ software can be put onto any smartphone. There’s a version for them all. So is your smartphone affected? Here’s a quick breakdown of the scuttlebutt across various blogs:
Well if it’s Android, obviously there’s that possibility, since Eckhart used an Android phone and its debug tools to find Carrier IQ in the first place. So you’re probably infected.
BlackBerry? This one is a little confusing. It’s been alleged that Carrier IQ is on BlackBerries, and yet Research in Motion is adamant that it does not pre-install Carrier IQ, nor does it authorize its carriers to do so. Of course there’s nothing actually stopping its carriers from installing Carrier IQ anyway. So this would suggest that while RiM may be against using it, that doesn’t mean that your BB is in any way safe from it.
iPhone? Yep. It’s a definite possibility to be installed on your iPhone. Carrier IQ has been on the iPhone since iOS 3, and is still there. Though supposedly now with iOS5 you can disable Carrier IQ by turning off “Diagnostics and Usage” in your settings. (Settings->General->About->Diagnostics and Usage->Don’t Send.) And supposedly it’s a lightweight version of a violation, only reporting your phone number, your carrier, your country, your location, and your active phone calls. Oh … that’s not so bad then? Eh? Now, Apple is claiming that iOS 5 does not use Carrier IQ. However, evidence shows that it does, just that it can be turned off. So believe what you will. Just because it’s turned off doesn’t mean that it’s removed.
Symbian is a confusing one. There are a lot of reports saying it is so. And yet Nokia claims that Carrier IQ doesn’t even have any Symbian-based products, so it simply can’t be true. Carrier IQ doesn’t list OS compatibility on their website anywhere that I can find, so I really can’t verify this one way or the other.
webOS … This one has even less information on it. It’s claimed, a lot. But often in generalized sweeping statements. I haven’t seen anyone offer definitive proof positive. Nor refute it. Given that it’s kind of a dead OS anyway, sold from Palm off to HP who has now abandoned it, it’s not much of an issue. But if you have proof one way or the other, I’m sure everyone would love to know with certainty.
Windows Phone 7? Strangely enough, so far it seems as if this is the only smartphone OS to be absolutely safe from Carrier IQ. How weird is that?
The key thing to remember with Carrier IQ is that this is not software designed to be pre-installed with the phone’s operating system. It is third-party software. Maybe it is installed by the manufacturer. Maybe it is installed by the carrier. (As the name suggests.) There are a number of points where Carrier IQ can be installed on your phone. So just because one company refutes that they use Carrier IQ doesn’t mean that your phone hasn’t had it installed by another hand involved.