Researcher’s Video Shows Secret Software on Millions of Phones Logging Everything

The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.

Though the software is installed on most modern Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until 25-year-old Trevor Eckhart of Connecticut analyzed its workings, revealing that the software secretly chronicles a user’s phone experience — ostensibly so carriers and phone manufacturers can do quality control.

But now he’s released a video actually showing the logging of text messages, encrypted web searches and, well, you name it.

Eckhart labeled the software a “rootkit,” and the Mountain View, California-based software maker threatened him with legal action and huge money damages. The Electronic Frontier Foundation came to his side last week, and the company backed off on its threats. The company told Wired.com last week that Carrier IQ’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”

The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim.

In a Thanksgiving post, we mentioned this software as one of nine reasons to wear a tinfoil hat.

The video shows the software logging Eckhart’s online search of “hello world.” That’s despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google.

Cringe as the video shows the software logging each number as Eckhart fingers the dialer.

“Every button you press in the dialer before you call,” he says on the video, “it already gets sent off to the IQ application.”

From there, the data — including the content of text messages — is sent to Carrier IQ’s servers, in secret. (See this update debunking that.)

By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.

It’s not even clear what privacy policy covers this. Is it Carrier IQ’s, your carrier’s or your phone manufacturer’s? And, perhaps, most important, is sending your communications to Carrier IQ a violation of the federal government’s ban on wiretapping?

And, even more obvious, Eckhart wonders: Why aren’t mobile-phone customers informed of this rootkit and given a way to opt out?

Federal Judge Orders Google, Facebook to Disappear Hundreds of Sites

After a series of one-sided hearings, luxury goods maker Chanel has won recent court orders against hundreds of websites trafficking in counterfeit luxury goods. A federal judge in Nevada has agreed that Chanel can seize the domain names in question and transfer them all to US-based registrar GoDaddy. The judge also ordered “all Internet search engines” and “all social media websites”—explicitly naming Facebook, Twitter, Google+, Bing, Yahoo, and Google—to “de-index” the domain names and to remove them from any search results.

arstechnica

The case has been a remarkable one. Concerned about counterfeiting, Chanel has filed a joint suit in Nevada against nearly 700 domain names that appear to have nothing in common. When Chanel finds more names, it simply uses the same case and files new requests for more seizures. (A recent November 14 order went after an additional 228 sites; none had a chance to contest the request until after it was approved and the names had been seized.)

How were the sites investigated? For the most recent batch of names, Chanel hired a Nevada investigator to order from three of the 228 sites in question. When the orders arrived, they were reviewed by a Chanel official and declared counterfeit. The other 225 sites were seized based on a Chanel anti-counterfeiting specialist browsing the Web.

Holder Asks America to Remain ‘Vigilant,’ Report Intellectual-Property Crime

The War on Terror seems so yesterday.

On Tuesday, Attorney General Eric Holder urged Americans to fink on their neighbors and report intellectual-property offenses like popping or hawking unapproved pharmaceuticals and downloading music and movies illegally.

The announcement at the White House came as the Justice Department kicked off a public campaign against intellectual-property theft, which, like all successful wars against societal scourges, will have public-service announcements on MTV.

“Fortunately, we can all be part of the solution. Anyone who suspects an IP crime can visit cybercrime.gov, fbi.gov, or iprcenter.gov to report suspected offenses,” Holder said. “The public’s proactive attention to these issues can help us to disrupt the sale of illegal goods; to prosecute the individuals, gangs, and international criminal organizations that profit from these activities; and to stop those who would exploit the ingenuity of others for monetary gain.”

So far there’s no word on what kind of reward you’ll get for reporting your teen sister for using an app to turn a Miley Cyrus YouTube video into an MP3, but surely you’ll get at least a Scouting badge for your loyalty to Big Content and the American Way.

The announcement shouldn’t come as a surprise.

The Justice Department under President Barack Obama has seen a sea change in attitude when it comes to intellectual-property enforcement, which could have been predicted by the number of former Recording Industry Association of America attorneys appointed by the Obama administration. (Hollywood votes and donates Democratic.)

In contrast, the terrorism-focused George W. Bush administration shunned calls for the Justice Department to attack illicit websites hawking counterfeit goods and unauthorized copyright material. In the last year, however, Holder’s office has seized 350 websites under a program called “Operation in Our Sites” — with 150 seizures announced Monday.

The attorney general said rights holders need Americans’ help, not just the government’s. He said the United States is “encouraging the American people to become vigilant partners in identifying and disrupting intellectual property crimes.”

“Intellectual property theft,” he said, ranges from “counterfeit consumer goods and pharmaceuticals to illegal downloads and other pirated materials.”

The government, Holder added, “won’t be able to win this fight and keep pace with today’s criminals alone. Our efforts will always depend not only on law enforcement activity and industry partnerships, but also on robust public engagement and the vigilance of the American people.”

While we applaud the idea of installing keyloggers on friends’ computers to see if they are undermining the country’s economic recovery, asking America to be on the lookout for terrorists and intellectual-property infringers at the same time could be confusing.

Say, for instance, you spot an unattended, and possibly counterfeit, Gucci bag in an airport. Who do you call first: The Transportation Security Administration or the Justice Department?


Hackers Can Remotely Set Ablaze HP Printers, Researchers Say

A security vulnerability discovered in Hewlett-Packard printers would allow hackers to steal data from the printers, cause them to burst into flames or use them as a launchpad to attack other computers connected to the printers.

The flaw lies in the design of HP’s LaserJet printer models, and possibly other printer models as well, which allows the firmware on the printers to be upgraded remotely, according to MSNBC, which first reported on the vulnerability.

Each time the printer accepts a print job from a computer, it examines the job for any software updates that might be included in the request. Because the HP firmware doesn’t require a digital signature to verify that an upgrade is authentic, attackers can send specially crafted files to the printer that contain malicious code. They can do so remotely if the computer is configured to print jobs sent to it over the internet.

The researchers, conducting a quick scan of the internet, were able to find 40,000 devices connected to the internet that they said could be quickly infected in this way.
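The missing check described above, as an added example that is not HP's firmware code: a job handler that accepts any embedded update, beside one that flashes only when an RSA PKCS#1 v1.5 signature over the image verifies. The `FWUP` container layout, the function names and the demo key are assumptions constructed for this example.

```python
import hashlib

# Constructed demo key: both primes are Mersenne primes, so this modulus is
# trivially factorable. It exists only to make the example self-contained.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
K = (N.bit_length() + 7) // 8              # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MAGIC = b"FWUP"                            # hypothetical update marker

def _encode(image: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def vendor_sign(image: bytes) -> bytes:
    """Vendor build system side; the private exponent never ships on devices."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return pow(_encode(image), d, N).to_bytes(K, "big")

def make_update_job(image: bytes, sig: bytes) -> bytes:
    """Constructed layout: MAGIC | 2-byte signature length | signature | image."""
    return MAGIC + len(sig).to_bytes(2, "big") + sig + image

def handle_job_unsigned(job: bytes) -> str:
    """Behaviour the article describes: any embedded update is accepted."""
    return "update-applied" if job.startswith(MAGIC) else "printed"

def handle_job_verified(job: bytes) -> str:
    """Hardened: flash only if the signature verifies under the vendor key."""
    if not job.startswith(MAGIC):
        return "printed"
    sig_len = int.from_bytes(job[4:6], "big")
    sig, image = job[6:6 + sig_len], job[6 + sig_len:]
    if sig_len != K or len(sig) != K or not image:
        return "update-rejected"
    s = int.from_bytes(sig, "big")
    # Recompute the expected encoding and compare whole values (no parsing).
    ok = s < N and pow(s, E, N) == _encode(image)
    return "update-applied" if ok else "update-rejected"
```

Only the public values `N` and `E` would live on the device; a production design would use a vendor key of adequate size and would also check version numbers so that an old signed image cannot be replayed as a downgrade.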