The storm over smartphone monitoring specialist Carrier IQ's hidden software continues, as the security researcher it threatened to sue proves that the so-called 'rootkit' installed on smartphone handsets monitors every single keystroke made on the device.
The company, which counts smartphone giants HTC and Samsung among its customers, produces a secretive piece of software for monitoring precisely what goes on when a user pokes away at their smartphone - ostensibly to provide carriers with bug reports and performance information.
Carrier IQ's secretive software is installed by default and near-impossible for an end user to detect. It can be found on Android, BlackBerry and Nokia handsets if you know where to look, and was uncovered by security researcher Trevor Eckhart in an exposé that earned him a cease and desist letter threatening a $150,000 court case if he didn't shut up.
Eckhart, naturally, got the Electronic Frontier Foundation involved, and Carrier IQ wisely backed down and apologised for its knee-jerk reaction. "Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart," the company's snivelling apology read. "We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world."
Intrigued that Carrier IQ had backed down pretty easily - given that he'd referred to its software as a 'rootkit', a type of malware that is difficult to detect and clean, and certainly not what an apparently law-abiding company would be happy with as a product description - Eckhart investigated the company's claims of innocence.
The most interesting feature of Carrier IQ's explanation for its software was its claim that it "does not record your keystrokes," meaning that smartphone users need not worry unduly about their privacy. Sadly, Eckhart's investigations prove that this is not the case.
In a video posted to his website, Eckhart shows the hidden Carrier IQ software in an HTC Android handset reporting every single keystroke he makes as he searches for 'hello world' on Google - despite having an encrypted connection to the site.
It's a major blow for the company: not only has it been caught out in an apparent lie, but the finding raises major privacy concerns. If, as Eckhart's research suggests, the Carrier IQ software is monitoring every keystroke, that means that the company is privy to the contents of every single internet search, dialled telephone number, sent SMS, chat log, and potentially usernames, passwords and credit card details entered into the browser.
It's a nightmare scenario for privacy activists, and it appears that Carrier IQ is about to find a serious spotlight shone on its activities.
Eckhart's video demonstrating the keystroke monitoring capabilities of the company's software is reproduced below. Carrier IQ has not responded to a request for comment at the time of writing.