Dec 1, 2011

Your LastPass account is safe on Carrier IQ enabled mobile devices

When we read what Trevor Eckhart found regarding logging being done by an application installed by default on a number of HTC- and Samsung-based Android phones, we were concerned about just how far this Carrier IQ keyboard logging went.

We had to know if any of our users were at risk, so we could alert them to any danger. We replicated Trevor's findings, which he explained in his post on AndroidSecurityTest.com (the site seems to be intermittently down): http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

He also posted a YouTube video, now making its way through the media, showing his tests:



We saw the same log entries Trevor saw when dialing phone numbers, and receiving SMS, so that is confirmed.

We did not see any log entries when using the general keyboard though, including when typing into our LastPass for Android app and our LastPass for Dolphin HD app. The LastPass PIN code entry does not use the phone keyboard, so that is safe as well.
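The test described above is a canary test: enter a known value through each input channel (dialer, incoming SMS, keyboard, PIN entry), then scan the device log for that value. The following Python script is an added example, not code from LastPass, that automates the scan over logcat-style text. The log layout, the `IQAgent` tag and every log line are constructed for this example and are not real Carrier IQ output; the script also goes slightly beyond the post by matching canaries whose separators were stripped or changed in the log (for instance a dialled number logged with dashes).

```python
import re

# Constructed sample logcat output for this example. The "IQAgent" tag,
# process ids and message layout are assumptions, not real Carrier IQ logs.
SAMPLE_LOGCAT = """\
D/IQAgent ( 1234): key event recorded
D/IQAgent ( 1234): dialer: number=555-123-4567
D/IQAgent ( 1234): sms received from=5559876543 body=meet at noon
I/ActivityManager (  567): Starting activity com.lastpass.lpandroid
D/LastPass ( 2345): vault unlocked
garbage line that is not in logcat format
"""

# Canaries: the exact values entered on the device during the test, one per
# input channel. Use values that cannot occur by chance (length >= 8).
CANARIES = {
    "dialed_number": "5551234567",
    "sms_body": "meet at noon",
    "keyboard_text": "canary-typed-text-42",
    "master_password": "hunter2-canary",
}

# 'L/Tag ( pid): message' layout, e.g. "D/IQAgent ( 1234): dialer: ..."
LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$"
)


def _normalize(s):
    """Lower-case and drop everything but letters and digits, so that a value
    logged with different separators (555-123-4567 vs 5551234567) still matches."""
    return re.sub(r"[^0-9a-z]", "", s.lower())


def parse_logcat(text):
    """Parse logcat-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_leaks(entries, canaries):
    """Return {channel: [(tag, msg), ...]} for every canary that appears in a
    log message, either verbatim or after separator normalization."""
    leaks = {}
    for channel, value in canaries.items():
        norm_value = _normalize(value)
        hits = [
            (e["tag"], e["msg"])
            for e in entries
            if value in e["msg"] or norm_value in _normalize(e["msg"])
        ]
        if hits:
            leaks[channel] = hits
    return leaks


def summarize(text, canaries=CANARIES):
    """Map each input channel to True if its canary leaked into the log."""
    leaks = find_leaks(parse_logcat(text), canaries)
    return {channel: channel in leaks for channel in canaries}


if __name__ == "__main__":
    for channel, leaked in summarize(SAMPLE_LOGCAT).items():
        print(f"{channel:16s} {'LEAKED' if leaked else 'not in log'}")
```

On the constructed sample the dialled number and SMS body are reported as leaked, while the keyboard text and master password canaries are not, which mirrors the three outcomes the post reports. A real run replaces `SAMPLE_LOGCAT` with the output of `adb logcat -d` captured after entering the canaries on the device.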

This is very good news, as your LastPass account - and most importantly, your master password - is safe on your Android phone even if Carrier IQ is installed.

Please note that using a multi-factor authentication device like Google Authenticator with your LastPass account would protect you even if an application were logging keyboard events, so it is highly recommended.

We'll continue to monitor the situation and assess potential risks to LastPass users.

The LastPass Team

6 comments:

  1. This comment has been removed by the author.

  2. Great to know. Thank you for updating us LastPass. This is another reason why I appreciate you willing to assure your users with things like this. You just got a new mobile app customer.

  3. So, when are you going to show a video proving such?

  4. In addition to LastPass - we use Duo Security (www.duosecurity.com) for two-factor authentication. Duo Security allows users to use their mobile phones to secure their logins, VPNs, etc. I could not be more pleased with their service, and confident that our information is secure.

  5. Ahhh, Google Authenticator probably isn't the best example here, as if this was recording LastPass details, they may have the phone, which means they'd have access to any Google Authenticator app on your device. Also, if this is sort of a rootkit, then it likely provides access to your files remotely if needed, which could mean they could find your tokens and sync their own devices.

    Correct me if I'm wrong.

  6. Thanks guys -- keep up the good work!
