Security Market Segment LS
Sunday, 19 June 2011 22:52

Android security hole - an update


Despite resolving the issue of how the tablet acquired the WiFi credentials raised in the previous tale, there are still significant issues regarding the storage of such information in a cloud environment.

Following iTWire's report of a security issue with Android's WiFi connection, some resolution has occurred, but many of the main issues remain.

iTWire's previous report suggested that somehow, the WiFi credentials magically transferred themselves from the Google cloud to the tablet.  Fortunately that was resolved when the user concerned (referenced in the previous article) finally recalled that he'd in fact connected to his home WiFi network and logged in with his Google account.

However, that does nothing to dispel a certain disquiet about the whole thing.  Allowing for the slight error made by the original protagonist (let's call him 'Fred' for the purposes of simplicity), we can restate the incident as follows:

Fred buys a new Android device, turns it on, connects to his home WiFi network and logs in to his Google account.  Very quickly the device is informed, via a background download, of every WiFi network Fred has connected to on any of his other Android devices.  We know this because it is given the details for networks that are tens of kilometres away; and clearly the device hasn't visited them (yet!).

So, all this requires is a Google account (a Gmail account is enough), nothing more.  When iTWire raised the issue with Google, their representative asserted that the ability to copy WiFi credentials to the cloud was a user-configurable option and sent screen shots of how to alter the setting; unfortunately, on this writer's phone (an HTC Aria running Android v2.2), despite extensive searching, no such privacy menu was available (clearly I have no privacy!).

Let us test the claim of user configurability (notwithstanding my own lack of a 'privacy' menu).

Numerous posters to "Fred's" tale reported that the setting to copy WiFi credentials to the cloud was ON by default; in fact to this author's recollection, there were no respondents claiming that a brand-new device had this setting turned off.  And it is churlish in the extreme to suggest (as many have in response to previous articles) that if people can't figure out these settings, they shouldn't have a smartphone.

Note, both my telco and Google have been invited to respond to this discovery.

So, on the quite reasonable assumption that a new android device (phone, tablet etc) is configured to use this feature automatically, and a good number of owners will not have the knowledge or foresight to disable it, Google could reasonably be assumed to have SSID and WPA encryption keys for a very significant, perhaps most WiFi access points around the world.

Certainly there will be a certain degree of flux as users discover the feature and, weighing up the privacy vs. ease-of-use will choose to remove the storage (note, disabling the feature will also cause any stored credentials to be deleted - of course they'll be deleted, Google promises).

Consider the furore that arose with the 'accidental' capture of unencrypted WiFi data by the StreetView cars, and the strident, yet totally erroneous claims by Communications Minister Conroy that banking data may have been collected (oh, how mighty are the stupid?) - data that was assessed as being possibly only a few seconds of transmission for each location.

Now consider what the effect might be of Google (should they ever choose to) being able access any and every WiFi hotspot in the world. 

By the way, it was never possible for the StreetView cars to access banking details; EVERY banking session is fully encrypted independently of the encryption (or lack thereof) used in the WiFi session.

So, given all this, what might we expect?


Number one (and second is clear daylight), the Feds (or whatever they're called in your country of choice) will be *very* interested in obtaining (legally sanctioned, of course!) access to whichever WiFi hotspot they're currently interested in.  They now know the information is stored by Google and are easily able to get it by court order.

"Oh dear, sorry, the WiFi you're interested in is one of the 0.53% to which we don't have current access credentials; sorry."

Ah huh.

And if the Feds have access, so does every criminal, marital and civil litigant in every court of the land.

Not only that, but we have already seen how porous the Google security is with the various 'Chinese' intrusions; and thus who knows how easy it is for anyone else to make their presence felt.

Sometimes we find that some simple shortcut we take to make life easy ends up not just biting us on the arse, but taking said bodily part clean off.

Oh, and Mr Google, why is it I can't turn this feature off?



Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.




Denodo, the leader in data virtualisation, has announced a debate-style three-part Experts Roundtable Series, with the first event to be hosted in the APAC region.

The round table will feature high-level executives and thought leaders from some of the region’s most influential organisations.

They will debate the latest trends in cloud adoption and technologies altering the data management industry.

The debate will centre on the recently-published Denodo 2020 Global Cloud Survey.

To discover more and register for the event, please click the button below.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.



Channel News




Guest Opinion