99% of Android phones leak secret account credentials The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned. The weakness stems from the improper …
I went ahead and installed Kies specifically because of this article. And Geoff Campbell, I'm well aware of Gingerbread ALLEGEDLY about to be rolled out since I did just post the link about it up there.
My Kies information:
Current firmware version: PDA:U7 / PHONE:JKS / CSC:U5 (CPW)
Latest firmware version: PDA:U7 / PHONE:JKS / CSC:U5 (CPW)
So no, Samsung do not update regularly, and never have. That is unless I bought a Tab that's been sitting in the warehouse for however-long with the latest firmware somehow magicked onto it. Their Android update support is infamously crap, hence my utter surprise at this latest announcement.
Also is it just me, or is Kies an awful, slow POS that makes iTunes seem almost slim?
I got a lot of Samsung stuff here down to fridge and let me say something: Do NOT buy anything Samsung until they act like a real big brand. I don't talk about sales/hardware specs, I speak about a company who can have english typos (yes, typo) on their pages.
Ask their Symbian users how they got abandoned without any reason and how firmware hackers, actually engineering for free creates miracles.
I personally make sure to 'forget' networks that I don't personally have any control over.
I would also note that my phone* will actually not remember networks with common names (seen this happen with an AP named 'NETGEAR') to prevent you accidentally trying to connect to any old AP.
* Not android.
I can understand those that want to look chic having a coffee and browsing their iTard 4.fail - but for the sake of checking emails or facebook on the go I can't see the point - after faffing and connecting to it 3G would have updated it anyway.
Anon so the fanbois don't lynch mob me! I have an iPhone, but hopefully for not much longer....
You've never used a public Wifi network, even when abroad, at a airport, hotel, conference, cybercafe... I guess you always go and buy local SIMs with generous data plans even in countries that don't sell them?
You wouldn't get pwned if Google encrypted this information as they should. Don't blame public wifi for this problem.
Who blamed this problem on public wi-fi? That was a little party going on in your own head alone it seems. The point was simply that free public wi-fi is often completely unsecured.
As an Android user whose network hasn't deigned to put out Gingerbread 2.3.4 for my handset it does concern me that Google has been sloppy with security for earlier incarnations of Android. Us geeks can make a judgement about the risks of connecting to insecure wi-fi (again, that was implicit in my point) whereas most lay Android users will take the view: "Yay! Free wi-fi!"
Well AC 08:39 did.
You as well, but in disguise. Who hasn't been abroad with their smartphones and said "Yay! Free wi-fi!", get real.
Now I know not to use certain services over untrusted Wifi, but apparently Android will go right ahead and sync my calendar and contacts with insecure authentication tokens as soon as it connects.
You have to remember that while you may remember all that or even do that kind of thing day-in day-out, most people want a phone to work like their car, TV or fridge. Switch it on and use it as per manual, they do not want an appliance to have to require 6 weeks of evening college to understand.
The last time my dishwasher conk out I didn't bother getting the Zanussi service manual and pulling the back, I was paying for extended warranty so I called up whomever it was I paid, told them the problem and they sent a bloke out within 4 hours to fix it, job done. Same with PCs, phones, cable TV recievers, fridge, cars, a lot of us have other priorities in our lives so we pay for the convenience of someone else to fix stuff when it's broke. It may be odd to some, but that's the way life works today.
Even most Linux users who claim to be technical never go beyond point and click.
You forgot about back-up, reboot, make depend .... But then, by the snide attitude and complete ignorance of the vast majority of mobile telephone usage, I take it that your UNIX knowledge is just as thin, wonderful as your ability with a search engine may be.
Oh, and you must have "jail-broken" your mobile. Last time I looked, HTC, for instance, did not have a supplied terminal emulator as standard (last week) and a colleague's Samsung has got one installed, but no access to any useful shell commands. (I know, I'm a UNIX fanboy: to me UNIX is a command line/shell driven system on which I can do real development or write natty scripts in ksh, perl or python or awk or ... to make life easy).
So drop the pomposity and know the difference between a telephone (even a "smart" one) and a computer (in the sense of a device into which one logs in and runs a choice of programmes, operating system etc.). A mobile has to work as a reliable, secure communications device for all users, while complying with regulatory, contractual and safety rules and regulations covering the use of telephone networks and frequencies; It should be simple to use with no apparent user maintenance, any more than the long established land lines or basic mobiles such as those supplied for years by Nokia and other suppliers.
"A mobile has to work as a reliable, secure communications device for all users, while complying with regulatory, contractual and safety rules and regulations covering the use of telephone networks and frequencies; it should be simple to use with no apparent user maintenance"
s/mobile/computer/
s/telephone/computer/
Are they really that different? Not according to your definition. Dig deeper.
You're also deluded about Nokia, I had to take quite a few to the service centre for updates because they would crash, go mad, lose contacts, etc - this was before remote updates came about, which just meant you had to do more updates but now at least you could do them at home.
I call that a lot of user maintenance, not unlike computers actually.
Android isn't some nerd's garage invention, it is the market leader and it has a very precious thing: google account credentials.
So it targets general public, not Debian owners who doesn't even need X11 installed. That -was- Neo phone which failed (thanks to hypocrisity of FSF fanatics) miserably.
Checking my posts "thumbs down", they also have unhealthy community of fanatics too. All I said was reminding the fact that it is a general public device and if Google doesn't knock these idiot vendors door soon, some catastrophe is waiting to happen.
You CAN'T deny security updates in 2011, that is also some trainwreck scandal waiting for Apple too (3G iPhone). If it happens, everyone will hear it and governments and carriers will really be pissed off with it. I don't say "free major updates", I say same major version+security update. No new features, just make sure your customer doesn't lose all their real life money.
So from what I understand this also affects those of us using the supposedly more secure 2-step verification authentication, for apps that use an application specific password - which lets be honest are all of them?
Why did I even bother turning it on and jumping through the all the hoops of using it.... setting up was a mess, apparently they haven't gotten around to support it well in Android, and now this.
Well done Google, authentication tokens over plain HTTP, top marks for stupidity. Can't even imagine what's in that Honeycomb source code now, if even they admit to having made "shortcuts".
It's all a smear campaign, can't you see? Smear smear smear. There is no issue here, passwords have been sent plaintext for ages without any problem whatsoever. Plain text auth tokens are just like plaintext passwords 2.0. Super cool. (anything else is a smear)
We even had our streetcars drive around collecting unencrypted Wifi packets to study in depth how this is such a non-issue.. Out of millions of networks we only collected hundreds of thousands of passwords, it's a whole order of magnitude less, so no worries. Did we say smear yet?
The real story is some very evil PR company paid for by ( Microsoft | Apple | Facebook | Vatican| Scientology| Aliens) asked some very naughty professors to claim this was an actual issue. Can you believe it? Now is that evil or what! Bad bad professors.That is the real problem, not this password thing which is so good it tastes like strawberry. Smear.
Hey look behind you, is that a giant ice cream sandwich? Yummy, all smeared in chocolate.
ps: If any of the professors is reading this remember when we said location data from Android phones was stored with a hashed version of an anonymous token, which is deleted after approximately one week? Well turns out the hash is pretty unique, the "approximately" is exactly just that and the anonymous, well.. >:-> Don't call us, we'll be in touch.
The beauty of modern corporate fuck-ups is how well they scale. This wouldn't be possible in technologically inferior societies, so quit crying about every little bitty breach of 100 million or so.
Yay for progress!
This message brought to you by the Luddite Hammer Company.
Um....
and this is different to any other man in the middle attack how??
Bottom line is regardless of what device you use to access the internet - unsecured wireless hotspots are ALWAYS a danger!
How many people do you think update their facebook over free WiFi?
How many of those people do you think even know that facebook provides a https option if you turn it on in your account?
I would be willing to bet that 90% of people using facebook over an unsecure wireless network are doing so with using https.
If you use Farcebook you don't really expect any security do you? All it takes is one of your "friends" account to be hacked and your info's spammer (or worse) fodder.
However I'd think users of Google's Calendar or contacts would expect a bit more.
I don't personally use Calendar but now quite a few people who manage their lives around it. I don't think they'd be happy sharing that with strangers in foreign places (where there's no real option than to use local public Wifi)
"99% of Android phones leak secret account credentials"
I don't think any *credentials* are being leaked here. It seems that the cached plaintext 'auth successful' file. Sure this would allow attackers to automatically gain authentication with services - but it doesn't appear that it actually leaks the account credentials themselves (passwords, usernames, etc).
Concerning, nonetheless.
Indeed. Had a further chat with the author and I can see your point. I think I do still draw a line between 'leaking a temporary token' and 'leaking a username and password that can be used anytime, anywhere' (until they get changed, of course). Most passwords online do not expire and it's only through intelligent security processes that you'll ever see a password get changed... not something that's done often. A temporary token though? It expires. While it's active sure, the attacker can abuse it for all its worth, but once it has expired they need to hunt down a new one.
I stongly dislike Google's tentacular approach to user data as much as (and maybe more than) everyone; however the headline is plain silly.
99% apps are rejected from the app store -because face it, noone knows the rules
99% of windows computers are part of a botnet -because any one of them might be at some point
99% of linux boxen are utterly unusable -because who hasn't encountered a kernel crash
99% of phone conversations are recorded by USA spooks -can you prove me wrong?
99% of computer parts are faulty - well they will fail at some point won't they?
99% of car drivers to die in a collision with a firetruck -well, it has happened before, it can happen again.
99% of articles having "99%" in their headline are either junk or going for the easy attention-grab trick -no comment.
But again, that's why I read El Reg!
The title says 99% *leak information*, which is true.
It's not something that may happen or happened once in the past, it's something that does happen every time they're on Wifi (and btw, even if you encrypt with WEP or even WPA - the latter under certain conditions - these have been easily hacked)
"The title says 99% *leak information*, which is true." Erm, no its not?
Some models/versions (probably most) are vulnerable to a man-in-the-middle impersonnation attack when authenticating through unsecured connection. Which means, it's only slightly *more* secure than your average unsecured authentication (only a "one-time" token can be stolen, not your actual permanent credentials). That's not exactly "leaking information" in the sense that most people would understand. As for the 99% figure, it's simply pulled out of thin air.
I'm not saying that there's not an issue here, I'm just saying that the title makes it bigger than it actually is. That said, if I didn't like my tech story with a bit of added spice I wouldn't read El Reg.
I think you didn't read the actual article (not this summary, the actual research one)
There no difference in vulnerability here, if the phone is running anything lower than Gingerbread 2.3.3 it'll be sending plain text authentication tokens to Google for the Calendar, Contact and Picasa sync.
The 99% number is the percentage of Android devices that are not on 2.3.3 yet. All those devices are doing this.
H
A single-use token can be intercepted when using non-encrypted connexion (that's what you call "plain text" I presume; I'd say it's hardly text, but yes, it's unencrypted. That's the whole problem with unencrypted connections).
That's "leaking information" as in my "99% of computer are faulty" above. Normal people call it "vulnerability to a man-in-the-middle attack". And not the most serious kind either (not that it's not serious; it could just be worst). It is a LOT less dangerous than transmitting your actual username and password, for example, as here all the man-in-the-middle attacker can do is log in in the very service that token was issued for (no credential re-use issue as "ho shit I use the same password for iCalendar and for banking"), and for 14 days "only". Still serious enough, especially on mobile devices which can be expected to connect through insecure networks.
And again, it's not a spontaneous data leak, it's vulnerability to a man-in-the-middle attack (although the title was changed since I posted my first comment; it is less misleading now).
As for the 99%, my objection was that it's assuming that all owners of an "old" Android device are using it to authenticate via unencrypted connections through unsecured networks where there happens to be someone logging that particular type of tokens and using it to implement the attack. It takes all that for any information to actually leak. So I doubt the actual figure is 99%.
I don't say that the title is absolutely completely false, I just say that it's not absolutely true either. That's why I said "misleading". But I don't have any particular problem with that, especially not on El Reg.
OK, supposing that the Android system is compromised and that this isn't a M$ smear campaign.
My HTC phone is branded by Orange and still has Android 2.2 because Orange's updates are always way behind the real release. I can't load vanilla Android without voiding my warranty so Orange are now putting all of their customers at risk by not supplying an update.
My question is this: If there is a real security threat, do Orange now have the right to require all of its users to stick with their "version" of the OS on the phones they supply?
It sounds very much like the same issue that Firesheep was getting at, unsecured authentication tokens on unsecured networks. Yes, I would expect better from Google services, but surely this problem happens on any device that connects to insecure networks.
Android is so tied to Google services that on some devices, deleting your gmail account may wipe the entire device.
I mean if you don't like Google's stance on prlvacy etc, just don't buy a device with Google OS. Not saying "buy that instead", I am in similar situation and may end up with a small netbook+dumb phone.
This is the most amazing thing coming with iPhone. They somehow managed to convince/force all network operators for updates in Sync.
As a person who had to hack his Nokia E71 product code to get updates in same time, I have to admire them.
If iPhone OS was a OEM thing, I am sure they would make sure these idiots (networks,device makers) do the same thing too. Apple doesn't mercy when it comes to update policy and roadmap.
Sad thing is, android and ios, that is all left to choose.
With HTC and many other vendors locking phones to android 2.1 things (e.g. htc hero) are worse than highlihgted here. Many phones come with 18-24 month contracts. The makers of the phones are refusing to offer the newer OS's for phones that may only be a few months old leaving users stuck with insecure versions.
If my phone is attacked due to their negligence who is to blame?
Shame on them
I just had a quick look at the ClientLogin API, and it mentions the use of HTTPS... it also mentions it isn't compatible with 2-step authentication (whuch should make davidp1 happy)
Did anybody verify the issues mentioned?
I'm not an Android user, and use HTTPS and SSH anyway...
Unfortunately even if it's incompatible with 2-step authentication, ClientLogin is what uses Google uses in their phones.
That means when we do activate their 2-step stuff we have to create multiple application specific passwords to get Android to work, which are then used for (what we now know is) just ClientLogin.
I can't confirm non-HTTPS use, but Rice University is not your typical rumour mill and I doubt an associate professor such as Dan Wallach would put his academic career and good name at risk over this, so until proof to the contrary I'll take his word for it.
This is _exactly_ the kind of thing which will turn android into "windows for phones". High volume, and a lucklustre and throwaway attitude to security.
It's the same reasoning which has left the "install whatever the hell I want" switch in the settings menu.
If the industry doesn't wake up Apple will wipe them all out - not due to a single issue like this, but because, again and again, the fragmented players who exist in the android space won't play ball with each other, or google, and google won't play with them either.
It's the perfect environment for exploitable security holes to flourish, for multiple platforms and specifications to befuddle application developers and result in lowest common denominator applications using the oldest API available for maximum compatibility... a whole host of issues stemming from Google's management of the android experiment (let's face it, they're still in beta as usual).
I hope the ice cream sandwich they're planning unifies and places some strictures or some god-awful vulnerability across the entire platform will result in a global bollock-up of PSN proportions.
Who cares if one looses control over ones facebook account. Surely you could phone all your friends and tell them to un-friend you, and then befriend you on your newly created FB account!
Side-tracked there: are we discussing something else...
This only works if you are using open unencrypted wifi and that the attacker spoofs your wifi sitting just outside your door. We all know the dangers of using unencrypted wifi without https apps, it's the same on your Laptop, which is why last year Google turned all its web apps to https by default. 99% of Android users DO NOT currently use their phones on unecrypted open wifi so this attack is pretty much useless regardless of your Android version, Apple's gps tracker is much worse.
You mean the same GPS tracking as Google? What a Googletard your are.
I'd bet good money that cat least 90% of Android users have been on unencrypted wifi one time or another, especially since the device connects to them by default.
Not that it matters anyway since even most encrypted Wifi networks can be hacked very quickly.
Plaintext text auth of any kind should be a punishable crime. We've known about this since people started dropping telnet for SSH - that was 16 years ago!
Funny, my Galaxy Tab doesn't. Neither does the ZTE Racer. Neither did the Commtiva N700. Neither does a friend's Galaxy i7500 (the one that Samsung rather unforgivably dumped and left with 1.x). Neither does the Dell Streak. Or the Motorola Xoom. In fact I have yet to see a single device, Android or otherwise, that automatically connects you to an unknown network without some serious hackery going on.
Are you sure you haven't just remembered an open access point called "NETGEAR" or something, and still have its profile? Android (and a lot of other OSes) uses the SSID to determine network identity, which is really annoying when you have two people, with two different security set-ups, who both have routers called "dlink".
Try locating the offending profile and giving it the old heave-ho. Shouldn't be too hard. Tap on the entry then select "forget".
By the logic of the title of this article, 100% of all Windows/Linux/Mac/*BSD laptops in use leak secret account credentials because somebody coded an application that doesn't use transport encryption for session tokens. And I can assure you that that's true for every single platform with more than 10.000 users worldwide.
To bring some facts into this, since The Register reporters are too busy writing ill-informed articles with missing pieces...
ClientLogin is an interface to get auth tokens for Google services (such as Calendar, Mail etc). The graphic in the docs (https://code.google.com/apis/accounts/docs/AuthForInstalledApps.html) explains it quite nicely. You let the user enter credentials, get a cookie and can then access the service. That's a pretty standard operation and nearly all popular services that serve third-party clients use something of that form (OAuth is an extended version of this scheme, and OAuth is used by quite a few large services such as Twitter).
If the application utilising ClientLogin uses some form of transport encryption (which is really just the exact term for SSL aka "https" in this case), you're a-ok. This is what applications CAN do. They CAN perform Google API in an end-to-end encrypted manner.
The big mistake is (as so often) letting coders do the wrong thing. Applications CAN also use the unencrypted form, as in "no SSL", and in this case that's even what Google Calendar and whatnot is doing.
So, who's the culprit here? Still Google, but not only them. Google not forcing devs to use transport security AND devs having no damn clue of security (because security is hard and education on the subject is done by grumpy cynical elitists like me) and not using transport security equals FAIL.
What to do? Not much, sadly. If you must use unencrypted connections (such as public WiFi [WEP encrypted ones count too, really, but it raises the effort required]), the same applies as usual: Tunnel everything through a VPN or do something of that sort to reduce the amount of people you have to trust. Tell the devs of the apps you have on your phone that use Google services (I think that's a permission, so you could probably check that, not sure) to switch to HTTPS. It requires no real extra effort, everything is already there. In many cases, that's a SINGLE CHARACTER the coder has to change.
I'll go back to my security cave now and be passive aggressive about stupidity there. Cheers.
Couldn't you read the article? Let me make it uppercase for you as you seem to like that style.
The problem here is that it's GOOGLE who IS NOT USING transport layer security (aka HTTPS) for connecting to THEIR OWN SERVICES from Android including:
* Calendar Sync
* Contacts sync from their Android phones
* Picasa Gallery Sync
So it's Google's own damn fault they didn't change that SINGLE CHARACTER you mentioned.
Maybe you should get out of that cave more often?
It's a game played by a large % of Android users, some flavors even make it stupidly easy to do so.
Either way you twist it doesn't excuse Google from not using encryption to authenticate to their services. They even have that as a best practice in their own documentation for developers FFS, why not follow it.
Uhm, you do know that phones have been able to run apps for several years before the iPhone was a twitch in el Steve-o's pants? It's called Java/J2ME, and there are snoop apps for bog standard Nokia "dumbphones" too.
And no, the PI would not be able to just "send it to your phone". Google and Apple might be able to do sneaky things like that, but your wife's PI has absolutely no chance. They'd have to have access to the device, and even then you might notice an extra "McSnoopSnooperson" app in the list that wasn't there before.
So, carry on banging the secretary, eh?
Why is it the world never remembered the name of Johann Gambolputty de von Ausfern-schplenden-schlitter-crasscrenbon-fried-digger-dangle-dongle-dungle-burstein-Von-knacker-thrasher-apple-banger-horowitz-ticolensic-grander-knotty-spelltinkle-grandlich-grumblemeyer-spelterwasser-kurstlich-himbleeisen-bahnwagen-gutenabend-bitte-ein-nürnburger-bratwurstle-gerspurten-mit-zwei-macheluber-hundsfut-gumberaber-shoenendanker-kalbsfleisch-mittler-aucher von Hautkopft of Ulm?
It's Google too. Google wants control and know everything. They have corrupted their own system.
But it's all a security risk. We should be able to use wifi. But they have stop spying on people and tighten up their security. Or there is really no point......
We just view pages but transmit any personal data. Go home and use a local Lan. Or get out of the house and do our own shopping.
They gotta controlling everything and typed up security. Or there is no point to internet.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
