Droid phones vulnerable to snooping attack

| No Comments
Note: Pretty much any device that's connected to a public wireless network could be susceptible!

----
http://news.cnet.com/8301-27080_3-20063646-245.html

Most of the Android smartphones on the market are susceptible to an attack in which someone could access calendar and contact data over an unencrypted Wi-Fi network, a team of German researchers said in a new report.

The problem is fixed in the latest version of Android, but 99.7 percent of all Android devices are running older versions, they said. Attacks can be carried out over unencrypted Wi-Fi hot spots by an attacker sniffing an authentication token (authToken) used by the Android devices when they communicate with the Google services, according to "Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol," which was released Friday.

It is "quite easy" to launch an impersonation attack against Google Calendar, Contacts, and Picasa Web albums on newer Androids, and theoretically all Google services using the ClientLogin authentication protocol for access to its data APIs (application programming interfaces), the report said.

A Google representative confirmed that the latest version of Android, 2.3.4 for smartphones, and 3.0 for tablets does not have the problem. "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa," he said in an e-mail statement.

Here's how it works. With the ClientLogin Protocol, applications request an authToken from the Google service by sending an account name and password via an HTTPS (hypertext transfer protocol secure) connection. The authToken is valid for up to two weeks and is used for subsequent requests to the Google service API. If the authToken is sent over unencrypted HTTP, an attacker could use network sniffing software, like Wireshark, to grab it, the researchers said.

"For instance, the adversary can gain full access to the calendar, contacts information, or private Web albums of the respective Google user," they wrote. "This means that the adversary can view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."

An attacker could grab multiple authTokens by setting up a Wi-Fi access point with the same name of a common wireless network provider, such as T-Mobile, Starbucks, or AT&T Wi-Fi and wait for Android phones with default settings to automatically connect to a previously known network and start syncing immediately, according to the report. Syncing would fail, but the attacker could capture authTokens for each service that attempted to sync.

Not only does this expose Calendar data, but also exposes information about users' contacts. An attacker also could change the stored e-mail addresses of contacts and the Google user would be at risk then of inadvertently sending sensitive information to the attacker instead of the intended recipient, the researchers noted.

"We tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services)," the report said.


This pie chart from Google shows that as of May 2 most Android devices were on older versions of the operating system.

This pie chart from Google shows that as of May 2 most Android devices were on older versions of the operating system. (Click to enlarge.)

(Credit: Google)

Calendar and Contacts apps transmit requests in clear text via HTTP up to Android 2.3.3 and are therefore vulnerable to this type of attack. Since Android 2.3, the Gallery app provides Picasa Web Albums synchronization, which is also not encrypted, the researchers said. In Android 2.3.4 the Calendar and Contacts apps began using an HTTPS connection, however the Picasa sync does not, they said.

Android users should update to Android 2.3.4 as soon as possible. "However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone," the researchers wrote.

Also, Android users should switch off automatic synchronization in the settings menu when connecting with open Wi-Fi networks and avoid using open Wi-Fi networks at all when using the apps.

Updated 3:34 p.m. PT with official Google statement saying its is working to fix the Picasa issue.


Enhanced by Zemanta

Leave a comment



 Where is James King?


 

Language Translation




 

Other Links:


 Main
 Public Trail Maps
 Archives
 CMS
 About/Contact
 Twitter @BruteForce
 Facebook
 LinkedIn
 Geocaching
 View DGP stats

 

My Audio & Video:


 Flickr
 YouTube
 Pandora

 

Elsewhere:


 ATV Utah
 Our ATV Obsession
 Bogley Outdoor Community
 ATV Escape
 Trish's Cake Shop
 Dennis Udink's Site
 Army Ranger
 Alex's World
 Grizzly Guy
 Adventure World TV
 WeatherCam: UofU
 Delta Bravo Sierra Comics  
 PowerPoint Ranger Comics
 Reversaroller ATV Winch

March 2022

Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Recent Photos

About this Entry

This page contains a single entry by James King published on May 18, 2011 7:44 AM.

New tires for the Dually! was the previous entry in this blog.

USB 3.0 and Thunderbolt: Another standards battle in the making? | Crave - CNET is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.