According to The Register’s Dan Godin, the vast majority of devices running Google Android are vulnerable to attacks that allow others to fairly easily steal account credentials, contact information, and other sensitive data stored on Google’s servers.
The news comes to us from researchers at Germany’s University of Ulm, who say that after a user submits valid credentials to Google for calendar, contacts, and possible other accounts, the software retrieves an unencrypted authentication token sent in clear text, which can be used to access that content unauthorized for up to 14 days.
The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned. The researcher’s stated:
We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis…The short answer is: Yes, it is possible, and it is quite easy to do so.
These concerning findings build off of previous findings of Dan Wallach, a professor at Rice University who detected similar Android privacy flaws affecting Twitter, FaceBook, and Google Calendar – he discovered them without much effort, during a simple exercise for his undergraduate security class. The attacks he found can only be used when devices are connected to unsecured networks.
Google patched that security hole earlier this month with Android 2.3.4, but that version can still be undermined, causing devices syncing with Picasa web albums to transmit sensitive data through unencrypted channels. Google’s own statistics would suggest that this means that 99 percent of all Android-based handsets are vulnerable to the attacks. A Google spokesman said the company’s Android team is aware of the Picasa deficiencies and is working on a fix.
Researchers Bastian Könings, Jens Nickels, and Florian Schaub warned that the weaknesses could be used against people who use their Android devices on networks under the control of an attacker:
To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.
The researchers suggested that all apps using ClientLogin should immediate switch to using only encrypted https channels. The researchers also suggested Google could improve its security by shortening the length of time authTokens are valid and rejecting ClientLogin requests from insecure http connections.
This news is concerning, and affects a huge number of people, and although Google is said to be working on it, I personally find it extremely troublesome that issues this severe should be present in the first place, and would certainly place liability on Google for any possible damages resulting from the compromised data. Further, Google’s fixes would only apply to devices running the latest version of Android, and most Android devices are stuck on older versions.