LinuxDevices.com Archive Index (1999-2012) | 2013-current at LinuxGizmos.com | About  

Google aims to fix Wi-Fi vulnerability threatening Android devices

May 18, 2011 — by LinuxDevices Staff — from the LinuxDevices Archive — views

[Updated: 11:50 a.m.] — Google is scrambling to fix a flaw in the way applications authenticate with Android's Google services. This latest Android security mishap, which could have enabled Wi-Fi “man-in-the-middle” attacks on 99.7 percent of Android devices, follows a recent Juniper Networks report claiming that malware has surged 400 percent since last summer.

Most devices running Google's Android operating system are vulnerable to a man-in-the-middle attack that would allow adversaries to access victims' personal data stored in Google services, warned a group of university researchers on May 13. Malicious individuals can intercept authentication tokens from Android users running applications over an unsecured Wi-Fi network, said researchers from Germany's University of Ulm.

Today, PCMag filed a report saying Google was working to fix the problem. "We're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesperson reportedly told the publication. "This fix requires no action from users and will roll out globally over the next few days."

According to the story, the "silent fix" will target all phones, regardless of the Android release, although Google would not offer further details.

Applications that access Google services, such as Calendar and Contacts, use ClientLogin authentication protocol requests and receive an authentication token to gain access to user data. Google designed the tokens so the same instance can be reused to access that service for two weeks. However, if the token is requested and sent while the user was on an unencrypted insecure connection, anyone eavesdropping could find and steal the token — then use it for the 14-day period to access user contacts, calendar items, email and other personal information.

The tokens aren't bound to a session or a device, making it very easy for the attacker to impersonate the user with a different handset, according to University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub.

"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis," the researchers in the university's Institute of Media Informatics wrote. "The short answer is: Yes, it is possible and it is quite easy to do so."

Flaw fixed in Android 2.3.4

The problem exists in Android 2.3.3 and earlier, which includes 99.7 percent of current Android devices, according to Google's platform statistics. The hole has been addressed in 2.3.4, and all the applications now use the secure HTTPS connection to access Google services, according to the researchers. Now, Google is apparently back-porting this code to phones running other releases via its silent fix.

The ClientLogin authentication protocol vulnerability is an example of attackers exploiting Wi-Fi networks and spying on enterprise and personal data, Dan Hoffman, chief mobile evangelist at Juniper Networks Global Threat Center, told eWEEK. The "ease of this exploitation" makes this a serious vulnerability for anyone with sensitive data stored in Google services, Hoffman said.

According to the University of Ulm researchers, "an adversary can gain full access to the calendar, contacts information or private web albums of the respective Google user."  The adversary can view, modify, or delete any contacts, calendar events or private pictures as if the legitimate user had properly logged in.

The person would be able to obtain and manipulate all items owned by the user "clandestinely" over an extended period of time, according to Juniper's Hoffman. A malicious hacker could harvest a large number of tokens by merely setting up a Wi-Fi access point and pretending to be an unencrypted wireless network. Any Android device within range could connect, giving the hacker access to the service tokens.

Enterprises should make sure employees are using VPN software to access the corporate data or email over open Wi-Fi networks, said Hoffman. Wireless settings should be properly configured, and application developers should make sure they are using proper security protocols to protect data, he added.

Researchers tested applications that contact Google services on various versions of Android and found the problem existed in all versions before 2.3.3. On Android 2.3.4 and later, only the Gallery application, which synchronizes Picasa with online web albums, remained vulnerable (since it uses regular HTTP for synchronization). Any Android or desktop application that accesses Google services using the ClientLogin protocol over HTTP is vulnerable, the researchers found.

The researchers suggested Google shorten the length of time the tokens are valid, and automatically reject ClientLogin requests from insecure HTTP connections. As a general rule of thumb, users should disable the setting that allows the Android device to automatically synchronize with open Wi-Fi networks until they need to do so.

Even though the chances of a regular user coming under this kind of attack "is not high," users should be "paranoid" and avoid open Wi-Fi networks, according to Paul Laudanski, director of the Cyber Threat Analysis Center at ESET. "Be mindful of where you are and what your systems connect into," Laudanski said.

Juniper: Android malware increased by 400 percent

The Wi-Fi vulnerability news follows a Juniper Networks report posted on May 11 claiming that cyber-attackers are increasingly gunning for Android as they take advantage of a user base that is "unaware, disinterested or uneducated" in mobile security. Android malware has surged 400 percent since summer 2010, according to the "Malicious Mobile Threats Report 2010/2011."

The increase in Android malware is a result of users not being concerned about security, as well as the large number of downloads from unknown sources, and the lack of mobile security software, according to the Juniper Networks Global Threat Center, which compiled the report.

About 17 percent of all reported infections were due to SMS Trojans sending text messages to premium rate numbers, the report found. Spyware capable of monitoring phone calls and text messages from the device accounted for 61 percent of reported infections. All reported infections on Android devices were of this kind of spyware.

For the past five years, most mobile malware targeted Symbian and Microsoft Windows Mobile platforms, Juniper said. In fact, over 70 percent of malware definitions in Juniper's Junos mobile security service are of Symbian malware.

The current trend shows that malware developers are increasingly targeting Android, In addition, the attacks are likely to get more advanced, such as turning mobile devices into a zombie in a botnet, said Juniper. The Juniper report cited a 2010 SANS Institute study that found only 15 percent of smartphone users were employing antivirus on their phones.

Somewhat prophetically, since the report came out about a week before the Univeristy of Ulm report, Juniper also warned that the increase in Wi-Fi enabled devices could result in more man-in-the-middle attacks, especially as people continue to trust public Wi-Fi hotspots.

Mobile malware still accounts for less than one percent of all malware detected globally, however, says Juniper. A more detailed version of the Juniper story may be found at eWEEK.

Fahmida Y. Rashid is a writer for eWEEK.


This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.



Comments are closed.