Researchers show Android devices susceptible to eavesdropping

May 18, 2011 by Bob Yirka report

Android

(PhysOrg.com) -- Following up on research done by Dan Wallach of Princeton University, that suggested Android devices were susceptible to an eavesdropping risk on open WiFi networks, German researchers Bastian Könings, Jens Nickels, and Florian Schaub have shown that by using commercially available software (Wireshark) they were able to listen in on an open WiFi network and gain sufficient information to impersonate a legitimate user. Posting their results on the University of Ulm website, they describe how they were able to obtain access to Google calendar and contact data as well as Picasa images via the capture of authentication tokens.

In a February 22nd University Center for Information Technology Policy, blog post, Wallach, remarked on how as part of a security class he was taking, he discovered that by sniffing data traffic coming to and from his Android smartphone using both Wireshark and Mallory, he was able to easily see Google calendar transactions and how easy it would be for someone to grab some of that information to impersonate him on Google applications.

The German research team, after seeing what Wallach had found, decided to look a little deeper; they found that because phones use tokens, called authTokens, that allow legitimate users to remain logged into certain Google applications for up to two weeks, that are unencrypted; nefarious characters listening in could capture those tokens and then use them for their own illegitimate purposes, such as scraping calendar information, contact email addresses or to view private images in Picasa.

In some respects, many might not see such a breach as all that big of a deal; it’s not like Google is passing around bank account codes willy-nilly, but, that’s beside the point. What’s important is that , a huge company with vast resources and staffed with some of the best in the business, clearly knew and understood what it was doing when it chose to use plain text messaging as the means for transmitting it’s authTokens; a move that demonstrates wanton disregard for the privacy of it’s user community; something that the company is already in hot water over due to the recent discovery that it has been tracking users movements via GPS.

Researchers show Android devices susceptible to eavesdropping
Enlarge


And while this issue will eventually go away as users upgrade the software on their phones, something else is rather important here, and that is the means by which this news has come to the fore, i.e. through a grad student taking an undergraduate course, basically just fooling around with sniffing software. This quite naturally begs the question of, what else is at risk? If there is no organization or agency testing the products that are sold by huge companies to users, how can we know that the things we do are safe from those who might wish to steal our data, impersonate us, or worse use the things they find against us, such as disseminating embarrassing pictures we thought were safely tucked away under password protection on ?

© 2010 PhysOrg.com

Filter


Move the slider to adjust rank threshold, so that you can hide some of the comments.


Display comments: newest first

Modernmystic
May 18, 2011

Rank: 5 / 5 (1)
Let's just say if you don't trust someone completely, don't leave your droid around them unattended....
migbasher
May 18, 2011

Rank: 5 / 5 (2)
This article states the obvious.
FACT: Any device on an open or any WEP and WPA with a weak password can be sniffed due to arp poisoning attacks, even SSL can be sniffed easily.
Kedas
May 18, 2011

Rank: 2 / 5 (1)
No body seems to care but the whole idea is to make all your private info available so it can be taken and sold and used against you.
All those face-book people think that they are not paying for it.
jjoensuu
May 18, 2011

Rank: not rated yet
Writing something bad about Google or Apple is like writing about how the universe came into existence (or some other evolution vs creation subject);-P

Anyways, to the statement:
"how can we know that the things we do are safe from those who might wish to steal our data, impersonate us, or worse use the things they find against us, such as disseminating embarrassing pictures we thought were safely tucked away under password protection on Picasa?"

Well those embarrassing pictures are not safe, simple as that. The reason is, at least the DB administrators at Google (and all other companies) will need full access to the DB.
migbasher
May 18, 2011

Rank: not rated yet
Would like to add, the best thing you can do to keep your wireless network safe is use a WPA/WPA2 variant with a strong password(upper/lowercase and numbers).
LuckyBrandon
May 18, 2011

Rank: not rated yet
@migbasher-WPA and WEP are easily broken, yes, but you state "due to" and list an attack type...if the authentication mechanism is broken, it is vulnerable to ANY attack type (most popular of which will be denial of service).
i also wouldnt refer to SSL encrypted traffic as easily sniffed...can you sniff the packets on the line, sure, but breaking the encryption and reading the packet content is entirely different than seeing the conversation took place at all.
migbasher
May 18, 2011

Rank: not rated yet
@Luckybrandon, how fast can you break wpa? While its true, you can capture the wpa handshake, it will take you years, even using rainbow tables, if the password is strong. a good password is key. Therefore wpa is fine as long as you have a good strong password, wep as I said before is pretty much broken and should rarely be used. SSL can be stripped with ease and worked around, I'm certain you can find a YouTube of someone doing this. I personally use SSLstrip when I audit to accomplish this.
LuckyBrandon
May 19, 2011

Rank: not rated yet
@Luckybrandon, how fast can you break wpa? While its true, you can capture the wpa handshake, it will take you years, even using rainbow tables, if the password is strong. a good password is key. Therefore wpa is fine as long as you have a good strong password, wep as I said before is pretty much broken and should rarely be used. SSL can be stripped with ease and worked around, I'm certain you can find a YouTube of someone doing this. I personally use SSLstrip when I audit to accomplish this.


sorry I meant to just put WEP up there and not WPA my apologies for the confusion :)

My employer gives me a bunch of handy tools to strip down SSL, but thats just it, they aren't externally available (not saying none exist of course)
migbasher
May 20, 2011

Rank: 5 / 5 (1)
@LuckyBrandon.

remote-exploit.org or google "backtrack" you should give this Linux distro a look, its a pentesters dream. Made my job 100x faster, has almost everything you need. Certain it will do the same for you.
LuckyBrandon
May 27, 2011

Rank: not rated yet
@LuckyBrandon.

remote-exploit.org or google "backtrack" you should give this Linux distro a look, its a pentesters dream. Made my job 100x faster, has almost everything you need. Certain it will do the same for you.


cool thanks mig :)
mb200
Jul 03, 2011

Rank: not rated yet
i was at the the verizon store looking at a new smartphone (Android) and the sales rep indicated that the phone stores both the contacts and calendar data into the (internet) cloud (e.g. on some Google site). Given that you need to "sign" the google gmail agreement to use the phone and that this agreement states that all information on the google server they have access to and may use without further consent from the user (e.g. me); does this not pose a security risk and the possibility that google will use data from the phone or distribute it to their advertisers? I dont want google or ANYONE else to see, use, or have any access to my contacts or calendar information, as well as any other data received, transmitted, or stored into my phone (e.g. call log data).

also, what prevents an app (e.g. PC tethering) from collecting data and sending it to a secondary internet address (not one that I intend to be connected to)?

what are the protections from viruses and spyware?
Rank not rated yet
more news
Related Stories
created May 02, 2011 comments 0

Google adds voice and video to Google Talk on Android smartphones

created Feb 11, 2011 comments 0

Google account users get extra security

created Jun 25, 2010 comments 0

Google deletes two Android applications remotely

created Jan 08, 2006 comments 0

Google Announces the Google Pack

Tags

android, eavesdropping, picasa, google
Relevant PhysicsForums posts

More news stories

SpotterRF debuts Radar Backpack Kit (w/ Video)

(Phys.org) -- SpotterRF has announced a special radar backpack kit designed to enhance situational awareness for soldiers on the ground. The company says its special radar is designed for warfighters as part ...

Technology / Hi Tech & Innovation

created 20 hours ago | popularity 5 / 5 (5) | comments 12 | with audio podcast report

Probability of contamination from severe nuclear reactor accidents is higher than expected: study

Catastrophic nuclear accidents such as the core meltdowns in Chernobyl and Fukushima are more likely to happen than previously assumed. Based on the operating hours of all civil nuclear reactors and the number ...

Technology / Energy & Green Tech

created May 22, 2012 | popularity 3.6 / 5 (21) | comments 56 | with audio podcast

Delphi gasoline-injection engine technique rivals hybrid's edge

(Phys.org) -- Running a diesel like engine on gasoline is something Delphi is doing in notable fashion. They claim they are on to a promising way to enjoy an engine that gives the vehicle owner high efficiency ...

Technology / Energy & Green Tech

created May 21, 2012 | popularity 4.7 / 5 (18) | comments 38 | with audio podcast report

HyperSolar shows dirty water no barrier to power world

(Phys.org) -- The Santa Barbara, California, company, HyperSolar, is set to transparently share the ups and downs of its research experiences toward the company’s ultimate vision, successfully producing ...

Technology / Energy & Green Tech

created May 24, 2012 | popularity 4.8 / 5 (15) | comments 17 | with audio podcast report

Tesla to launch electric sedan in US on June 22

Tesla Motors said Tuesday it would begin deliveries of "the world's first premium electric sedan" on June 22, slightly ahead of schedule.

Technology / Energy & Green Tech

created May 22, 2012 | popularity 4.5 / 5 (11) | comments 18


Scientist: Evolution debate will soon be history

(AP) -- Richard Leakey predicts skepticism over evolution will soon be history. Not that the avowed atheist has any doubts himself.

Dell tablet leak: 10.1-inch display, two-battery choice

(Phys.org) -- Headline after headline talks about vendors’ tablets in the wings as likely number-one contenders for the iPad. Such claims have justifiably been taken with a grain of salt, considering ...

SpaceX capsule has 'new car' smell, astronauts say (Update)

SpaceX's Dragon cargo vessel smells like a new car, said astronauts at the International Space Station after opening the hatches Saturday following the spacecraft's landmark mission to the orbiting lab.

Thousands of shellfish found dead in Peru

Thousands of crustaceans were found dead off the coast of Lima following the mystery mass death of dolphins and pelicans, the Peruvian Navy said Friday.

Astronomers seize last chance in lifetime for Venus Transit

Astronomers are gearing for one the rarest events in the Solar System: an alignment of Earth, Venus and the Sun that will not be seen for another 105 years.

Australia hails surprise super-telescope decision

Australia has hailed a surprise decision giving it a role in a radio telescope project aimed at revolutionising astronomy, vowing to draw on its decades of experience in space science.