Researchers show Android devices susceptible to eavesdropping

May 18, 2011 by Bob Yirka report

(PhysOrg.com) -- Following up on research done by Dan Wallach of Princeton University, which suggested that Android devices were susceptible to an eavesdropping risk on open WiFi networks, German researchers Bastian Könings, Jens Nickels, and Florian Schaub have shown that by using commercially available software (Wireshark) they were able to listen in on an open WiFi network and gain sufficient information to impersonate a legitimate user. Posting their results on the University of Ulm website, they describe how they were able to obtain access to Google calendar and contact data as well as Picasa images via the capture of authentication tokens.

In a February 22nd blog post for the University Center for Information Technology Policy, Wallach remarked that, as part of a security class he was taking, he discovered that by sniffing data traffic going to and from his Android smartphone using both Wireshark and Mallory, he could easily see Google calendar transactions, and noted how easy it would be for someone to grab some of that information to impersonate him on Google applications.

The German research team, after seeing what Wallach had found, decided to look a little deeper. They found that phones use tokens, called authTokens, that allow legitimate users to remain logged into certain Google applications for up to two weeks, and that these tokens are unencrypted; nefarious characters listening in could capture those tokens and then use them for their own illegitimate purposes, such as scraping calendar information or contact email addresses, or viewing private images in Picasa.
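An added example, not from the article or the researchers: a check an app tester could run over requests logged from their own app to flag credentials, such as the authTokens described above, that travel over plain HTTP or are reused after such exposure. The hosts, header values and the list of credential headers are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Headers treated as credential-bearing (an assumed, non-exhaustive list).
CREDENTIAL_HEADERS = {"authorization", "cookie"}

# Constructed sample: (URL, request headers) pairs as a test proxy might log
# them for your own app. Hosts and token values are made up.
SAMPLE_REQUESTS = [
    ("http://calendar.example/feeds/default",
     {"Authorization": "GoogleLogin auth=CONSTRUCTED0123456789"}),
    ("https://contacts.example/feeds/default",
     {"Authorization": "GoogleLogin auth=CONSTRUCTED0123456789"}),
    ("http://news.example/index.html", {"Accept": "*/*"}),
    ("http://photos.example/album", {"Cookie": "session=CONSTRUCTEDCOOKIE"}),
    ("https://mail.example/inbox",
     {"Authorization": "GoogleLogin auth=CONSTRUCTEDOTHERTOKEN"}),
]


def fingerprint(value):
    """Short hash so the report can correlate a credential without storing it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def audit(requests):
    """Return (url, header, fingerprint, reason) for every exposed credential."""
    seen, leaked = [], set()
    for url, headers in requests:
        scheme = urlsplit(url).scheme.lower()
        for name, value in headers.items():
            if name.lower() in CREDENTIAL_HEADERS:
                fp = fingerprint(value)
                seen.append((url, scheme, name, fp))
                if scheme == "http":
                    leaked.add(fp)  # readable by anyone on an open network
    findings = []
    for url, scheme, name, fp in seen:
        if scheme == "http":
            findings.append((url, name, fp, "sent in cleartext"))
        elif fp in leaked:
            # TLS on this request does not help: the same long-lived token
            # already crossed the network unencrypted elsewhere.
            findings.append((url, name, fp, "reused after cleartext exposure"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

The second finding is the one that is easy to miss: a token that is valid for days is exposed by its single cleartext use, whichever services later receive it over HTTPS.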

In some respects, many might not see such a breach as all that big of a deal; it’s not like Google is passing around bank account codes willy-nilly, but that’s beside the point. What’s important is that Google, a huge company with vast resources and staffed with some of the best in the business, clearly knew and understood what it was doing when it chose to use plain text messaging as the means for transmitting its authTokens; a move that demonstrates wanton disregard for the privacy of its user community, something that the company is already in hot water over due to the recent discovery that it has been tracking users’ movements via GPS.

And while this issue will eventually go away as users upgrade the software on their phones, something else is rather important here, and that is the means by which this news has come to the fore, i.e. through a grad student taking an undergraduate course, basically just fooling around with sniffing software. This quite naturally raises the question: what else is at risk? If there is no organization or agency testing the products that are sold by huge companies to users, how can we know that the things we do are safe from those who might wish to steal our data, impersonate us, or worse, use the things they find against us, such as disseminating embarrassing pictures we thought were safely tucked away under password protection on Picasa?


12 comments


Modernmystic
3 / 5 (2) May 18, 2011
Let's just say if you don't trust someone completely, don't leave your droid around them unattended....
migbasher
5 / 5 (2) May 18, 2011
This article states the obvious.
FACT: Any device on an open or any WEP and WPA with a weak password can be sniffed due to ARP poisoning attacks, even SSL can be sniffed easily.
migbasher
May 18, 2011
This comment has been removed by a moderator.
Kedas
2 / 5 (1) May 18, 2011
Nobody seems to care, but the whole idea is to make all your private info available so it can be taken and sold and used against you.
All those Facebook people think that they are not paying for it.
jjoensuu
not rated yet May 18, 2011
Writing something bad about Google or Apple is like writing about how the universe came into existence (or some other evolution vs creation subject) ;-P

Anyways, to the statement:
"how can we know that the things we do are safe from those who might wish to steal our data, impersonate us, or worse use the things they find against us, such as disseminating embarrassing pictures we thought were safely tucked away under password protection on Picasa?"

Well those embarrassing pictures are not safe, simple as that. The reason is, at least the DB administrators at Google (and all other companies) will need full access to the DB.
migbasher
not rated yet May 18, 2011
Would like to add, the best thing you can do to keep your wireless network safe is use a WPA/WPA2 variant with a strong password (upper/lowercase and numbers).
LuckyBrandon
1 / 5 (1) May 18, 2011
@migbasher - WPA and WEP are easily broken, yes, but you state "due to" and list an attack type... if the authentication mechanism is broken, it is vulnerable to ANY attack type (most popular of which will be denial of service).
I also wouldn't refer to SSL encrypted traffic as easily sniffed... can you sniff the packets on the line, sure, but breaking the encryption and reading the packet content is entirely different than seeing the conversation took place at all.
migbasher
not rated yet May 18, 2011
@Luckybrandon, how fast can you break WPA? While it's true you can capture the WPA handshake, it will take you years, even using rainbow tables, if the password is strong. A good password is key. Therefore WPA is fine as long as you have a good strong password; WEP, as I said before, is pretty much broken and should rarely be used. SSL can be stripped with ease and worked around, I'm certain you can find a YouTube of someone doing this. I personally use SSLstrip when I audit to accomplish this.
LuckyBrandon
1 / 5 (1) May 19, 2011
"@Luckybrandon, how fast can you break wpa? While its true, you can capture the wpa handshake, it will take you years, even using rainbow tables, if the password is strong. a good password is key. Therefore wpa is fine as long as you have a good strong password, wep as I said before is pretty much broken and should rarely be used. SSL can be stripped with ease and worked around, I'm certain you can find a YouTube of someone doing this. I personally use SSLstrip when I audit to accomplish this."


Sorry, I meant to just put WEP up there and not WPA, my apologies for the confusion :)

My employer gives me a bunch of handy tools to strip down SSL, but that's just it, they aren't externally available (not saying none exist of course)
migbasher
5 / 5 (1) May 20, 2011
@LuckyBrandon.

remote-exploit.org or google "backtrack". You should give this Linux distro a look, it's a pentester's dream. Made my job 100x faster, has almost everything you need. Certain it will do the same for you.
LuckyBrandon
1 / 5 (1) May 27, 2011
"@LuckyBrandon.

remote-exploit.org or google "backtrack" you should give this Linux distro a look, its a pentesters dream. Made my job 100x faster, has almost everything you need. Certain it will do the same for you."


cool thanks mig :)
mb200
not rated yet Jul 03, 2011
I was at the Verizon store looking at a new smartphone (Android) and the sales rep indicated that the phone stores both the contacts and calendar data into the (internet) cloud (e.g. on some Google site). Given that you need to "sign" the Google Gmail agreement to use the phone and that this agreement states that all information on the Google server they have access to and may use without further consent from the user (e.g. me); does this not pose a security risk and the possibility that Google will use data from the phone or distribute it to their advertisers? I don't want Google or ANYONE else to see, use, or have any access to my contacts or calendar information, as well as any other data received, transmitted, or stored into my phone (e.g. call log data).

Also, what prevents an app (e.g. PC tethering) from collecting data and sending it to a secondary internet address (not one that I intend to be connected to)?

What are the protections from viruses and spyware?
