Android Exploit Credential Theft

Hi,

I'm using a Droid X and read the following article:

http://www.bgr.com/2011/05/17/99-of-android-handsets-vulnerable-to-account-credential-theft/

This seems like a fairly easy exploit to allow sensitive information to be stolen from out phones. Can Verizon tell us (1) what we can do to prevent this exploit and (2) when a patch/upgrade will be issued with the Google patch that prevents this exploit? Thanks.

Accepted answers

Synycalwon

According to the original article on the Register (http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/):

"The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots."

This is why I NEVER use Wi-Fi hotspots whether it's my laptop or smartphone! I only trust my own network (hardwired or Wi-Fi). The ONLY time I could ever see using one of these "unsecured" networks would be on a laptop only for browsing things on the web that don't require credentials!

All comments

Synycalwon

According to the original article on the Register (http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/):

"The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots."

mgerbasio

Well that sounds like a good idea, but what about when you leave wifi on for LBS? What about in a hotel where the wifi hotspot may be encrypted but someone sets up one with a duplicate name and password (as these are typically generic)? A lot of times I'm out of cell range and need to connect to a wifi hotspot (in buildings), if I move to a closer unsecured hotspot and my phone switches to another network will I know it; is there any way I can avoid this issue?

It makes me much happier that I have unlimited 3G, AT&T users that have a cap are encourged by AT&T to use wifi are probably going to have the hardest time with this issue.

I'd really like to see Google, Verizon or the manufactures give us some guidance other than, "never turn on your wifi".

Synycalwon

I'm not saying never turn on your Wi-Fi or that Google and Verizon shouldn't get a fix out. But, rather this is another reminder of the potential issues when using public networks, in particular Wi-Fi.

As an example, while I trust my own home Wi-Fi network to an extent (it's locked down as much as possible), I NEVER use it for anything of sensitive nature (ex. online banking), but instead always use my hardwired network. Ditto for my smartphone, I would NEVER use it for highly sensitive things, even over the cell carrier's data network. You just can't control where that wireless signal goes and who may be able to sniff it. At least with hardwired, someone would have to physically connect to it in order to even attempt to sniff it. It's always a trade off between security and convenience. I choose security, but that's just me (highly cynical and somewhat paranoid :smileywink: )

rel1sh

There is a bit more in-depth info on this issue here, as well as a proof of concept and technical details:

http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

Although this relies on using open/unencrypted WiFi connections, the exploit has already been fixed in later versions of the Android OS (the vulnerabilities in Calendar and Contacts sync in 2.2 have both been fixed in 2.3.4). Does Verizon provide a schedule of planned updates to the OS?

Ann154

rel1sh wrote: "Does Verizon provide a schedule of planned updates to the OS?"

In the past year that I have followed android information, I have never heard of them doing a master list. Some individual manufacturers have said a general time frame for an update. However they usually late and miss the end of the quarter by at least a month.

If there is one, oh what a gold mine.