Potentially major Android WiFi security loophole revealed

According to Donovan Colbert, when he connected his new Android tablet for the first time and logged in using his previous Android account credentials, he was immediately able to connect to secure WiFi access points without having to enter any passphrases.

Colbert says that, while he was searching the Android 3.x interface for somewhere to enter the passphrase of a MiFi unit he was using with the tablet, he found the Asus tablet had already logged into the MiFi hotspot.

"I literally questioned myself, wondering if I had simply already attached to the hotspot from the Eee Pad and forgotten about it. But that was not the case", he says in his latest security blog.

"As I looked further into this puzzling situation, I noticed that not only was my Virgin Hotspot discovered and attached, but a list of other hotspots, including the hotspot at my campground (a 45-minute drive away) were also listed in the Eee Pad's hotspot list", he adds.

Colbert went on to say that the only conclusion you can draw from this is obvious: Google is storing in the cloud not only a list of the hotspots you have visited, but also any private encryption keys necessary to connect to those hotspots.

"As far as I can tell, there is no clear and easy way for Android end-users to 'opt out' of sending their access points to Google for storage on the cloud and synchronisation to other Android devices the user may own", he noted.

"If this is the case, Google gives the Android device user two choices: do not access public encrypted wireless access points or violate their terms of service by sharing those access keys with Google", he says.

"The obvious response that I would expect third party public encrypted hotspot owners to adopt is to specifically prohibit subscribers from accessing those APs via Android devices", he adds.

As Colbert says in his blog: "My corporate office has a public, protected wireless access point. The idea that every Android device that connects with that access point shares our private corporate access key with Google is pretty unacceptable."

The only solution to the problem that the security researcher says he can come up with is to bar all Android users from accessing the company WiFi system using their Droid-driven devices.

"What do you think? Is this an innocent, excusable mistake? Is Google a company that only has the best interests of the consumers at heart? Are we making too much out of this, or has Google crossed the boundaries of reasonable behaviour?" he asked.
