If an Android device (phone or tablet) has ever logged on
to a particular Wi-Fi network, then Google probably knows the Wi-Fi password.
Considering how many Android devices there are, it is likely that Google can
access most Wi-Fi passwords worldwide.
Recently IDC reported that 187 million Android phones were
shipped in the second quarter of this year. That multiplies out to 748 million
phones in 2013, a figure that does not include Android tablets.
Many (probably most) of these Android phones and tablets
are phoning home to Google, backing up Wi-Fi passwords along with other assorted
settings. And, although they have never said so directly, it is obvious that
Google can read the passwords.
Sounds like a James Bond movie.
Android devices have defaulted to coughing up Wi-Fi
passwords since version 2.2. And, since the feature is presented as a good
thing, most people wouldn't change it. I suspect that many Android users have
never even seen the configuration option controlling this. After all, there are
dozens and dozens of system settings to configure.
And, anyone who does run across the setting cannot hope to
understand the privacy implication. I certainly did not.
Specifically:
In Android 2.3.4, go to Settings, then Privacy. On an HTC
device, the option that gives Google your Wi-Fi password is "Back up my
settings". On a Samsung device, the option is called "Back up my data". The only
description is "Back up current settings and application data". No mention is
made of Wi-Fi passwords.
In Android 4.2, go to Settings, then "Backup and reset".
The option is called "Back up my data". The description says "Back up
application data, Wi-Fi passwords, and other settings to Google
servers".
Needless to say, "settings" and "application data" are vague
terms. A longer explanation of this backup feature in Android 2.3.4 can be found
in the User's Guide on page 374:
Check to back up some of your personal data to Google
servers, with your Google Account. If you replace your phone, you can restore
the data you’ve backed up, the first time you sign in with your Google Account.
If you check this option, a wide variety of your personal data is backed up,
including your Wi-Fi passwords, Browser bookmarks, a list of the applications
you’ve installed, the words you’ve added to the dictionary used by the onscreen
keyboard, and most of the settings that you configure with the Settings
application. Some third-party applications may also take advantage of this
feature, so you can restore your data if you reinstall an application. If you
uncheck this option, you stop backing up your data to your account, and any
existing backups are deleted from Google servers.
A longer explanation for Android 4.0 can be found on page
97 of the Galaxy Nexus phone User's Guide:
If you check this option, a wide variety of your personal
data is backed up automatically, including your Wi-Fi passwords, Browser
bookmarks, a list of the apps you've installed from the Market app, the words
you've added to the dictionary used by the onscreen keyboard, and most of your
customized settings. Some third-party apps may also take advantage of this
feature, so you can restore your data if you reinstall an app. If you uncheck
this option, your data stops getting backed up, and any existing backups are
deleted from Google servers.
Sounds great. Backing up your data/settings makes moving to
a new Android device much easier. It lets Google configure your new Android
device very much like your old one.
What is not said is that Google can read the Wi-Fi
passwords.
And, if you are reading this and thinking about one Wi-Fi
network, be aware that Android devices remember the passwords to every Wi-Fi
network they have logged on to. The Register writes:
The list of Wi-Fi networks and passwords stored on a device
is likely to extend far beyond a user's home, and include hotels, shops,
libraries, friends' houses, offices and all manner of other places. Adding this
information to the extensive maps of Wi-Fi access points built up over years by
Google and others, and suddenly fandroids face a greater risk to their privacy
if this data is scrutinised by outside agents.
The good news is that Android owners can opt out just by
turning off the checkbox.
Update: Sept 15, 2013: Even if Google deletes every copy of
your backed up data, they may already have been compelled to share it with
others. And, Google will continue to have a copy of the password until every
Android device that has ever connected to the network turns off the backing up
of settings/data.
The bad news is that, like any American company, Google can
be compelled by agencies of the U.S. government to silently spill the
beans.
When it comes to Wi-Fi, the NSA, CIA and FBI may not need
hackers and cryptographers. They may not need to exploit WPS or UPnP. If Android
devices are offering up your secrets, WPA2 encryption and a long random password
offer no protection.
I doubt that Google wants to rat out their own customers.
They may simply have no choice. What large public American company would? Just
yesterday, Marissa Mayer, the CEO of Yahoo, said executives faced jail if they
revealed government secrets. Lavabit felt there was a choice, but it was a
single-person operation.
This is not to pick on Google exclusively. After all,
Dropbox can read the files you store with them. So too, can Microsoft read files
stored in SkyDrive. And, although the Washington Post reported back in April
that Apple’s iMessage encryption foils law enforcement, cryptographer Matthew
Green did a simple experiment that showed that Apple can read your
iMessages.
In fact, Green's experiment is pretty much the same one
that shows that Google can read Wi-Fi passwords. He describes
it:
First, lose your iPhone. Now change your password using
Apple's iForgot service ... Now go to an Apple store and shell out a fortune
buying a new phone. If you can recover your recent iMessages onto a new iPhone
-- as I was able to do in an Apple store this afternoon -- then Apple isn't
protecting your iMessages with your password or with a device key. Too
bad.
Similarly, a brand new Android device can connect to Wi-Fi
hotspots it is seeing for the very first time.
Back in June 2011, writing for TechRepublic, Donovan
Colbert described stumbling across this on a new ASUS Eee PC Transformer
tablet:
I purchased the machine late last night after work. I
brought it home, set it up to charge overnight, and went to bed. This morning
when I woke I put it in my bag and brought it to the office with me. I set up my
Google account on the device, and then realized I had no network connection ...
I pulled out my Virgin Mobile Mi-Fi 2200 personal hotspot and turned it on. I
searched around Honeycomb looking for the control panel to select the hotspot
and enter the encryption key. To my surprise, I found that the Eee Pad had
already found the Virgin hotspot, and successfully attached to it ... As I
looked further into this puzzling situation, I noticed that not only was my
Virgin Hotspot discovered and attached, but a list of other hotspots ... were
also listed in the Eee Pad's hotspot list. The only conclusion that one can draw
from this is obvious - Google is storing not only a list of what hotspots you
have visited, but any private encryption keys necessary to connect to those
hotspots ...
Micah Lee, staff technologist at the EFF, CTO of the
Freedom of the Press Foundation and the maintainer of HTTPS Everywhere, blogged
about the same situation back in July.
When you format an Android phone and set it up on first
run, after you login to your Google account and restore your backup, it
immediately connects to wifi using a saved password. There’s no sort of password
hash that your Android phone could send your router to authenticate besides the
password itself.
Google stores the passwords in a manner such that they can
decrypt them, given only a Gmail address and password.
Shortly after Lee's blog, Ars Technica picked up on this
(see Does NSA know your Wi-Fi password? Android backups may give it to them). A
Google spokesperson responded to the Ars article with a prepared
statement.
Our optional ‘Backup my data’ feature makes it easier to
switch to a new Android device by using your Google Account and password to
restore some of your previous settings. This helps you avoid the hassle of
setting up a new device from scratch. At any point, you can disable this
feature, which will cause data to be erased. This data is encrypted in transit,
accessible only when the user has an authenticated connection to Google and
stored at Google data centers, which have strong protections against digital and
physical attacks.
Sean Gallagher, who wrote the Ars article, added "The
spokesperson could not speak to how ... the data was secured at
rest."
Lee responded to this with:
... it’s great the backup/restore feature is optional. It’s
great that if you turn it off Google will delete your data. It’s great that the
data is encrypted in transit between the Android device and Google’s servers, so
that eavesdroppers can’t pull your backup data off the wire. And it’s great that
they have strong security, both digital and physical, at their data centers.
However, Google’s statement doesn’t mention whether or not Google itself has
access to the plaintext backup data (it does)... [The issue is] Not how easy it
is for an attacker to get at this data, but how easy it is for an authorized
Google employee to get at it as part of their job. This is important because if
Google has access to this plaintext data, they can be compelled to give it to
the US government.
Google danced around the issue of whether they can read the
passwords because they don't want people like me writing blogs like this. Maybe
this is why Apple, so often, says nothing.
Eventually Lee filed an official Android feature request,
asking Google to offer backups that are stored in such a way that only the end
user (you and I) can access the data. The request was filed about two months ago
and has been ignored by Google.
I am not revealing anything new here. All this has been out
in the public before. Below is a partial list of previous
articles.
However, this story has, on the whole, flown under the
radar. Most tech outlets didn't cover it (Ars Technica and The Register being
exceptions) for reasons that escape me.
1) Google knows where you've been and they might be holding
your encryption keys. June 21, 2011 by Donovan Colbert for TechRepublic. This is
the first article I was able to find on the subject. Colbert was not happy,
writing:
... my corporate office has a public, protected wireless
access point. The idea that every Android device that connects with that access
point shares our private corporate access key with Google is pretty unacceptable
... This isn't just a trivial concern. The fact that my company can easily lose
control of their own proprietary WPA2 encryption keys just by allowing a user
with an Android device to use our wireless network is significant. It
illustrates a basic lack of understanding on the ethics of dealing with
sensitive corporate and personal data on the behalf of the engineers,
programmers and leadership at Google. Honestly, if there is any data that
shouldn't be harvested, stored and synched automatically between devices, it is
encryption keys, passcodes and passwords.
2) Storage of credentials on the company servers Google by
Android smartphones (translated from German). July 8, 2013. The University of
Passau in Germany tells the university community to turn off Android backups
because disclosing passwords to third parties is prohibited. They warn that
submitting your password to any third party lets unauthorised people access
University services under your identity. They also advise changing all passwords
stored on Android devices.
3) Use Android? You’re Probably Giving Google All Your
Wifi Passwords July 11, 2013 by Micah Lee. Where I first ran into this
story.
4) Android and its password problems open doors for spies
July 16, 2013 by The H Security in Germany. Excerpt:
Tests ... at heise Security showed that after resetting an
Android phone to factory settings and then synchronising with a Google account,
the device was immediately able to connect to a heise test network secured using
WPA2. Anyone with access to a Google account therefore has access to its Wi-Fi
passwords. Given that Google maintains a database of Wi-Fi networks throughout
the world for positioning purposes, this is a cause for concern in itself, as
the backup means that it also has the passwords for these networks. In view of
Google's generosity in sharing data with the NSA, this now looks even more
troubling ... European companies are unlikely to be keen on the idea of this
backup service, activated by default, allowing US secret services to access
their networks with little effort.
5) Does NSA know your Wi-Fi password? Android backups may
give it to them July 17, 2013 by Sean Gallagher for Ars Technica. This is the
article referred to earlier. After this one story, Ars dropped the issue, which
I find strange since they must have realized the implications.
6) Android backup sends unencrypted Wi-Fi passwords to
Google July 18, 2013 by Zeljka Zorz for net-security.org
7) Would you tell Google your Wi-Fi password? You probably
already did... July 18, 2013 by Paul Ducklin writing for the Sophos Naked
Security blog. Ducklin writes:
... the data is encrypted in transit, and Google (for all
we know) probably stores it encrypted at the other end. But it's not encrypted
in the sense of being inaccessible to anyone except you ... Google can
unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can
return those passwords to you quickly and conveniently ...
8) Android Backups Could Expose Wi-Fi Passwords to NSA July
19, 2013 by Ben Weitzenkorn of TechNewsDaily. This same story also appeared
at nbcnews.com and mashable.com.
9) Despite Google’s statement, they still have access to
your wifi passwords July 19, 2013 by Micah Lee on his personal blog. Lee rebuts
the Google spokesperson response to the Ars Technica article.
10) Oi, Google, you ate all our Wi-Fi keys - don't let the
spooks gobble them too July 23, 2013 by John Leyden for The Register. Leyden
writes: "Privacy experts have urged Google to allow Android users to encrypt
their backups in the wake of the NSA PRISM surveillance flap."
11) Google: Keep Android Users' Secure Network Passwords
Secure August 5, 2013 by Micah Lee and David Grant of the EFF. They
write:
Fixing the flaw is more complicated than it might seem.
Android is an open source operating system developed by Google. Android Backup
Service is a proprietary service offered by Google, which runs on Android.
Anyone can write new code for Android, but only Google can change the Android
Backup Service.
To conclude on a Defensive Computing note, those that need
Wi-Fi at home should consider using a router offering a guest
network.
Make sure that Android devices accessing the private
network are not backing up settings to Google. This is not realistic for the
guest network, but you can enable the guest network only when needed and then
shut it down afterwards. Also, you can periodically change the password of the
guest network without impacting your personal wireless devices.
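One way to check the advice above on several devices at once, as an added example that is not part of the original article: the script asks each USB-connected Android device whether its backup manager is enabled. It assumes adb is installed, USB debugging is authorized on each device, that the "Back up my data" checkbox corresponds to the state reported by Android's bmgr shell tool, and that bmgr prints "Backup Manager currently enabled" or "... disabled"; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit connected Android devices for the backup setting.
# Assumption: `adb shell bmgr enabled` prints
#   "Backup Manager currently enabled" or "Backup Manager currently disabled".

# Classify the text printed by `bmgr enabled`.
# Prints one of: enabled | disabled | unknown
backup_state() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *"currently disabled"*) echo disabled ;;
        *"currently enabled"*)  echo enabled ;;
        *)                      echo unknown ;;
    esac
}

# Extract the serials of usable devices from `adb devices` output.
# Entries marked "unauthorized" or "offline" are skipped, as is the header.
ready_serials() {
    printf '%s\n' "$1" | awk 'NF == 2 && $2 == "device" { print $1 }'
}

# Query every usable device. Returns non-zero if any device is still
# backing up settings, or if its state could not be determined.
audit_devices() {
    rc=0
    for serial in $(ready_serials "$(adb devices)"); do
        # adb output uses CRLF line endings on some versions; strip the CR.
        out=$(adb -s "$serial" shell bmgr enabled 2>&1 | tr -d '\r')
        state=$(backup_state "$out")
        echo "$serial: backup $state"
        [ "$state" = disabled ] || rc=1
    done
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_devices
fi
```

Run it with `--audit`; a non-zero exit status means at least one device should have the backup option turned off before it joins the private network. An "unknown" result is treated as a failure so that a device that cannot be queried is not silently passed.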
At this point, everybody should probably change their Wi-Fi
password.