Richi Jennings

Scary Android security hole in 99% of phones: PANIC!

May 18, 2011 6:04 AM EDT

Update: FIXED! A security hole in Android, Google's (GOOG) smartphone operating system, means that 99 percent of these phones are vulnerable to data theft. The Google account authentication token is being sent unencrypted and is easily sniffed and misused by a hacker. In IT Blogwatch, bloggers PANIC and turn off their data.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Adam Curtis's All Watched Over by Machines of Loving Grace...

Dan Goodin reports:
The weakness stems from the improper implementation of an authentication protocol known as ClientLogin ... researchers from Germany's University of Ulm said. ... The programming interface retrieves an authentication token that is sent in cleartext. ... Attackers can exploit them to gain unauthorized access to accounts.
Google patched the security hole earlier this month with the release of Android 2.3.4 ... this means more than 99 percent of Android-based handsets are vulnerable to the attacks ... similar in difficulty ... to so-called sidejacking exploits that steal authentication cookies.
Matthew DeCarlo hits the spot:
The hole reportedly stems from a flaw in Google's ClientLogin authentication protocol. ... Applications can send such data ... unencrypted ... making it easy for unsavory types to [use] software utilities such as Wireshark.
Because authTokens last for up to two weeks ... an attacker could collect them on a large scale ... and use them later from an entirely different location. ... The researchers are urging Google to limit the lifetime of authTokens in addition to rejecting ClientLogin-based requests from insecure connections.
The vulnerability is present in all Android versions prior to 2.3.4 ... which is only available for a handful of Android devices. ... The researchers recommend avoiding public Wi-Fi networks ... disabling automatic synchronization and ... forgetting an open network [to which] you previously connected.
Yes, good morning, Bastian Könings, Jens Nickels, and Florian Schaub:
We wanted to know if it is really possible to launch an impersonation attack against Google services. ... The short answer is: Yes ... and it is quite easy to do.
The adversary can gain full access to the ... Google user's ... calendar, contacts information, or private web albums. ... Not limited to items currently being synced but affects all items of that user. ... The authToken is not bound to any session or device ... the adversary can subsequently use the captured authToken to access any personal data. ... authTokens were valid for several days ... which enables adversaries to comfortably capture and make use of tokens at different times and locations.
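The two fixes DeCarlo relays above (a short authToken lifetime and rejecting ClientLogin requests that arrive over insecure connections) and the unbound-token problem the Ulm researchers describe can be shown as a small server-side check. The code below is an added illustration for this post, not code from Google, from the researchers or from the original article; the function names, the 30-minute lifetime, and the idea of binding a token to an HMAC of a device identifier are all constructed assumptions, not a description of how Google's service actually works.

```python
"""Added example (not from the original post or from Google's ClientLogin
implementation): a minimal server-side token check that applies the
mitigations discussed in the post, namely a short token lifetime, refusal of
tokens arriving over an insecure transport, and binding each token to the
device that obtained it. All names and policy values are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

# Constructed policy value: a token lives 30 minutes rather than two weeks,
# so a captured token is useless long before an attacker could reuse it later.
TOKEN_LIFETIME_SECONDS = 30 * 60

# Constructed per-process secret; a real service would load this from a KMS.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class AuthToken:
    token_id: str        # random opaque value handed to the client
    issued_at: float     # Unix time at issuance
    device_binding: str  # HMAC of the device identifier, never the identifier itself


def bind_device(device_id: str) -> str:
    """Keyed hash of the device identifier, so the binding cannot be forged
    by a party who only captured the token on the wire."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def issue_token(device_id: str, now: float) -> AuthToken:
    """Mint a token tied to the requesting device and the issuance time."""
    return AuthToken(secrets.token_urlsafe(32), now, bind_device(device_id))


def validate_request(token: AuthToken, device_id: str,
                     over_tls: bool, now: float) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Transport is checked first: a token replayed over plain HTTP is refused
    before its contents are even examined, which is the 'reject requests from
    insecure connections' recommendation from the post."""
    if not over_tls:
        return False, "insecure transport"
    if now - token.issued_at > TOKEN_LIFETIME_SECONDS:
        return False, "token expired"
    if now < token.issued_at:
        return False, "token issued in the future"
    # Constant-time comparison avoids leaking the binding through timing.
    if not hmac.compare_digest(token.device_binding, bind_device(device_id)):
        return False, "device mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a token issued to device A and replayed from
    # elsewhere, over plain HTTP, and after the lifetime has passed.
    tok = issue_token("device-A", 1000.0)
    print(validate_request(tok, "device-A", True, 1100.0))
    print(validate_request(tok, "device-A", False, 1100.0))
    print(validate_request(tok, "device-B", True, 1100.0))
    print(validate_request(tok, "device-A", True, 1000.0 + TOKEN_LIFETIME_SECONDS + 1))
```

With these checks in place, a token sniffed on an open hotspot fails on transport if replayed in the clear, fails on device binding if replayed from another phone, and expires within the half hour in any case, which is exactly the window the researchers wanted closed.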
And Graham Cluley explodes:
The generated authTokens are not linked to a particular phone, so they can be easily used to impersonate [you]. Yuck! ... A real problem if you use an unencrypted WiFi hotspot. ... Using 3G may eat into your data plan, but it's far less likely that your communications are being snooped.
Unfortunately it's not always possible to easily upgrade the version of Android running on your phone ... [you're] dependent on your mobile phone manufacturer and carrier. ...
And Ryan Paul pontificates thuswise:
This reflects the need for better update practices among Android hardware vendors. ... A number of Google's largest ... partners have formed a working group to begin setting the guidelines. ... The participants intend to guarantee the availability of regular updates for a period of 18 months. ... They could also ... reduce the gap between when a new version of Android is released and when it is deployed.
It would ensure that security issues like [this] can be remedied in a timely manner. ... It would [also] help diminish the uncertainty about product lifespan that frustrates many Android end users.
Shockingly, John "über-fanboi" Gruber waxes sarcastic:
I’m sure most Android handsets will be updated to version 2.3.4 or later very soon, so no worries.
Is this a big deal, Bob Yirka, or is it just hype?
Many might not see such a breach as all that big of a deal ... [But] Google, a huge company ... staffed with some of the best in the business, clearly knew ... what it was doing when it chose to use plain text ... for transmitting its authTokens.
[It] demonstrates wanton disregard for the privacy of its user community.
Something else is rather important ... the means by which this news has come to the fore, i.e. through a grad student ... basically just fooling around with sniffing software.
What else is at risk? ... How can we know that the things we do are safe from those who might wish to steal our data ... [or] disseminate embarrassing pictures we thought were safely tucked away ... on Picasa?
Hotfoot, JR Raphael brings breaking news:
A security flaw discovered in Google's Android operating system is now being fixed for all users. ... [It] had already been fixed in ... Android 2.3.4, but ... the majority of Android phones -- around 99 percent -- are not yet running that.
Today, Google started rolling out a server-side patch that addresses the issue. ... The update is global and automatic, requiring no software update on the user end ... and affecting all devices worldwide within the week.
[It] addresses the problem with authentication tokens for both Google Calendar and Google Contacts ... engineers are still looking into the issue with Picasa.
And Finally...
All Watched Over by Machines of Loving Grace
[Can't wait for Adam Curtis's next opus, due Monday. If you're not in the UK, don't even think about looking for a .torrent of it.]
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's also the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld, plus The Long View. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email. You can also read Richi's full profile and disclosure of his industry affiliations.