Google storing Android WiFi keys: A potential security nightmare

Does Google’s Android mobile operating system contain yet another gaping security hole that could easily get out of hand and cause serious woes for individual users as well as businesses? According to a new report, that may be the case.

Donovan Colbert, the owner of a new ASUS Eee PC Transformer Android-based tablet, discovered that when he connected the device for the first time, he was able to connect with Wi-Fi hotspots to which he had previously connected on his other Android devices.

In an IT Security blog post on TechRepublic, Colbert writes:

“I pulled out my Virgin Mobile Mi-Fi 2200 personal hotspot and turned it on. I searched around Honeycomb looking for the control panel to select the hotspot and enter the encryption key. To my surprise, I found that the Eee Pad had already found the Virgin hotspot, and successfully attached to it. I literally questioned myself, wondering if I had simply already attached to the hotspot from the Eee Pad and forgotten about it. But that was not the case.

“As I looked further into this puzzling situation, I noticed that not only was my Virgin Hotspot discovered and attached, but a list of other hotspots, including the hotspot at my campground (a 45-minute drive away) were also listed in the Eee Pad’s hotspot list. The only conclusion that one can draw from this is obvious - Google is storing not only a list of what hotspots you have visited, but any private encryption keys necessary to connect to those hotspots in the cloud.”

As some commenters to the article point out, Android does give users the option of whether or not to back up this information, but if an experienced IT engineer like Colbert doesn’t know that his personal devices are storing this type of information on Google’s cloud, how many others are also unaware?

Also, as Colbert points out, the practice of backing up encryption keys for shared Wi-Fi hotspots is likely putting many users in violation of the Terms of Service (ToS) they agreed to when connecting to them. The point is that if a hacker were to access all of this hotspot information in Google’s cloud servers via a customer’s poorly secured account, the unintentionally disclosed information could make businesses and organizations with secured wireless networks easy prey.

I’m sure the backup feature is built in as a convenience to Android users with multiple devices, but in light of the rise in hacking incidents this year, it may just be better to keep that data isolated on one device at a time and keep it off Google’s cloud servers.
