2011/05/18

Using Android Powered Smart Gadget at the Cost of Privacy.

'New research from computer scientists at the University of Ulm in Germany has found that 99.7 percent of Android-powered smart phones are leaking data that, if stolen, can allow criminals into the personal data stored on Google's online services, or cloud.

The issue, say the researchers, is how the Google Android system uses software code—called authTokens—that allow users to log in to Google Calendar, Google Contacts, and other cloud-based services. According to the researchers, these tokens sometimes aren't encrypted or specific to the smart phone sending them. What's more, the tokens are valid for weeks at a time.

These three factors make it easy for a hacker to grab the data and access the personal data stored on Google's cloud. The researchers wrote on the University of Ulm's blog:


To collect such authTokens on a large scale an adversary could set up a Wi-Fi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately... the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.


The researchers suggest if you're an Android user, you should:

Update your phone to the current Android version (2.3.4) as soon as possible. Depending on your phone vendor, however, you may have to wait weeks or months before an update is available for your phone. Hopefully this will change in the future.
Switch off automatic synchronization in the settings menu when connecting with open Wi-Fi networks.
Avoid open Wi-Fi networks when using affected apps.

You'll find other security threats from cell phones in our report, Mobile phones: The new risk. And for tips on protecting your personal data on all your devices, see Consumer Reports' Guide to Online Security.' ...
