Use Android? You’re Probably Giving Google All Your Wifi Passwords

Go to your home screen, press the Menu button, select “Settings”, under “Personal” select “Backup and reset”. Is the “Back up my data” checkbox checked? If so, all of the wifi passwords that your phone remembers are being synced to your Google account.

Backup and restore settings

And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Oh, and Google is part of NSA’s Prism program. If an NSA analyst, or likely someone from CIA or even FBI (Prism is a “team sport”), asks Google for information about you, your house’s and office’s wifi passwords are likely included in that data. Without a warrant.

With your home wifi password, an attacker can sniff wifi traffic outside your house (without connecting to your network) and then decrypt it all, passively eavesdropping on your private network. If the attacker wants to do more active attacks, they can connect to your wifi network and mount a man-in-the-middle attack to eavesdrop on and modify any unencrypted Internet traffic. If you download a file, they can serve you a malicious version instead. An attacker can scan for computers, phones, and tablets that are connected to your network, scan for open ports, and exploit vulnerable services. If you have a computer connected to your network that you haven’t done software updates on for a couple weeks, or that you’ve never configured a firewall on, or that you’ve installed random servers on and have never touched them since, there’s a good chance the attacker could take over those computers.

Anyway, maybe you should uncheck that box. Google says that they’ll delete this data when you stop backing it up with them.

Delete settings from Google's server

Although it wouldn’t hurt to change your wifi password anyway.

Update: I have filed a feature request in Android’s bug tracker to offer encrypted backups, similar to the password sync options offered by Chrome and Firefox.

Update 2: The Android bug tracker isn’t the correct place to ask Google to fix this bug. The backup/restore feature is part of the proprietary Google apps for Android, not the open source Android project. This thread on the Google product forums is the correct place.

28 thoughts on “Use Android? You’re Probably Giving Google All Your Wifi Passwords

  1. squiddle

    This feature of storing passwords in the cloud is available on other platforms/devices/services, too. It is not android only, the biggest contender in the mobile space, iOS, backs up your passwords, too. As with all (intransparent) systems it comes down to trust.

    Reply
    1. freediverx

      @squiddle “This feature of storing passwords in the cloud is available on other platforms/devices/services, too. It is not android only, the biggest contender in the mobile space, iOS, backs up your passwords, too. As with all (intransparent) systems it comes down to trust.”

      iOS encrypts all your data, unlike Android. Also Apple has dramatically different attitudes towards its users’ privacy compared to Google and Samsung.

      http://www.apple.com/apples-commitment-to-customer-privacy/

      http://appleinsider.com/articles/13/07/05/samsungs-free-jay-z-album-delivered-via-android-spyware-app

      Google’s Eric Schmidt:
      “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

      Reply
      1. micah Post author

        iOS encrypts your data locally on your iOS device before sending it over the internet to Apple’s servers to backup? Do you know what encryption key is used and where it’s stored?

        Companies advertise that they encrypt data, and they often do encrypt this data, however they also keep the encryption keys themselves. Dropbox is a good example – all your files are encrypted, however Dropbox can decrypt them themselves in response to law enforcement requests.

        If iOS doesn’t force users to memorize an encryption passphrase (the key would be derived from the passphrase), or if it’s impossible to restore an iCloud backup from a brand new iPhone (the key is stored on the drive of the old phone), then their “encryption” doesn’t mean much when it comes to Apple keeping your data private from themselves.

        Reply
        1. Hescominsoon

          I use spideroak…the data is encrypted before it leaves the machine and YOU keep the keys..they do not…they have zero knowledge and zero ability to get at your data.

          Reply
        2. Bill

          Micah: I can answer your question about iOS, and this information can also be found in the iOS security whitepaper as well as other 3rd party sources. Although most data in an iCloud backup is encrypted with a keybag stored in an Apple server, the keychain is different. It is encrypted with a hardware key that never leaves the device, and Apple does not know. For this reason, if you do an iCloud restore on a new device, you will get all the data back except for the passwords/private keys. If you do an iCloud restore on the exact same device, you get it all back.

          In other words, this issue does not affect iOS devices with iCloud backup enabled.

          Reply
  2. Robot

    I really don’t think the weak link is your wifi password. That would require the NSA being parked outside your house to listen in. Why do that when they can just tap your internet packets at your ISP? You should assume any internet traffic is sniffed en-route; that’s what SSL is for…

    Reply
    1. Blue skies

      That’s not a problem, plant something outside your place to capture and relay in real time not impossible. The advantage coming from LAN rather then WAN side is there is a lot less protections. They can intercept before it goes past your network (somes intercept before it exits via VPN) which means they don’t need to compromise a VPN server to access your data. Finally they can more of a accurate idea who’s computer and who is using it at that time.

      Reply
    1. micah Post author

      It’s not earth shattering, I just think that most people are unaware that they’re giving this data to Google.

      A better way to back up passwords would be to encrypt them with a passphrase on the phone first, similar to how Firefox sync works. This way you can still have all your data backed up by Google, but Google wouldn’t have access to any of it. You would need your passphrase to restore a backup.

      Reply
      1. rigelt

        It’s less about private wifi, but more about corporate wifi. In some companies the corporate wifi offers access to file shares and many many other “internal” services… (think of a data center with an internal web interface to control switchable PDUs, often the implemented security features are very weak)

        Reply
    1. micah Post author

      @flamsmark’s comment #14 on the bug report explains it well: https://code.google.com/p/android/issues/detail?id=57560#c14

      There seems to be some disagreement about whether this data is encrypted. I think that this confusion is because — while we’re all using the same word — we’re thinking of different designs.

      When Micah says “encrypted”, he means that “Google can’t get at the plaintext”. If we apply the mud puddle test (http://blog.cryptographyengineering.com/2012/04/icloud-who-holds-key.html), we should conclude that Google *can* access the plaintext, because you can destroy a backed-up phone, change your Google account password or log in with an application-specific password, then get your data back.

      It appears that commenters 7, 8, 11, 12, & 13, are referring to to the prudent use of encryption in other places, such as ensuring that when this data is sent to Google, that is done over an encrypted link, or that Google or your phone store this data in an encrypted format (while also having access to the key needed to decrypt the data).

      It is thoroughly prudent to encrypt data in transit, at rest and so on. That’s sensible security practice, and we would expect nothing less. What Micah is asking for is specifically the ability to encrypt the data with a key which is not accessible to Google, so that no matter who tried to force Google to give up this data, they would be unable to. Google simply would not be able to access this data.

      Reply
      1. crazy_crank

        For me, that is still no proof that Google doesn’t store this information encrypted, in the sense they can’t decrypt it themself.
        If you change your password, you have to enter your old password and your new password, so google has the ability to de- and reencrypt all your data during this process (Of course, in that moment it has to be decrypted and could be read by google, but that’s not the point here). So restoring your backup after changing the password should really not be a problem and an indicator to unecrypted backups
        The only proof for me would be, if you use of the “password recovery” method, where you don’t enter your previous passphrase.
        Have you (or anybody else) tried this and checked if his backup or at least his WLAN password still works? Don’t get me wrong, but otherwise your arguments are a bit scanty.
        Looking forward for your reply

        Reply
    1. micah Post author

      I think they gave the same response (in English) to Ars Technica: http://arstechnica.com/security/2013/07/does-nsa-know-your-wifi-password-android-backups-may-give-it-to-them/

      “Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.”

      Reply
  3. http://Appspecialist.nl

    Interesting blog! Is your theme custom made or did you download it from somewhere?
    A design like yours with a few simple adjustements would really make my blog
    jump out. Please let me know where you got your theme. With thanks

    Reply
  4. No Name

    Thank you Micah. I didn’t realize this setting was checked by default. While it appears to have a legitimate purpose based on Google’s statement, nevertheless, I change devices only every so often. Barring the failure of the device, it will be simple enough to turn this back on just prior to upgrading to a new phone. No need to have it turned on continuously until then. And in the event the phone dies unexpectedly (likely unlikely – I tried everything short of taking a sledgehammer to my previous phone and nothing would kill it), there is absolutely no data on my phone and no app that I would miss. I do not rely on my phone as a system of record for anything and I can’t think of a reason that anyone would. My advice is no one should – for all the reasons pointed out above.

    Reply
  5. dante

    I’ve recently switchen android phones. And i didn’t needed to set any wifi password nor restoring a backup… I could just access all my previously used wifi netbooks… I hope it was after i logged in to my google account. Nut it doesn’t feel like a secure system!

    Reply
  6. yamaha p85

    Effectively, I will be thus fired up that I have realized
    your post because I are already seeking good info
    about this for almost three a long time! You’ve got reduced the problem
    a whole lot certainly through scaning this history I have located a lot of

    brand new and useful information relating to this issue!

    Reply
  7. whatever

    “And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. ”

    This is unclear to me in my decaffeinated state.

    If I format an Android phone and set it up on first run, how do I login to my google account to restore a backup without first connecting the phone to wifi?

    Reply
  8. Bradford

    Knowing how to take such shots to capture
    the original emotion is often learned only through years
    of practice and experience. These few are some examples of different
    kind of photographs. Author JK Rowling has teamed up with
    Sony to launch a direct outlet, called Potter – More.

    Reply
  9. perth city to perth airport

    Years of service give you a perception of credibility and experience.

    They serve several destinations among them being Manchester
    city centre, Northenden, Fallowsield, Buxton,
    Disley and many more. Coach timetables are available
    online prior to the ski season commencing and tickets can be purchased from the coach hire desk.

    Reply
  10. best banner designer

    It is only in this way can any graphic designing company helps to serve you better.

    A second table can be the actual content of
    the site. Starting a business has very few upfront costs, and with the right skill
    set and attitude work can flow in rather quickly.

    Reply
  11. limo hire perth

    Once you arrive your money is now sitting at another curb for
    a few more hours while you are inside enjoying
    with family and friends. re just going home to unwind and eat dinner with your family.
    Compare the cars offered by several different limo services in Delaware and make sure
    you are paying for a limousine that will make
    it through the evening.

    Reply
  12. Pingback: Android Backups Could Expose Wi-Fi Passwords to NSA

Leave a Reply

Your email address will not be published. Required fields are marked *