Use Android? You’re Probably Giving Google All Your Wifi Passwords

Posted July 11, 2013 in crypto mobile security

Go to your home screen, press the Menu button, select “Settings”, under “Personal” select “Backup and reset”. Is the “Back up my data” checkbox checked? If so, all of the wifi passwords that your phone remembers are being synced to your Google account.

And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Backup and restore settings

Oh, and Google is part of NSA’s Prism program. If an NSA analyst, or likely someone from CIA or even FBI (Prism is a “team sport”), asks Google for information about you, your house’s and office’s wifi passwords are likely included in that data. Without a warrant.

With your home wifi password, an attacker can sniff wifi traffic outside your house (without connecting to your network) and then decrypt it all, passively eavesdropping on your private network. If the attacker wants to do more active attacks, they can connect to your wifi network and mount a man-in-the-middle attack to eavesdrop on and modify any unencrypted Internet traffic. If you download a file, they can serve you a malicious version instead. An attacker can scan for computers, phones, and tablets that are connected to your network, scan for open ports, and exploit vulnerable services. If you have a computer connected to your network that you haven’t done software updates on for a couple weeks, or that you’ve never configured a firewall on, or that you’ve installed random servers on and have never touched them since, there’s a good chance the attacker could take over those computers.

Anyway, maybe you should uncheck that box. Google says that they’ll delete this data when you stop backing it up with them.

Delete settings from Google's server

Although it wouldn’t hurt to change your wifi password anyway.

Update: I have filed a feature request in Android’s bug tracker to offer encrypted backups, similar to the password sync options offered by Chrome and Firefox.

Update 2: The Android bug tracker isn’t the correct place to ask Google to fix this bug. The backup/restore feature is part of the proprietary Google apps for Android, not the open source Android project. This thread on the Google product forums is the correct place.

Legacy comments, imported from previous version of this blog:

whatever

September 13, 2013 04:38 AM

"And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. "

This is unclear to me in my decaffeinated state.

If I format an Android phone and set it up on first run, how do I login to my google account to restore a backup without first connecting the phone to wifi?

squiddle

July 11, 2013 11:38 PM

This feature of storing passwords in the cloud is available on other platforms/devices/services, too. It is not android only, the biggest contender in the mobile space, iOS, backs up your passwords, too. As with all (intransparent) systems it comes down to trust.

freediverx

July 12, 2013 03:28 AM

@squiddle "This feature of storing passwords in the cloud is available on other platforms/devices/services, too. It is not android only, the biggest contender in the mobile space, iOS, backs up your passwords, too. As with all (intransparent) systems it comes down to trust."

iOS encrypts all your data, unlike Android. Also Apple has dramatically different attitudes towards its users' privacy compared to Google and Samsung.

http://www.apple.com/apples-commitment-to-customer-privacy/

http://appleinsider.com/articles/13/07/05/samsungs-free-jay-z-album-delivered-via-android-spyware-app

Google's Eric Schmidt: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

micah

July 12, 2013 07:17 AM

iOS encrypts your data locally on your iOS device before sending it over the internet to Apple's servers to backup? Do you know what encryption key is used and where it's stored?

Companies advertise that they encrypt data, and they often do encrypt this data, however they also keep the encryption keys themselves. Dropbox is a good example - all your files are encrypted, however Dropbox can decrypt them themselves in response to law enforcement requests.

If iOS doesn't force users to memorize an encryption passphrase (the key would be derived from the passphrase), or if it's impossible to restore an iCloud backup from a brand new iPhone (the key is stored on the drive of the old phone), then their "encryption" doesn't mean much when it comes to Apple keeping your data private from themselves.

Hescominsoon

July 18, 2013 05:31 PM

I use spideroak...the data is encrypted before it leaves the machine and YOU keep the keys..they do not...they have zero knowledge and zero ability to get at your data.

Bill

August 11, 2013 07:00 PM

Micah: I can answer your question about iOS, and this information can also be found in the iOS security whitepaper as well as other 3rd party sources. Although most data in an iCloud backup is encrypted with a keybag stored in an Apple server, the keychain is different. It is encrypted with a hardware key that never leaves the device, and Apple does not know. For this reason, if you do an iCloud restore on a new device, you will get all the data back except for the passwords/private keys. If you do an iCloud restore on the exact same device, you get it all back.

In other words, this issue does not affect iOS devices with iCloud backup enabled.

limo hire perth

December 31, 2015 10:45 AM

Once you arrive your money is now sitting at another curb for a few more hours while you are inside enjoying with family and friends. re just going home to unwind and eat dinner with your family. Compare the cars offered by several different limo services in Delaware and make sure you are paying for a limousine that will make it through the evening.

download Styx Master of Shadows

October 22, 2014 10:01 AM

I consider something truly interesting about your weblog so I saved to favorites . download Styx Master of Shadows http://ow.ly/Daxen

No Name

August 12, 2013 05:52 PM

Thank you Micah. I didn't realize this setting was checked by default. While it appears to have a legitimate purpose based on Google's statement, nevertheless, I change devices only every so often. Barring the failure of the device, it will be simple enough to turn this back on just prior to upgrading to a new phone. No need to have it turned on continuously until then. And in the event the phone dies unexpectedly (likely unlikely - I tried everything short of taking a sledgehammer to my previous phone and nothing would kill it), there is absolutely no data on my phone and no app that I would miss. I do not rely on my phone as a system of record for anything and I can't think of a reason that anyone would. My advice is no one should - for all the reasons pointed out above.

Ketim

October 21, 2013 07:22 PM

Thanks for including the the link to to request the security feature addition.

http://Appspecialist.nl

August 5, 2013 02:09 AM

Interesting blog! Is your theme custom made or did you download it from somewhere? A design like yours with a few simple adjustements would really make my blog jump out. Please let me know where you got your theme. With thanks

Dahaniel

July 17, 2013 01:15 PM

How can you exclude that the data is encrypted with your Google credentials?

micah

July 17, 2013 01:25 PM

@flamsmark's comment #14 on the bug report explains it well: https://code.google.com/p/android/issues/detail?id=57560#c14

There seems to be some disagreement about whether this data is encrypted. I think that this confusion is because -- while we're all using the same word -- we're thinking of different designs. When Micah says "encrypted", he means that "Google can't get at the plaintext". If we apply the mud puddle test (http://blog.cryptographyengineering.com/2012/04/icloud-who-holds-key.html), we should conclude that Google *can* access the plaintext, because you can destroy a backed-up phone, change your Google account password or log in with an application-specific password, then get your data back. It appears that commenters 7, 8, 11, 12, & 13, are referring to to the prudent use of encryption in other places, such as ensuring that when this data is sent to Google, that is done over an encrypted link, or that Google or your phone store this data in an encrypted format (while also having access to the key needed to decrypt the data). It is thoroughly prudent to encrypt data in transit, at rest and so on. That's sensible security practice, and we would expect nothing less. What Micah is asking for is specifically the ability to encrypt the data with a key which is not accessible to Google, so that no matter who tried to force Google to give up this data, they would be unable to. Google simply would not be able to access this data.

crazy_crank

July 18, 2013 11:33 PM

For me, that is still no proof that Google doesn't store this information encrypted, in the sense they can't decrypt it themself. If you change your password, you have to enter your old password and your new password, so google has the ability to de- and reencrypt all your data during this process (Of course, in that moment it has to be decrypted and could be read by google, but that's not the point here). So restoring your backup after changing the password should really not be a problem and an indicator to unecrypted backups The only proof for me would be, if you use of the "password recovery" method, where you don't enter your previous passphrase. Have you (or anybody else) tried this and checked if his backup or at least his WLAN password still works? Don't get me wrong, but otherwise your arguments are a bit scanty. Looking forward for your reply

Android Backups Could Expose Wi-Fi Passwords to NSA

April 3, 2016 03:37 AM

[…] his personal blog, Electronic Frontier Foundation (EFF) staff technologist Micah Lee pointed out that the backup feature syncs all the network passwords your Android devices remember […]

Robot

July 12, 2013 01:16 AM

I really don't think the weak link is your wifi password. That would require the NSA being parked outside your house to listen in. Why do that when they can just tap your internet packets at your ISP? You should assume any internet traffic is sniffed en-route; that's what SSL is for...

Blue skies

August 12, 2013 04:16 PM

That's not a problem, plant something outside your place to capture and relay in real time not impossible. The advantage coming from LAN rather then WAN side is there is a lot less protections. They can intercept before it goes past your network (somes intercept before it exits via VPN) which means they don't need to compromise a VPN server to access your data. Finally they can more of a accurate idea who's computer and who is using it at that time.

rigelt

July 21, 2013 04:44 AM

micah

July 21, 2013 12:19 PM

I think they gave the same response (in English) to Ars Technica: http://arstechnica.com/security/2013/07/does-nsa-know-your-wifi-password-android-backups-may-give-it-to-them/

"Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks."

Anonymous

July 12, 2013 04:10 AM

Why do act like this is so earth shattering? How else would backing up passwords work?

micah

July 12, 2013 10:57 AM

It's not earth shattering, I just think that most people are unaware that they're giving this data to Google.

A better way to back up passwords would be to encrypt them with a passphrase on the phone first, similar to how Firefox sync works. This way you can still have all your data backed up by Google, but Google wouldn't have access to any of it. You would need your passphrase to restore a backup.

rigelt

July 21, 2013 04:39 AM

It's less about private wifi, but more about corporate wifi. In some companies the corporate wifi offers access to file shares and many many other "internal" services... (think of a data center with an internal web interface to control switchable PDUs, often the implemented security features are very weak)

yamaha p85

September 7, 2013 03:34 AM

Effectively, I will be thus fired up that I have realized your post because I are already seeking good info about this for almost three a long time! You've got reduced the problem a whole lot certainly through scaning this history I have located a lot of

brand new and useful information relating to this issue!

https://astrologiaagapikaisxeseis.wordpress.com/

May 10, 2017 07:23 PM

Hi, i think that i saw you visited my weblog thus i czme to “return the favor”.I'm trying to find things to enhance my wweb site!I suppose its ok to use a few of your ideas!!

perth city to perth airport

November 28, 2015 10:21 AM

Years of service give you a perception of credibility and experience.

They serve several destinations among them being Manchester city centre, Northenden, Fallowsield, Buxton, Disley and many more. Coach timetables are available online prior to the ski season commencing and tickets can be purchased from the coach hire desk.

best banner designer

December 19, 2015 05:16 PM

It is only in this way can any graphic designing company helps to serve you better.

A second table can be the actual content of the site. Starting a business has very few upfront costs, and with the right skill set and attitude work can flow in rather quickly.

dante

August 24, 2013 06:51 PM

I've recently switchen android phones. And i didn't needed to set any wifi password nor restoring a backup... I could just access all my previously used wifi netbooks... I hope it was after i logged in to my google account. Nut it doesn't feel like a secure system!

Bradford

October 13, 2014 02:13 AM

Knowing how to take such shots to capture the original emotion is often learned only through years of practice and experience. These few are some examples of different kind of photographs. Author JK Rowling has teamed up with Sony to launch a direct outlet, called Potter - More.

rajendra pandey

February 4, 2014 03:15 AM

very good