September 20, 2013 /

The Hunt For False Security

Since Edward Snowden, Google has become the target of countless concern trolls. The latest attacks are just plain silly.

The Hunt For False Security

Ever since the NSA leaks started, one constant target of attack has been Google. There are some legitmate concerns out there, but this latest is just plain silly.

If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide. 

Recently IDC reported that 187 million Android phones were shipped in the second quarter of this year. That multiplies out to 748 million phones in 2013, a figure that does not include Android tablets. 

Many (probably most) of these Android phones and tablets are phoning home to Google, backing up Wi-Fi passwords along with other assorted settings. And, although they have never said so directly, it is obvious that Google can read the passwords. 

I have got a lot to dissect here, so please be patient with me. At the end I will give you a better way to secure your home network.

Android Settings Backup

This feature is a godsend to countless Android users. You get a new phone, login to your Google account, and all your contacts, settings, apps and even WiFi connections are there. The days of having to manually re-enter all that data are gone. Talk about greatness! 

But how does this work?

Well Google takes all the data from your phone and transmits it to their servers. But rumors are that Google stores this information in plain-text, meaning anyone with access to those servers can read it. Here’s Google’s statement on this:

Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.

One misconception going around was that this data was transmitted in plain text, but that has been long known to be false. Considering Android is open source, meaning anyone can view the actual programming code, if this were the case we would have heard about it years ago from the tech community. 

So the issue now is that Google needs to encypt the data on their end.

The Proposed Fix

Here’s the issue discussion for fixing this. Basically the proposal is to allow the user to keep their password/key to the encryption on their phone. On the surface this makes sense, but it also raises other problems. 

People forget passwords. That is a fact of life. If you get a new phone and forget your old password, you would need a way to retrieve it. There’s a couple of ways this can happen, both with problems:

  • Reset it from Google Servers. Well this method means that Google is storing the key to the data you are trying to protect from Google. Guess what? You just gave up the keys to the house!
  • View it on screen. This is the better option, but a leading reason for phone replacements it the phone died or the screen no longer works. If you need to view this key on screen, and your screen doesn’t work, you are out of luck!

Basically there is no simple solution here.

Carrier Changes

Even if Google does put something into place, it won’t stop your carrier from replacing it with their own system. Most carriers, like AT&T, commonly replace default Android services with their own. We know AT&T has long been very cooperative with the NSA, so I wouldn’t put it past them to replace the backup stuff with their own. Of course that means once you change carriers, you also loose all your backups.

Forget the NSA, What About Dishonest Employees?

This is a very real concern and also a very silly one. To prove how silly it is, I suggest doing a quick Google of “Edward Snowden”. We are talking about these issues because of a dishonest employee. He was able to gain access to very secure documents from some of our nation’s most secured servers. Yes there are dishonest employees, but that will always be the case. The only way to combat that is through extreme legal penalties, which would require global changes.

False Security

Even if Google uses some of the best methods of encryption out there, guess what? If the NSA wants it, they will get it. The latest NSA documents leaked by Snowden says as much:

The National Security Agency has the keys to most Internet encryption methods and it has gotten them by using supercomputers to break them and by enlisting the help of private IT companies,The New York Times and The Guardian are reporting.

In plain English, this means that many of the tools — like TLS, used by many banks and email providers — that people worldwide have come to believe protect them from snooping by criminals and governments are essentially worthless when it comes to the NSA.

The revelations are the latest from documents leaked by former NSA contractor Edward Snowden.

Here’s the thing in the world of encryption, something I work in everyday. There is no such thing as unbreakable encryption. The very definition means it can be undone:

1. to put (a message) into code
2. to put (computer data) into a coded form
3. to distort (a television or other signal) so that it cannot be understood without the appropriate decryption equipment

To have encryption means you have to have decryption, through the form of a cipher, which usually comes in the form of a key or password. Even if you have the most complex algorithm in the world encrypting your data, someone can break into it. One of the most surefire methods is also one of the easiest – brute force. That is running a program against the data, randomly generating passwords and/or keys until BINGO! 

OMG! I Didn’t Know Google Did This!!!!

Well did you read the manual? It’s on your phone and even available online. If you were to lazy to read this, then the only one you can blame is yourself. That is the harsh and simple reality of your ignorance of this feature.

One Method To Protect Your Home Network

If you are still worried about Google having access to your home WiFi password, there is a rather simple solution. It will, however, cost you some money. Go out and buy a new router that has guest access. Here’s one such router available at WalMart for $90 and also the same router I use. 

What “guest access” does is creates an entirely separate network on your router. You can have no security, or totally separate security from your regular home network. That even means different passwords. On top of that, the guest network can’t access your regular/home network. A vast majority of Android users don’t need to access their home computers from their device over WiFi, plus can always do the hard cable method of transferring data via USB, so this won’t affect them at all. Use this new guest network for your mobile devices and Google no longer has the password to your regular WiFi network. 

This is the best solution available without having to cost you the convenience of Androids backup/restore service and I highly suggest it. 

 

 

More IntoxiNation

Comments