Sunday, May 29, 2011

Almost all Android phones vulnerable to authentication attack

Researchers at the University of Ulm in Germany have identified a vulnerability in Android that allows an attacker to steal and use authentication credentials on 99% of the phones that are based on Google's operating system

Google issued a patch to address the issue earlier this month as part of Android 2.3.4 (code name: Gingerbread), but getting that patch widely deployed is challenging because Android phones are made by so many different manufacturers.

From a blog post by the researchers:

We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.

ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via a https connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks. However, if this authToken is used in requests sent over unencrypted http, an adversary can easily sniff the authToken (e.g. with Wireshark). Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API.

News of the vulnerability is rippling through security circles. Sophos senior technology consultant Graham Cluley explains the challenge facing Andoid users looking to avoid this risk:
Unfortunately it's not always possible to easily upgrade the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air.
There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren't so simple for Google's users. This fragmentation inevitably leaves Android devices open to security problems.

Google has promised to work with its partners to address this issue.

Forbes writer Kashmir Hill notes that the real answer may come closer to home.

Between this and Firesheep, the moral of the story seems to be to avoid using public Wi-Fi networks. These days, I only link my phone up to my password-protected wireless network at home. Other than that, I rely on my carrier's 3G network, even if I'm in a coffee shop that offers up free Wi-Fi. Using a public Wi-Fi network at Starbucks seems as casual an invitation for information theft as leaving your smartphone on a table unguarded while going to the bathroom is an invitation for the more visceral kind.

It's amazing how many times free can be costly.

(Update, May 19: Google announces fix.)

No comments:

Post a Comment