Google Knows Every Wi-Fi Password in the World

This article points out that as people are logging into Wi-Fi networks from their Android phones, and backing up those passwords along with everything else into Google's cloud, that Google is amassing an enormous database of the world's Wi-Fi passwords. And while it's not every Wi-Fi password in the world, it's almost certainly a large percentage of them.

Leaving aside Google's intentions regarding this database, it is certainly something that the US government could force Google to turn over with a National Security Letter.

Something else to think about.

Posted on September 20, 2013 at 7:05 AM • 87 Comments

Comments

AspieSeptember 20, 2013 7:32 AM

Sort of related and referring to previous discussions about tampering with algorithms and hardware. Does anyone have any ideas how easy/difficult it would be to have a back-door in standard broadband routers to facilitate probes into the systems/networks of domestic broadband customers?

Andy RaynorSeptember 20, 2013 7:46 AM

Is this issue limited to Google? I think MS added this in Windows 8 and Apple finally added WiFi synch to their latest iOS and OS X. The real difference is Android has done this for years and there's a bigger set of data, but the popularity of iOS will have at least two companies holding this data.

TomSeptember 20, 2013 7:48 AM

I don't understand. Of all the things to worry about the NSA knowing, what could they actually do with my WiFi password?

I live in rural SW England - I guess if they happen to have an agent in Somerset, within about 40 yards of my house, then he could snoop on my internet traffic...

WorrySeptember 20, 2013 7:58 AM

@Tom: "could they actually do with my WiFi password?"

Spy on someone relying on the security provided by a "secure" wifi network.

Think of journalists, Occupy Wall Street, governments, Petrobras, ...

JuergenSeptember 20, 2013 8:00 AM

Totally agree with Tom - I rather doubt the NSA does (or needs to do...) house calls. They'll have plenty of ways to get into your home computer without actually parking a black van in front of your door...

AndrewSeptember 20, 2013 8:03 AM

So when are we to expect an entertaining and enlightening analysis from the Big G about humanity's password habits?

Also wasn't G making bold statements lately - "Passwords are dead, long live the passwords"

AndySeptember 20, 2013 8:06 AM

Doesn't this give us plausible deniability for our home networks, while still being able to lock out the neighbours?

Secret PoliceSeptember 20, 2013 8:10 AM

NSA uses this to find people. Remember when they discovered the location of APT1 by remotely turning on WiFi and using it to geolocate them with APs nearby? Google also did a worldwide AP site survey, Google maps car did more than just take pictures

Clive RobinsonSeptember 20, 2013 8:12 AM

@ Aspie

    Does anyone have any ideas how easy/difficult it algorithms and hardware. Does anyone have any ideas how easy/difficult it would be to have a back-door in standard broadband routers to facilitate probes into the systems/networks of domestic broadband customers?

It used to be that those supplied by the broadband supplier had a "technical support" facility.

However many you can buy appear to have some control ability from either side...

I guesss "pays your money takes your choice" applies unless we are talking certain US OEMs...

tomSeptember 20, 2013 8:17 AM

@Clive Robinson: Is Cisco/Linksys one of the 'certain US OEMs'?? Which ones are NOT part of the 'certain US OEMs'??

Mike the goatSeptember 20, 2013 8:17 AM

More worrying is their use of known WiFi networks for geolocation. I am very cautious of 'cloud' services and certainly don't allow Google to backup anything to their servers. That said this is easier said than done with the default firmware on most cells. On first boot it asks you to select your WiFi network then prompts for the preshared key or 802.1x credentials. The next dialog box prompts you to login to your Google account or sign up for one (a Google account is pretty much mandatory unless you want to sideload apks or use a third party app store). Those who enter their details and click Next, accepting the defaults on the following screen and clicking Finish will have their WiFi credentials sync'd pretty much immediately.

This behavior also annoys people who want to use a Google account to access, say Gmail but do not want to sync other services. You can only control sync granularity once you have associated and connected the account. This means you have to afd the account and then quickly dash into the sync settings to untick, say Picasa.

To Google's credit I noticed that from ICS onwards there is a prompt when adding a Google account that lets you disable the device backup behavior. However it does not clearly state that your WiFi password is sent to Google. There is however still no way to disable specific sync settings /prior/ to beginning first sync, which sucks.

For this and a variety of other reasons stock Android is the least trusted of all my everyday computing devices. I run CM10.1 which I compiled from source (excluding binary blobs grrr) on my N4 and have not installed gapps thus have no Market.apk and have to manually load apks. I use K9 mail to connect to my Gmail account using S-IMAP rather than the official gmail client. I use the hidden appops feature to drill down into app permissions (e.g. disabling GPS fine location from apps that just don't need it). Unfortunately appops is also flawed as the permissions only appear when the app makes its first attempt to use them. I also use the excellent Orbot which can use iptables to transparently push everything down tor (never used for anything remotely important though).

I would love to install APG on my cell but I just don't trust the device enough. The only compromise I would be willing to make is create a subkey for signing only (and state it is a low assurance key for my cell in the comments). Ditto for ssh. I just can't entrust my ssh private key to my phone and my concern is not device theft or seizure.

People will remember CarrierIQ and the fiasco regarding its seemingly broad permissions. Unfortunately android just isn't even close to trustworthy esp with all the closed source binary blobs most phones require.

My 2c anyway.

I

BardiSeptember 20, 2013 8:21 AM

Does anyone use the "feature" of a router that only talks to a client if the client's MAC is in an internal list? That, in conjunction with running silent with the SSID would seem to keep a low profile along with a technique that, while not impossible to crack, would seem to cause a lot of time and effort to monitoring router traffic.

Mike the goatSeptember 20, 2013 8:24 AM

Bardi: this doesn't provide any additional protection as by running a WiFi card in promiscuous mode you can catch the chatter between the legitimately associated clients and the AP. You can later change your adaptor MAC to match one of the clients you discovered and chat with the AP.

wiredogSeptember 20, 2013 8:28 AM

Given the number of people (including myself) who reuse parts of passwords, or entire passwords, to make them easier to remember, I imagine it could be useful for Google to have access to them.

Yes, I know this is a bad idea. Somewhat less bad than writing them down and carrying the list with me.

WorrySeptember 20, 2013 8:33 AM

@Juergen: "cannot (easily) decrypt the rest of the traffic between the two devices with it"

No, but NSA has access to the local network of these device; NSA may now exploit IPMI, or another backdoor of its choice.

NSA may be replaced by Mossad, FBI, those interested to Petrobras, ...

AnonSeptember 20, 2013 8:37 AM

Regarding the wired connection, many ISPs now strongly pressure customers to not change the modem/router passwords from the factory-generated string (unique to each router and printed on the device label), because it removes their ability to remote troubleshoot for non-tech-savvy customers.

So, given that both the manufacturer and the ISP have a database of broadband modem/router passwords, the ISP knows where each is installed, and the vast majority are still in use, what are the chances that database has not been demanded by a NSL or hacked?

AspieSeptember 20, 2013 8:38 AM

@Clive

t used to be that those supplied by the broadband supplier had a "technical support" facility

This is what I thought, and doubtless such a useful feature would be retained.

So it wouldn't be beyond reason to activate a router supplied by the broadband service provider to do a little extra-curricular examination of any data that passes through it, even non-outbound data between devices within the same household?

So would a little off-loading of the traffic analysis with store-and-forward of "interesting" packets benefit a security agency?

Just batting around out-of-the-box thoughts.

(Asking for a friend, of course).

Anderer GregorSeptember 20, 2013 8:41 AM

I have to admit that I don't know the details about WPA2 here, but wouldn't this also mean that someone having this data (MAC, ESSID, Password) could easily pretend to be any of these known routers/AP to any other mobile device, including those that are not running Android?

@wiredog: At my university, students and employees each have the same password for University WIFI, VPN, computer rooms, email accounts, help desk, grades&certification system. I would think that many companies do the same. So anyone having the university WIFI credentials could easily access my grades, run software as myself, and every other aspect of ID theft as far as my identity as a student (or employee) is affected.

Jason SewellSeptember 20, 2013 8:43 AM

@Tom, I don't intend any disrespect, but your attitude, which seems to be "this doesn't impact me, so therefor it isn't relevant" is the exact reason we're in this mess. Sure, *you* may live in a remote enclave, but many people don't.

In some neighborhoods, you can easily find 50+ wifi access points in any given location. If you don't understand why a spy agency would find encryption keys for these access points useful, then I suspect you haven't really thought through the issue.

Mike the goatSeptember 20, 2013 8:43 AM

Bardi: also, it never ceases to amaze me how many weak APs there are out there. Many are susceptible to a reaver style brute force on the short WPS PIN. Some are still running WEP64. Many have default keys which are derived from either the MAC or serial number (the latter can be obtained via WPS), the early Thomson's being an example of note. Brute forcing is surprisingly effective for WPA2-PSK as many use dictionary words or permutations of dictionary words (e.g. 1-2 chars before or after a word, first letter of a word capitalized). So many use telephone numbers as keys (given you know the area code you can really cut down on brute force time) and others use their date of birth. I often run a six and eight number run to get these. The eight number brute force also gets a lot of portable hotspot devices that use an eight number key for some reason. By far the hardest one I have broken into (pen testing for a client, not illict) was a DSL modem with an integrated WiFi radio. After finding the model using WPS interrogation (reaver attack failed as WPS is shut down until next reboot after about ten unsuccessful tries on this model) and looking at a few screenshots of their settings pages I determined that the default password (which I knew was likely unchanged as the default SSID remained) keyspace was ten digit hex with upper case characters only, so 10^16. Given that just pumping the output from say crunch would result in the key being cracked sequentially (e.g. 0000000000, 0000000001 etc.) I hedged my bets with a little python script that semi randomly pecked through the keys. I cracked it on two Core 2 Duo machines each with a 5970 Radeon graphics card within 12 days. Of course I was lucky but a determined attacker with nothing but time would eventually break in.

Given these are offline attacks there is no risk of discovery and the task can be parallelized. I have even heard of people using amazon GPU instances to do just that. There are cloud services that you can upload your pcap file to like Moxie Marlinspike's cloudcracker or the free besside-ng servers.


Michael.September 20, 2013 8:47 AM

Welp. I guess that's another reason not to have a "smart"phone (i.e. they don't know my wifi password).

What I don't understand is why Google has access to the password at all. Why isn't it encrypted before being sent?

Google should do what Mozilla does with Firefox Sync. Everything is encrypted on the machine. Moreover, if you don't trust Mozilla to do it right, you can run your own sync server (see: http://docs.services.mozilla.com/howtos/... ).

And that's why I trust Mozilla more than I trust Google. (Not that that is hard, as I don't trust Google at all.)

roscoSeptember 20, 2013 8:50 AM

It's becoming difficult to find a phone which has reasonable features but which isn't affiliated with one of the major web services companies (Apple icloud, google account, windows, etc).

I'd like to move up from my monochrome-screen Nokia to a smart phone but all the extra complexity and security concern just isn't inviting. And many people simply don't need all those synching services. We're having it forced upon us. The manufacturers make it very difficult to remove and disable these features and we still don't know what's going on behind the scenes.

It would be nice to have the equivalent OS on a phone to what we have in a basic Linux desktop operating system on the PC.

When someone makes a phone/OS with decent email app, web browser, decent camera, and no services I'll put my cash on the table.

Projects like Firefox OS and Cyanogenmod sound promising but still aren't entirely user friendly installation processes for regular folk.

Mike the goatSeptember 20, 2013 8:54 AM

Michael: supposing they AES encrypt the WiFi key using your Google account password before uploading it to their servers I am not sure you would gain all that much. Even though Google probably don't store your Google password in plaintext and likely use a hash function like SHA256 they will still be able to just wait for your next logon to a Google service and pull the cleartext password out then. The only thing I can think of that would work is using the SIM's crypto function. But the restore function is intended to help those whose devices have been stolen. Without access to the USIM then decryption would be impossible.

Mike the goatSeptember 20, 2013 9:00 AM

Rosco: I wish Replicant AOSP project was more actively developed and supported my nexus 4. I agree with you wholeheartedly - it would be great to have something that has been engineered and not just hacked together. Android feels like the latter and really the whole reliance on a Java VM sucks. It sucks performance, it sucks battery longevity... It just sucks! Maemo looked promising in the early days but lost its way.

GentooAndroidSeptember 20, 2013 9:03 AM

@rosco: "user friendly installation processes"

I am creating one, see gentooandroid.sourceforge.net

@rosco: "user friendly installation processes"

It is not user friendly, except that it does not need unlocking or rooting. It may become more user friendly if you feedback on it.

md5sum d127df34b70923470a6608ea608bee0f, sha1sum 2c07ff43d2c8c8095fc0139adc93edbdcdece60e for /home/goujot/Downloads/gentoo_armv6l_unrooted_unlocked_android_v5.tar.bz2

Dr TSeptember 20, 2013 9:10 AM

@Aspie, I recently added a second router between my ISP's and my internal network, for that very same reason. I don't trust the ISP's router, but never had had enough of a push to setup the double wall to prevent it from seeing all the internal traffic. Thank Snowden it's now done at last.

Mike the goatSeptember 20, 2013 9:19 AM

GentooAndroid: if I understand this correctly especially given you are saying it doesn't require root is this just running gentoo in a chroot environment or is it for specific chipset devices which happen to be able to boot from SD like some Chinese tablets?

If its a chroot then it is running on top of android's kernel and all the android junk is still resident so I can't see a security advantage.

Ideally I would like to junk android and just run a clean self compiled distro and X11 perhaps with a wm optimized for touch.

The only real barrier to this is the radio drivers and baseband. Oh and camera... And FM radio... Etc.

:-(

AspieSeptember 20, 2013 9:48 AM

@Dr T

That could work, if you can trust the second router.

(Thank Manning you didn't take the Snowden's name in vain.)

Preston L. BannisterSeptember 20, 2013 9:53 AM

Last I knew, wireless security was pretty easy to crack, for a skilled attacker. Do not know about the latest deployed standards. If still true, having passwords may not mean much.

Flip this around. Is it possible to get strong security on a wireless network? Custom router, phone, and computer software, if needed, makes this hard.

FilbySeptember 20, 2013 10:03 AM

This was set in my Asus tablet.

I do not think it is that important what Google is doing with this data (they are just the data collector for the US government) except unless you live in those countries where Google supports uprisings.

@Andy Raynor and others
My company would like some references to that Microsofts and Apples product actually do this, so if you know of this in those products, can you provide more info?

Ewan MarshallSeptember 20, 2013 10:08 AM

@Aspie Most ISP provided routers I've seen have a second admin user account for the ISP to access. Often it is hidden, and a sometimes it is right pain to remove. The ISPs claim it is so they can push remote updates (I know of plenty of more secure methods that don't require the very definition of a backdoor). Given most home routers in the wild are ISP provided on default settings I seriously doubt they even need the backdoor anyway? Who knows the algorithm to generate the default admin password and wifi key from the serial number the router is broadcasting?

P.September 20, 2013 10:11 AM

I'm sure that the NSA already thought about it, submited the letter and recieved the DB and updates since...

Mike the goatSeptember 20, 2013 10:15 AM

Preston: WPA2-PSK is pretty robust providing you use a secure passphrase. You could generate a reasonable pseudorandom passphrase by doing something like this :-) (hacky, yes!)

head /dev/urandom|openssl enc -e -a -aes-256-cbc -k crap|head -n1|cut -c10-126

Mike the goatSeptember 20, 2013 10:21 AM

@Ewan: when I took over responsibility for security in the NOC of a medium sized ISP about a decade ago I performed an audit of assets and was surprised to learn that almost all of our ISP supplied DSL routers had tftp open to the world. Yes, that's right - anyone could push a firmware image onto the device. So that doesn't surprise me in the slightest. There were routers with vulnerable Cisco iOS versions installed not to mention Linux boxes running Slackware from about 1994. Throughout the following few years we upgraded everything from the RADIUS servers, the lns's used to terminate DSL tails and mail (the mail server ran a vulnerable sendmail). The ISP had been hacked on numerous occasions and /etc/passwd (no shadowing) stolen in the past. Prior to my contract no security guy had been employed by them - just hacks who had MSCE and no idea in regards to keeping Unices secure.

jggimiSeptember 20, 2013 10:43 AM

Preston asked, "Is it possible to get strong security on a wireless network?"

Sure. Up until this week (I'm moving) I had a WiFi access point where I used VPNs rather than WPA or WEP. The VPN technology was either IPSec for workstations or L2TP/IPSec for phones. No "special" equipment needed; just a general purpose computer with multiple NICs functioning as combination router/firewall.

I had access configured this way for historical reasons -- my original access point was pre-WPA hardware and I refused to use WEP -- and kept it this way over the years because the "open" access point was convenient for guest use. Access to the Internet via the open access point was controlled via the firewall.

Mike the goatSeptember 20, 2013 10:46 AM

Preston: . . . and sure some would say why not just base64 the random data like head /dev/random|base64 -|cut -c1-63 rather than AES encrypting the junk. Well, this is where Goebel's Theorem comes into it. Goebel postulates that where there are two ways of doing something, one simple and the other pointlessly over engineered you must always choose the latter just so it looks fancy. ;-)

PhilSeptember 20, 2013 10:47 AM

One thing I don't see mentioned here:

If you connect to a work network, odds are it's using WPA-Enterprise, and you're almost certainly using a username/password-based EAP mechanism like PEAP/MSCHAP.

Your credentials for that wireless network are almost certainly the same as for the rest of your corporate resources - VPN, email, file storage, financial system, voicemail - and every time your corporate password changes, you'll helpfully put the new value into the phone...

The risk factor there is considerable. If an NSA employee wants to access "Widgets Gmbh." internal systems, they could serve a suitably-worded disclosure to Google to extract the saved wifi credentials of a target user, then just log in.

Google should be encrypting this data with a client-side password, in the same way that synced Chrome bookmarks/data are. Sure, you have to trust the encryption, but the current setup is just beyond weak.

Mike the goatSeptember 20, 2013 10:56 AM

Phil: really there is no need for Google to even backup WiFi passwords. Calendars, photos, documents, even call metadata for the recent/missed call log would all be useful to have were your device to go "walkies" or somehow be destroyed. Is retyping your wireless credentials really that much of a big deal in that event? This really seems fishy.

Nick PSeptember 20, 2013 11:02 AM

@ Bruce

Another reason I'm a fan of routers supporting two WiFi modes: one for internal network and one for Internet access. Can keep the latter on these devices b/c that what most people use phone WiFi for anyway. Eliminates part of the risk.

David DonahueSeptember 20, 2013 11:13 AM

@Tom: "what could they actually do with my WiFi password?"

They could wait until you say something they don't like, upload some child porn from a laptop connected to this supposedly "secure and cryptographically authenticated" network and use the "authentication" provided by that as "proof" it was actually you that did the crime.

As an alternative to making you go to jail for the rest of your life, you could be forced to abuse the Trusts your profession position grants you, such as your employer's secret SSL keys (for MitM attacks) and providing access to Internet traffic / emails, etc. they want to monitor.

DBSeptember 20, 2013 11:16 AM

"Why would the government ever care about poor little ole me" is NOT an excuse to allow the government to steal every little piece of private information possible about you to do mass searches on! It should not be rendered impossible for any two humans to EVER communicate privately ever again on the entire planet! That's oppressive!

If they didn't care, why are they stealing all our information? Obviously they very much DO care, or they wouldn't be doing it!

And people who don't seem to mind, obviously have never lived under a totalitarian/dictatorship type government before. Well you need to grow up! Since our modern democracies are behaving more and more like dictatorships (i.e. making it illegal to report a crime the government is doing, squelching/intimidating/controlling the press, etc), you need to learn to get more worried, before you're personally really in trouble! Every holocaust starts with "other people" before it begins to affect you personally, of course!

fooSeptember 20, 2013 11:33 AM

Why assume it's only the gov having this data? There seems to be no access trail and the NSA still doesn't know what Snowden has taken away. Other people most surely have stolen this data and sold it to foreign agencies or terrorist groups.

There sure is a use case for shady elements making use of your WIFI in your name.

Nick PSeptember 20, 2013 11:53 AM

@ Mike the goat

"Phil: really there is no need for Google to even backup WiFi passwords. Calendars, photos, documents, even call metadata for the recent/missed call log would all be useful to have were your device to go "walkies" or somehow be destroyed. Is retyping your wireless credentials really that much of a big deal in that event? This really seems fishy."

Just seems like a normal convenience feature to me. They backup all your stuff so you don't have to worry. Wait, the lay person must go through trouble to get online again? Aggravation. Google's superior backup option to the rescue! The full-featured, increasingly vulnerable, and highly satisfying Android just got more of the same traits. ;)

@ Phil

Good point on the corporate access and the "Gmbh" reference. Yes, NSA could use this feature in cooperation with Gmail for easier spying on foreign companies. Another reason to want the feature gone or modified so only the client knows the password.

XelandreSeptember 20, 2013 12:20 PM

In any case, this database certainly isn't accidental, considering that the Google Maps car has been collecting SSIDs as it went along, causing a furore in Germany.

They have your mobile device's GPS data, they know which routers they access, and they know exactly where those are located. I can see applications for this.

Speaking of routers, you should also consider threats coming from the inside of the network.

Around 2009 I bought a terabyte network drive, for backing up and/or sharing data from individual computers. The manufacturer's name is an antonym of Eastern Analog. I had already bought a few such devices over the years from various sources, which all proved to be utter failures for one reason or another. Either the software was broken, or the device itself broke down. My latest acquisition did not disappoint me, at least initially.

Last year I did some routine configuration on my router, and incidentally blocked all incoming and outgoing internet access for the drive. I had no particular suspicion or reason for doing this, but thought it was good hygiene.

I was flabbergasted when I started seeing the router's log filling with rejected requests, which mostly concerned ICMP packets.

Here are some of the IP addresses the drive was apparently attempting to ping or connect to:

2.27.151.99, 94.66.151.221, 82.58.203.241, 79.147.68.210, 220.137.199.15, 88.233.6.57, 24.13.44.136, 190.88.92.48, 46.116.165.115, 188.4.152.167, 46.7.169.239, 220.137.199.15, 188.221.165.133, 85.85.189.57, 187.175.52.95, 220.137.199.15, 115.241.111.58, 46.12.19.51, 72.27.171.38

The sample covers hardly one half hour of traffic, and the IPs are spread all over the planet.

I am entrusting private and possibly sensitive data to this drive. I would NEVER have expected such a device to establish ANY kind of outside connection without my knowledge or consent.

What in hell is it trying to ping Pakistan or Belize or Saudi Arabia?

There isn't a word in the documentation about this, and I have scoured the internet to find out whether other people have noticed this. To no avail.

I have renewed the firmware on the thing in case it had been befallen by some kind of worm, but the behaviour remained unchanged. On the face of it, it appears to try to build some kind of network map. After about two years of traffic filtering this type of rejection has quieted down, suggesting that there was an internal list of active IP addresses that was being maintained, but the device still attempts to find out what nodes are in the neighbourhood.

Stupid feature, stupid programming, or is there something more sinister at play. I'd have to look into this with a packet analyser, but the router blocking should be enough, as long as Mr. Google doesn't try to come in through the RF channel.

wifi robinSeptember 20, 2013 12:59 PM

Leaking wifi credentials is shit security. Complain loudly to any vendor that does this. It can leave open to attack ALL unencrypted LAN comms and all behind-the-firewall open ports.

For $159.95 Wifi Robins (http://wifirobin.org/) sells an 802.11 antenna with a high data-rate reach of at least two miles, and it's easy to DIY your own highly capable wifi antenna.

Anyone who thinks that their 2W wifi beacon can only reach across the street or barnyard is being foolish.

Kevin LydaSeptember 20, 2013 1:08 PM

WHY. DOES. THIS. MATTER?

Ahem.

Seriously.

Why does this matter? You need to be in physical proximity to use a wifi network. And if you're in physical proximity you'll generally be able to break into nearly all wifi networks.

So with all that in mind...

why does this matter?

sniperSeptember 20, 2013 1:32 PM

WHY. DOES. THIS. MATTER? … You need to be in physical proximity to use a wifi network. And if you're in physical proximity you'll generally be able to break into nearly all wifi networks.

You obviously haven't bothered to read the post or comments. One answer was posted immediately before your question.

And this post isn't paranoid enough -- anyone can purchase the Wi-Fi 'Sniper Rifle' with a range of 10 miles. Giving private access to anyone within 10-mile radius isn't the best way to protect your personal information.

FilbySeptember 20, 2013 2:11 PM

Depending on your disposition, this may or may not currently matter for individuals in the US. But people should be aware that all that information will eventually get to the government. Its not the only piece of information either, as they are also getting the SSID and some other stuff.

[esp. paranoid material]
I would like to know how much snooping could be done through the cell phone towers, if these had equipment to also connect to nearby wifi networks.
[/esp. paranoid material]

Anyway this matters for corporations that may have reasons to keep their wifi details secret. For example there is zero guarantee from that advertizing company that their employees do not misuse this information.

Besides it also matters to people living in some foreign countries, some of which are US allies (note that this data will get to US gov't due to those backdoors that that advert company denies) but still have depressive domestic policies. Such as the 'Stans located between EU and China.

Dr TSeptember 20, 2013 2:11 PM

@Aspie, I certainly trust it way more than the ISP's. It is made by another country too, and runs a non standard firmware (to which I have root - placebo as it may be). So while I can't be certain ever, I'm pretty confident it is a good bit better.

Maybe I should be trying to get a third router from China... just to be really sure...

Is there a Russian router manufacturer ? :)

Bauke Jan DoumaSeptember 20, 2013 2:13 PM

"Wireless Fidelity", "Do no Evil".
In the meantime they unscrupulously store it all.

O tempora o mores.

Can a case be made to take a step back, and turn to using
flag semaphoring for one's comunications?


bjd

FilbySeptember 20, 2013 2:25 PM

Apropos Google and Android tablets: would anyone know where to find instructions for removing some of the Google components from Android tablets?

I am interested of checking if I can e.g. remove the voice search option. I have worked a bit with the adb tool in the Android SDK but would like to have some more details on what is "safe" to remove (and what is not).

GodelSeptember 20, 2013 5:49 PM

@Tom As I understand it, They not only have the password of your Wi-Fi network, but EVERY Wi-Fi network that you have the password for, which may include corporate networks that don't wish to share.

Also there's been various questions above on the security of routers.

"A Baltimore-based security firm has evaluated thirteen mainstream routers used by consumers and small offices to connect to the internet, and found all of them vulnerable – 11 of them remotely." Hmm.

Unfortunately they haven't tested any of the replacement router firmwares, such as Tomato, DD-WRT, OpenWRT etc.

http://www.infosecurity-magazine.com/view/31923/...

Mike the goatSeptember 20, 2013 11:59 PM

Filby: just remove the apks you don't want (and the odex files if your ROM isn't deodexed), e.g. for search and google now delete Velvet.apk

Hitlers HairdresserSeptember 21, 2013 2:33 AM

>You need to be physically near my network...

No, the NSA (or criminals) just need to pwn a computer anywhere near your network and then activate the wifi on that system, and break into your network by either entering the handy google archived password or cracking the WPA2 handshake. Moxie Marlinspike offers this service for $17 so do any Bitcoin pools https://www.cloudcracker.com/

They may also just use it to locate you. If google has a list of geolocations and wifi passwords/AP names and maybe even MAC addresses that's a goldmine of intel.

This comic basically sums up google right now http://i.imgur.com/0MK0NPp.jpg

For more interesting Google stories, check out Assange's meeting with Eric Schmidt http://thestringer.com.au/...

Andrew YeomansSeptember 21, 2013 5:26 AM

Surely a bigger issue is that details of all the WiFi access points you contact are being stored. And potentially correlated.

Are you sure that an AQ suspect isn't also using an access point that you use? Or has similar travel patterns? Or are you sure your phone isn't broadcasting details of all those old APs when looking for a connection, thus allowing passive identification of your location?

In this scenario, the password would be acting more as a validator of the SSID, to make it plausibly unique.

mesrikSeptember 21, 2013 5:34 AM

WHY. DOES. THIS. MATTER?

Just thinking of NSA's objective it's not so much about being able to "use" someones wireless lan but to be able to passively listen it sure is.

And before hurrying squashing it impractical. Think what they did with now known as Aquacade and formely Rhyolite's above before it was understood it was feasible.

Wi-Fi signals are much weaker (~ 1/100) of what commonly are used with microwave links technology has advanced quite a bit of that feat and we don't yet have idea what clandestine cargo has been hauled above. Having a few very satellites with very large ears (a football field sized or more), something like umbrella type antennae unfolded might be enough. And definitely data network signals with checksums etc. are much easier target for making sense in large volumes than analog signals back in -80's when signal is weak and SNR not ideal.

Having password's for the Wi-Fi's available would of course be convenient and avoid cracking would be certain value too.

That's just food for thought for you all.

ps. It would be nice someone to do in depth analysis how far those wi-fi signals in free air and space do spread. They certainly do not reflect back from ionosphere. Google with it's loon project is't using AFAIK much power at all to get up to 20km.

Kevin LydaSeptember 21, 2013 9:24 AM

"""You obviously haven't bothered to read the post or comments. One answer was posted immediately before your question.
And this post isn't paranoid enough -- anyone can purchase the Wi-Fi 'Sniper Rifle' with a range of 10 miles. Giving private access to anyone within 10-mile radius isn't the best way to protect your personal information."""

I live near the border of Galway and Mayo in Ireland. It's a very hilly and rainy and tree-filled area and there are parts of my house where you can't get a mobile signal. Also note that houses here have wi-fi resistant walls - I actually use two wifi routers to cover my house and I live in a single floor bungalow.

But OK, let's say the NSA is putting listening stations in Ireland to track wi-fi traffic here. There's a history of terrorism here and connections with Middle Eastern terrorists, so why not? Say each listening station can listen in on 400 square miles of traffic. Ireland itself is 32,000 square miles so that means there needs to be 80 listening stations here. That's kind of a lot.

But that's nothing compared to America. America is 3.7 million square miles. That's 10,000 listening stations (and this is a hugely optimistic view of how effective a listening station might be). And I've done road trips across the States where the auto-station finder on my radio cycled through the dial for the better part of an hour (Pennsylvania).

Plus the DB will always have holes in it. Google saves your wifi password *if* you use an Android phone. I know people who have wifi routers who have no wifi devices. I have wifi passwords for networks that no longer exist or that now have different passwords (including a few Google wifi networks).

So if you're going to break into wifi networks you're always going to have to do the wifi security cracking method in some networks.

There are insanely better ways to snoop on people. This is a very few dumber ones.

Snidely WhiplashSeptember 21, 2013 11:57 PM

@Brent Rockwood (and Bruce): Yes, this almost certainly happens on iOS as well. On an iPhone, go to Settings > iCloud > Storage & Backup. Under "iCloud Backup", the explanation says "Automatically back up your camera roll, accounts, documents, and settings"

Thus Apple has this information as well, if the person uses iCloud backup. So much for wireless network security.

QwertYSeptember 22, 2013 4:05 AM

Kevin, are you claiming that since it is not possible to easily get everything via this single method, then it would not be considered ?
That is an odd claim to make. After all, the NSA does a lot of things from which they can not easily get everything. The point here is that if you want something, then having more tools increases the likelihood that you'll get at what you want. You don't throw away your screwdriver just because it only works with a particular screw size (I know of screwdrivers with multiple heads, in case anyone's wondering whether to add a smartarse comment).

EphSeptember 22, 2013 4:06 AM

It's a great way to do targeted attacks. You get the WiFi password and SSID of your target, you follow said target, and you fake a WiFi access point, set up with said SSID and password. His phone will connect to this fake network, trusting it like it wold trust the home network. Bumm, perfect MITM attack.

Mike the goatSeptember 22, 2013 5:15 AM

Xelandre: wow, that is seriously suspicious behavior. Obviously you would have downloaded the clean firmware from uh, Eastern Analog and reflashed the device. Given how port 80 web based administrative interfaces are now ubiquitous on consumer hardware one has to expect that our l33t skript kiddies have been thinking long and hard about owning these types of embedded devices. I am speculating but perhaps embedding a nice little AJAX payload on owned websites to open a connection to what they suspect will be the target device IP (if I was targeting a NAS in a home environment would go for 192.168.1.2-21 and 192.168.1.100-20 and of course the same in 192.168.0.x as most home DSL modems start their DHCP pool at .2 or .100 and most home networks have less than twenty hosts), authenticate yourself (generally just a POST request, some older devices use http basic auth) using the default username and password and then submit another posting your URL to the firmware update CGI.

The device dutifully updates its firmware (very few devices do anything more fancy than a simple checksum to make sure the image isn't corrupt, clearly this could be stopped by signing the image) and your custom code is loaded.

Given most of these devices are running embedded Linux you have got a pretty fully featured environment to play with. It could connect to an IRC command and control channel, perhaps send back anything interesting it finds on the NAS, see what is on nearby SMB shares (so many people share the root of their C drive!), perhaps use fake ARP to setup a MITM attack, etc.

The risk to modems is even greater as we know what internal IP the modem will use (given we are targeting a specific manufacturer and model) by default and all the traffic is flowing through the modem.

Given many ISPs bundle a specific model of DSL modem with their services it would make sense to perhaps spam specific customers of an ISP and either put the malicious js in the htmlified email (many clients would block it) or trick the user into opening a website with the exploit on it. Then bang its game over.

You wouldn't even need to make a custom firmware. Just craft a request that logs into the modem interface as admin/admin (or whatever the default is) then either turn on remote administration and then the second part of your script can pull a file from the attacker's web server so you have their IP in your access_log (or submit your IP to the modem diag page to ping and use your firewall logs to keep track of the newly compromised) and then you can craft your own attack rules at your leisure.

There was an attack a few years back in a foreign country that did something very similar and changed the modem's DNS to point to one owned by the attacker that had poisoned responses for some of the local banks. If I could remember the paper where this was mentioned I'd include a link. It was Spanish language.

But why stop there? Once you have remote admin many modems slow you to enable telnet or ssh. If you had that kind of access you could do pretty much anything but even if all you have is a web interface you could always check the ARP cache for targets and then one after another update the DMZ host so you can port scan and potentially attack each host behind the NAT. You could write a little python/scapy script that did this in an automated fashion. You could also add ipfilter rules to redirect traffic of interest.

Mike the goatSeptember 22, 2013 5:23 AM

@eph: exactly. Even if the WiFi data isn't useful to them all the time there will be situations where being able to quickly obtain the WPA2 key without brute forcing it. The NSA will take whatever they can get.

horseshoeSeptember 22, 2013 9:00 AM

Here's a question: what if Google agreed to stop backing up passwords. Or you set your settings so that it's not backing up to Google. How do you really know? Is there any way to verify this sort of thing? I don't know for sure, but I am thinking not. Is that the elephant in the room? Even if we outlawed this and backdoors and interception of phone data, etc, how would we ever know whether it had really stopped or not? Technically, is there any way to tell?

HansbertSeptember 23, 2013 2:59 AM

A list of, say, 50% (by number) of the world's WiFi passwords might well contain >99% (by uniqueness) of all passwords. Put these in a dictionary attack and you got more free computing time for the more difficult crypto tasks.

GentooAndroidSeptember 23, 2013 5:24 AM

@Mike the goat "all the android junk is still resident so I can't see a security advantage"

Yes. But you can stop using Sync, phone directory, Google Maps, ...

If you do not trust android after audit of its public source code, you should not trust all the source code of a linux distribution (that was what you initially asked).

There are at least two visible attacks:

http://research.swtch.com/openssl for Debian
http://www.zdnet.com/... for Gentoo

Even Openbsd was compromised (difficult to exploit for anyone else than NSA):

http://web.archive.org/web/20120103060415/http://...

@Mike the goat "If its a chroot"

chroot is not available as it requires root.

gentooandroid is in a subdirectory, semi-automatically prepended at compile time to all paths.

Mike the goatSeptember 23, 2013 6:55 AM

Gentooandroid: almost everyone who would want to run gentoo on their android would have root on the device. Furthermore your statement about not trusting the source code is a bit misleading. I do trust the source, I just don't trust that the binaries are necessarily compiled from the same source.

Unless you are running a Nexus device where full source is available (although some drivers are binary blobs, so we have trust issues here too) or you are using a device which supports Replicant or has a working cyanogenmod port you can't (easily) compile your phone firmware from source.

Of course you can delete the apks for all the crap you mentioned (if you have root and can remount /system rw) but you are still going to have the android UI and dalvik resident.

A far superior solution would be to have a working ARM linux that has nothing android within it. Of course you would have to work on x11 server for whatever graphics hardware you have in the phone or tablet but provided you can do this, you could have a normal Linux environment.

I just don't see any security advantage in running what you are describing. Sure, you'd have a more complete userland and could do normal Linux stuff on your android device but you still are relying on android components.

GentooAndroidSeptember 23, 2013 7:12 AM

@Mike the goat "I do trust the source [...] I just don't see any security advantage in running what you are describing."

You should no more trust unaudited source code more than the "compilation" process, after what Snowden revealed. Although I admit that binary blobs are a problem.

I admit there is no "security advantage" in using gentooandroid. Only the possibility to leave a smaller footprint of your life (work/private) on what Android is used to recognize.

As I was told in personnal communication from Openbsd's members, the problem is not X11 but the wireless chips (phone).

Autoconfiguration of X11 chose the drivers modesetting and fbdev in my case.

GentooAndroidSeptember 23, 2013 7:24 AM

@Mike the goat "almost everyone who would want to run gentoo on their android would have root on the device."

But you lose warranty.

The secure future may be OpenBSD, or better www.scs.stanford.edu/histar, or best some OS rewritten in Parasail language.

Mike the goatSeptember 23, 2013 7:24 AM

Gentooandroid: well, that's right - a Ken Thompson style compiler attack could take perfectly audited source code and poison it, but at some point you have to say "this is as far as I can take this" given that hardware, microcode etc could also be compromised.

Given we are talking about mobile devices that are running a completely opaque and closed source radio baseband along with binary drivers for everything from 802.11 to capacitive touch there are plenty of places a nasty surprise could hide.

I wasn't claiming your software wasn't useful - a full glibc and Linux userland would come in handy to a lot of users, just that as it is running beneath the cellular manufacturer's firmware it can be subverted just as easily as, say a native Android app.

Mike the goatSeptember 23, 2013 7:30 AM

GentooAndroid: given the statements made about iPhone jailbreaking not voiding consumer protections including warranty In would assume that rooting your device would fall into the same bucket.

Of course they won't (and shouldn't be expected to) honor a warranty if you bricked your handset playing with the boot loader /but/ if a hardware fault develops that is demonstrably unrelated to rooting then they have an obligation to fix it.

I can personally vouch for the fact that motorola fixed my touchscreen despite the fact I had unlocked the boot loader and was running a custom ROM. The only thing they asked of me was to restore the stock ROM using fastboot to ensure the problem wasn't caused by bad third party software .... Which is a reasonable request IMO (like a laptop vendor asking that you do a factory reset / restore of stock OS image before raising a R.A.)

Mike the goatSeptember 23, 2013 7:38 AM

GentooAndroid:
I don't trust OpenBSD. This is a subjective thing. I have absolutely nothing concrete to base this on. I don't trust Theo nor do I agree with the architectural decisions they've made. Their claim "no remotely exploitable flaws in the default install since xxx" (paraphrased as I can't be bothered looking it up) sounds impressive but when you look at how limited the OpenBSD base is then it isn't really that surprising.

Maybe the fact that DeRaadt is a pain in the ass affects my opinion ;-)

GentooAndroidSeptember 23, 2013 8:18 AM

By "compilation process" I included the compilation process done by Google itself after eventual NSL coercition.

I think we overall agree, except maybe about the usefulness of software warranty.

I am neutral about OpenBSD.

RKSeptember 24, 2013 8:11 AM

What good is a bunch of passwords and SSIDs? May be I am not understanding - if I had a million passwords, I still couldn't do anything with it - unless I know where the SSIDs belong. And even if I did, I get access to bandwidth? Thats it?

Of course, it is not acceptable that Google saves it - but I am at loss what the big issue is.

Mike the goatSeptember 24, 2013 9:35 AM

RK: Google maintains a database of SSID and MACs that its Street View trucks sense whilst mapping neighborhoods, so it is quite likely they can determine location. That said, I suspect its real utility would be in obtaining your password (hopefully username too in the case of WPA2 enterprise) as many people are guilty of password reset.

A more disturbing trend is the Android Market loading applications and updates without user consent. For example the recent "Google settings" apk was pushed out through Market and not via OTA firmware update channels.

So it is true. They can target your cell and load arbitrary code without user consent whenever they please. An attacker who gainsn your Google account credentials can also login to the Market on a web browser and install a piece of software on to your device without physical access. Many of the phone security "phone home" apps will activate by default when installed. Easy remote access.

Not many people are aware that there is such software built into later versions of android and it is enabled by default. Google "android device manager".

WaelSeptember 24, 2013 10:02 AM

@ RK

What good is a bunch of passwords and SSIDs?...

For example, not exhaustion:

  • They can tell which SSIDs you used. The password is a form of non repudiation (you know the password and the SSID, then you cannot deny using that hotspot)

  • They can tell your circle of friends

  • They know which hotels, coffee shops, airports, etc. you visited

  • They can build relationship trees


...

JamesSeptember 28, 2013 1:05 PM

@Wael
Decent list. I'll add one
• They could frame you of a huge crime and get you to confess to something/plea bargain

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..