Android Exploit Credential Theft
mgerbasio
Enthusiast - Level 3

Hi,

I'm using a Droid X and read the following article:

http://www.bgr.com/2011/05/17/99-of-android-handsets-vulnerable-to-account-credential-theft/

This seems like a fairly easy exploit to allow sensitive information to be stolen from our phones. Can Verizon tell us (1) what we can do to prevent this exploit and (2) when a patch/upgrade will be issued with the Google patch that prevents this exploit? Thanks.

Correct answers
Re: Android Exploit Credential Theft
Synycalwon
Contributor - Level 1

According to the original article on the Register (http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/):

"The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots."

This is why I NEVER use Wi-Fi hotspots whether it's my laptop or smartphone! I only trust my own network (hardwired or Wi-Fi). The ONLY time I could ever see using one of these "unsecured" networks would be on a laptop only for browsing things on the web that don't require credentials!

Re: Android Exploit Credential Theft
mgerbasio
Enthusiast - Level 3

Well, that sounds like a good idea, but what about when you leave wifi on for LBS? What about in a hotel where the wifi hotspot may be encrypted but someone sets up one with a duplicate name and password (as these are typically generic)? A lot of times I'm out of cell range and need to connect to a wifi hotspot (in buildings). If I move to a closer unsecured hotspot and my phone switches to another network, will I know it? Is there any way I can avoid this issue?

It makes me much happier that I have unlimited 3G; AT&T users who have a cap and are encouraged by AT&T to use wifi are probably going to have the hardest time with this issue.

I'd really like to see Google, Verizon or the manufacturers give us some guidance other than, "never turn on your wifi".

Re: Android Exploit Credential Theft
Synycalwon
Contributor - Level 1

I'm not saying never turn on your Wi-Fi or that Google and Verizon shouldn't get a fix out. But rather, this is another reminder of the potential issues when using public networks, in particular Wi-Fi.

As an example, while I trust my own home Wi-Fi network to an extent (it's locked down as much as possible), I NEVER use it for anything of a sensitive nature (ex. online banking), but instead always use my hardwired network. Ditto for my smartphone, I would NEVER use it for highly sensitive things, even over the cell carrier's data network. You just can't control where that wireless signal goes and who may be able to sniff it. At least with hardwired, someone would have to physically connect to it in order to even attempt to sniff it. It's always a trade-off between security and convenience. I choose security, but that's just me (highly cynical and somewhat paranoid ;) )

Re: Android Exploit Credential Theft
rel1sh
Newbie

There is a bit more in-depth info on this issue here, as well as a proof of concept and technical details:

http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

Although this relies on using open/unencrypted WiFi connections, the exploit has already been fixed in later versions of the Android OS (the vulnerabilities in Calendar and Contacts sync in 2.2 have both been fixed in 2.3.4). Does Verizon provide a schedule of planned updates to the OS?

Re: Android Exploit Credential Theft
Ann154
Community Leader
rel1sh wrote: "Does Verizon provide a schedule of planned updates to the OS?"

In the past year that I have followed android information, I have never heard of them doing a master list. Some individual manufacturers have said a general time frame for an update. However, they are usually late and miss the end of the quarter by at least a month.

If there is one, oh what a gold mine.

I'm most definitely NOT a VZW employee. If a post answered your question, please mark it as the answer.
