99% of Android devices vulnerable to authentication attack
By this point, just about everyone knows how risky connecting to an unsecured wireless access point can be. Unfortunately, many public Wi-Fi hotspots forgo security in exchange for convenience, and that ultimately leaves users exposed to attacks. Based on new research from the University of Ulm in Germany, Android users appear to be in even more danger than those on other platforms.
A weakness in Android versions 2.3.3 and earlier leaves authentication tokens stored on devices for a full two weeks after the initial login is made to services like Google Calendar, Facebook, and Twitter. An attacker can then launch an impersonation attack and intercept the token when a subsequent request is made. While the hole has been plugged in Android 2.3.4 and the tablet-friendly Android 3, most users remain unpatched (the overwhelming majority are still running Android 2.2). Worse still, even though the token vulnerability has been addressed, Picasa synchronization still puts users at risk by transmitting data over unencrypted channels.
The Android team is currently working on a fix for this as well, but that means almost 99% of Android devices in use are at risk right now. As the University team told The Register, it’s not overly difficult to ensnare users with this type of attack. All it takes is setting up an unencrypted access point and broadcasting a common, familiar SSID, to which devices will automatically connect if they’ve done so before. Apps which use Android’s ClientLogin protocol and are running in the background would then immediately try to authenticate, enabling the attacker to harvest tokens.
A fix should be fairly simple: allowing ClientLogin to transmit data only over HTTPS, for example, ought to be sufficient. Whether that will happen or not remains to be seen, so the best way to protect yourself right now is to completely avoid using unsecured wireless connections.
More at The Register
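To check whether an app you maintain follows the HTTPS-only rule suggested above, the following added example (not code from the article, the researchers, or Google) audits a list of recorded outgoing requests and reports any that carry a ClientLogin token over a non-TLS URL. It assumes the `Authorization: GoogleLogin auth=...` header format from Google's ClientLogin documentation, which the article does not spell out; the app names, hosts, and token values are constructed.

```python
import re
from urllib.parse import urlsplit

# ClientLogin tokens travel in this request header (format from Google's docs, not the article).
TOKEN_RE = re.compile(r"^\s*GoogleLogin\s+auth=(\S+)", re.IGNORECASE)

# Constructed sample: requests recorded from apps under test (hosts are placeholders).
SAMPLE_REQUESTS = [
    {"app": "calendar-sync", "url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAHconstructedtoken1"}},
    {"app": "contacts-sync", "url": "https://contacts.example.test/feeds/default",
     "headers": {"authorization": "GoogleLogin auth=DQAAAHconstructedtoken2"}},
    {"app": "photo-sync", "url": "HTTP://photos.example.test/data/feed",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAHconstructedtoken3"}},
    {"app": "weather", "url": "http://weather.example.test/today", "headers": {}},
]

def extract_token(headers):
    """Return the ClientLogin token from a header dict, or None (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            match = TOKEN_RE.match(value)
            if match:
                return match.group(1)
    return None

def redact(token):
    """Keep only a short prefix so findings never re-expose the credential."""
    return token[:4] + "..."

def audit(requests):
    """Return one finding per request that sends a ClientLogin token without TLS."""
    findings = []
    for req in requests:
        token = extract_token(req["headers"])
        if token is None:
            continue  # no credential attached, nothing to leak
        parts = urlsplit(req["url"])
        scheme = parts.scheme.lower()
        if scheme != "https":
            findings.append({"app": req["app"], "host": parts.hostname,
                             "scheme": scheme, "token": redact(token)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f['app']}: token {f['token']} sent over {f['scheme']}:// to {f['host']}")
```

A clean result only covers the requests that were recorded, so exercise background sync paths as well as foreground logins before trusting it.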