Wednesday, May 18, 2011

Why the last Android security flaw is kinda... overrated.

As I read today another headline that was like "ZOMG! Android leaks data".

Before I start with the real thing, let's explore together what this hype is all about...
The University of Ulm published information about a security-flaw in older Gingerbread builds and versions lower than that (Froyo, Eclair and blah).

Basically you have to be logged into a public WIFI (or a WIFI that has been breached or belongs to the attacker) and have an older Android version... If that's the case, someone who is logged into the same WiFi as you, might in theory be able to intercept a token that is responsible for authorizing with Google services and use it to impersonate you, messing with your data.

So, how likely is this to happen? Uhm... If you haven't pissed of some nerd that is possibly also a troll, you're safe, I guess.
So what data might be in danger?

At the moment it is known that Calendar Sync, Contacts Sync and Picasa Sync are vulnerable to attacks.

Possible benefits of this hack:
- Gaining information about a certain individual
- Harvesting telephone numbers and email addresses to sell them to marketers / spammers
- Gaining access to pics about Aunt Erna's birthday party

Effort to pull this off:
- Good knowledge about the Android system, the Sync-process and networking in general
- Enough time on location to harvest enough viable data
- Setting up a hotspot, compromising a hotspot or using a public hotspot
- Coding software that automates the spoofing and harvesting process
- Possession of suitable hardware

Crackers (the mean form of hackers) won't even think about exploiting this path, because it is simply not profitable to pull that off. You won't gain information that is valuable enough to justify the effort... no credit card data, no social insurance numbers... nothing. Email addresses and phone numbers are way too cheap from other sources and way easier to harvest in large amounts from the web or compromised servers.
The most likely reason for this to happen is to try out if it really works, or just for fun.
Even if you might be stupid enough to save your credit card data in an appointment on Google Calendar, a clever cracker would never use it, because it would be way too easy to trace the fraudulent transaction back to him if the origin isn't cloaked by reselling the data.

Crackers concentrate on webservers which host more precious information (see the Playstation Network) in a way larger amount, but you'll never hear the media talk about these possibilities. No one thought that a large company like Sony would be so easy to compromise. They had stored all the data way too accessible in one combined database, where it would make much more sense to fragment the data until it becomes unusable without knowing how to put it back together.

The media basically just spreads a little panic because they don't have not enough skill to look into possible large breaches on their own.

So, update your Android version or don't piss off angrynerds. That's all.


No comments:

Post a Comment