Backed up and gone...

Remember how easy it is to lose your passwords for web applications (“Don’t let Chrome expose your passwords”)? This time we go bigger and discuss how easy it is to lose the passwords for every wireless access point you’ve visited. You just need to be running Android on your smartphone…

 

Apparently, Google was already capturing wireless access points during its Street View campaign but was forced to stop after complaints from data protection advocates. It was done “mistakenly”.

With Google’s Android now dominating the smartphone market, they’re back to their old tricks. As a useful feature, Android (version 2.2 and higher) stores the identifiers (“SSIDs”) of wireless access points and their credentials by default, so that you do not have to re-enter them on every connection. The interesting part happens when the smartphone is automatically backed up to Google’s data centres: the SSIDs and the associated passwords are not encrypted once they are there. Thus, Google has full access to them and could, potentially, produce a “free access map” to many wireless access points worldwide. Of course, this would help some anonymous government agencies. Along with Wi-Fi passwords, your keychain is also automatically synced; presumably this includes your CERN passwords as well as your private ones. Not to mention all your other data (photos, emails, videos, apps, etc.) that “vaporizes” once it is backed up in the Google cloud (see our Bulletin article on this subject: “Send your data into the cloud and make it… vaporize”).

However, this does not make an Apple Mac or iPhone safer. Once iCloud has been enabled, your device regularly mirrors all information to Apple’s computer centres: apps, music and films might be fine, as you have most likely bought them via the iTunes store. But what about your calendar entries, e-mails, photos and films? It is at Apple’s discretion whether to analyse this data and use it for advertising purposes (or send it to the aforementioned agencies). Worse, while today you can still disable “iCloud” functionality (iOS -> Settings -> General -> Usage), in the future this might not be possible. Discussions have emerged about whether on “OS X Mavericks there is no longer a way to sync any i-device except through the cloud”.

In blunter terms, this would imply that iOS users are forced to provide all their data (or give up on the iPhone). Furthermore, Apple is not the only one targeting your data. LinkedIn recently published an app that diverts all your emails through their central servers for data mining. With the NSA and GCHQ spying on us from one side, and big companies like Apple and Google doing the same from the other, what’s left but to sigh, give up and let it happen? Smash your phone and go back to the communication stone age? Rally and hope that politicians tackle the problem? Be less paranoid than the security guys at CERN? We are very curious about your opinion!


Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


Access the entire collection of Computer Security articles here.

by Computer Security Team