Security

EFF finds Android leaking Wi-Fi history thanks to open source Wi-Fi stack

Android phones running 3.1 and newer versions of Google's mobile operating system are leaking Wi-Fi connection histories, the Electronic Frontier Foundation has discovered.

A bug in the wpa_supplicant Wi-Fi stack commonly used in Linux and some BSDs, is the source of recent versions of Android broadcasting Wi-Fi history when a device's screen is switched off.

The problem was discovered by the Electronic Frontier Foundation (EFF) who said in a blog post that a user's location history could be determined from Android's behaviour.

"This location history comes in the form of the names of wireless networks your phone has previously connected to," the EFF said. "These frequently identify places you've been, including homes ('Tom's Wi-Fi'), workplaces ('Company XYZ office net'), churches and political offices ('County Party HQ'), small businesses ('Toulouse Lautrec's house of ill-repute'), and travel destinations ('Tehran Airport wifi')."

The rights organisation said it considered the plain text of wireless names more dangerous than usual geolocation data, because it "clearly denotes in human language places that you've spent enough time to use the Wi-Fi".

The leaking of Wi-Fi SSID history was found to take place when a device was not connected to a Wi-Fi network, and the device was looking to connect to either a hidden network or a Wi-Fi network that the device had joined previously.

In tests conducted by the EFF, it was found up to fifteen of the networks stored in a device's history were transmitted. Among the devices found to be leaking were Google Nexus 4 and 5, HTC One, Motorola Droid 3+, and Samsung Galaxy Nexus -- a number of devices were tested with Cyanogenmod and were found to continue leaking. Devices that were found to not leak included Samsung Galaxy S3 and S4, HTC One Mini, and iPhone 4 or later.

Phones were not the only devices suffering from the issue, with all OS X laptops and many Windows 7 laptops exhibiting the same behaviour.

"Desktop OSes will need to be fixed, but because our laptops are not usually awake and scanning for networks as we walk around, locational history extraction from them requires considerably more luck or targeting," the EFF said.

The issues was traced back to the addition of the Preferred Network Offload feature of Android 3.1, which is designed to allow for Wi-Fi connections when a device screen is not on. The EFF found that the Wi-Fi SSD leaking did not occur when a device's screen was powered on.

After being informed of the issue, Google patched wpa_supplicant to remedy the situation, but the EFF warns with the fragmented state of Android, and the update process needed to negotiate handset and telco companies, that many prevent many Android users from receiving the fix.

Until a patch arrives, the EFF suggests users worried about their privacy set the "Keep Wi-Fi on during sleep" option, found under advanced Wi-Fi settings, to "Never". However, on a Motorola Droid 4 running Android 4.1.2, it was found that this workaround did not end the leaking.

A more thorough fix is to manually forget networks or to disable Wi-Fi entirely.

About

Some would say that it is a long way from software engineering to journalism, others would correctly argue that it is a mere 10 metres according to the floor plan.During his first five years with CBS Interactive, Chris started his journalistic advent...

5 comments
josmyth
josmyth

So it is not Android, but some of the devices running Android (and some devices not running Android). It would be nice to know which devices do or do not have this problem.

Gayle Edwards
Gayle Edwards

It is kind of sad to me when individuals brazenly state that a very few, apparently un-exploited, newly-discovered, theoretical, security flaws in systems (with demonstrably, generally, superior security, and an enviable track-record)... must... somehow... be no better than other products with thousands of, very publicly disclosed, exploited, and fully-documented security-flaws, software attack-vectors, and tens of thousands of known viruses and other pieces of malware (and which, time and again, -HAVE ACTUALLY- been very successfully, surreptitiously, compromised without any user-interaction, what-so-ever).

However, as to the specifics of this case... -IF- someone is monitoring the WiFi at a user's location... And, -IF- the user hasn't turned-off a feature (which is actually also present in "Windows" and "OS-X")... Then, theoretically, that third-party could see the WiFi-networks that the individual device was looking for. And, thereby, even more theoretically, exploit it. To me, that doesn't really seem to lift any platform (or, general design approach) above the others in this case.

So, I have to wonder as to the general-intelligence, and/or, integrity and motivation, of any individuals, making such, clearly, juvenile, and inflammatory, public-statements.

eye4bear
eye4bear

Sure now looks like open source is not more secure than any other software. So much for that load of hyped BS.

jdcnservices
jdcnservices

@eye4bear Says the one who did not read beyond the overly hyped and stupid headline.  That's why headline porn is turning news into nothing more than a bunch of gossip.  People who merely scan the headline will say, "Oh, open source is so much worse, I see!"  Whereas, buried in the article is ,"'Desktop OSes will need to be fixed, but because our laptops are not usually awake and scanning for networks as we walk around, locational history extraction from them requires considerably more luck or targeting,' the EFF said."


I suppose that according to them, laptops with either of those OSes have anything to worry about when going into a local coffeeshop to use the wifi there.

blakepiercy
blakepiercy

@eye4bear Anyone who says they have something that's secure is pretty much issuing a challenge.  Hackers will always be at least one step ahead.

Editor's Picks