A bug in the wpa_supplicant Wi-Fi stack commonly used in Linux and some BSDs, is the source of recent versions of Android broadcasting Wi-Fi history when a device's screen is switched off.
The problem was discovered by the Electronic Frontier Foundation (EFF) who said in a blog post that a user's location history could be determined from Android's behaviour.
"This location history comes in the form of the names of wireless networks your phone has previously connected to," the EFF said. "These frequently identify places you've been, including homes ('Tom's Wi-Fi'), workplaces ('Company XYZ office net'), churches and political offices ('County Party HQ'), small businesses ('Toulouse Lautrec's house of ill-repute'), and travel destinations ('Tehran Airport wifi')."
The rights organisation said it considered the plain text of wireless names more dangerous than usual geolocation data, because it "clearly denotes in human language places that you've spent enough time to use the Wi-Fi".
The leaking of Wi-Fi SSID history was found to take place when a device was not connected to a Wi-Fi network, and the device was looking to connect to either a hidden network or a Wi-Fi network that the device had joined previously.
In tests conducted by the EFF, it was found up to fifteen of the networks stored in a device's history were transmitted. Among the devices found to be leaking were Google Nexus 4 and 5, HTC One, Motorola Droid 3+, and Samsung Galaxy Nexus — a number of devices were tested with Cyanogenmod and were found to continue leaking. Devices that were found to not leak included Samsung Galaxy S3 and S4, HTC One Mini, and iPhone 4 or later.
Phones were not the only devices suffering from the issue, with all OS X laptops and many Windows 7 laptops exhibiting the same behaviour.
"Desktop OSes will need to be fixed, but because our laptops are not usually awake and scanning for networks as we walk around, locational history extraction from them requires considerably more luck or targeting," the EFF said.
The issues was traced back to the addition of the Preferred Network Offload feature of Android 3.1, which is designed to allow for Wi-Fi connections when a device screen is not on. The EFF found that the Wi-Fi SSD leaking did not occur when a device's screen was powered on.
After being informed of the issue, Google patched wpa_supplicant to remedy the situation, but the EFF warns with the fragmented state of Android, and the update process needed to negotiate handset and telco companies, that many prevent many Android users from receiving the fix.
Until a patch arrives, the EFF suggests users worried about their privacy set the "Keep Wi-Fi on during sleep" option, found under advanced Wi-Fi settings, to "Never". However, on a Motorola Droid 4 running Android 4.1.2, it was found that this workaround did not end the leaking.
A more thorough fix is to manually forget networks or to disable Wi-Fi entirely.
Some would say that it is a long way from software engineering to journalism, others would correctly argue that it is a mere 10 metres according to the floor plan.During his first five years with CBS Interactive, Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining the company as a programmer.Leaving CBS Interactive in 2010 to follow his deep desire to study the snowdrifts and culinary delights of Canada, Chris based himself in Vancouver and paid for his new snowboarding and poutine cravings as a programmer for a lifestyle gaming startup.Chris returns to CBS in 2011 as the Editor of TechRepublic Australia determined to meld together his programming and journalistic tendencies once and for all.In his free time, Chris is often seen yelling at different operating systems for their own unique failures, avoiding the dreaded tech support calls from relatives, and conducting extensive studies of internets — he claims he once read an entire one.