Report: 99 percent of Android phones vulnerable to “impersonation attacks”
Researchers from the Germany’s University of Ulm have discovered that the vast majority of devices running Google’s Android operating system are vulnerable to “impersonation” attacks. These vulnerabilities allow attackers to steal credentials used to access calendars, contacts, and other data stored on Google’s servers.
The culprit of the vulnerability is an improper implementation of an authentication protocol known as ClientLogin. The implementation is limited to Android versions 2.3.3 and earlier.
When a user logs in, they submit valid credentials for apps like Google Calendar or Contacts, and an authentication token is sent in cleartext, providing attackers with an opening to retrieve the authentication token, which is valid for 14 days.
Researchers called it an “impersonation attack” and found that not only was it possible, but every easy to do. So far it seems these vulnerabilities are unique to unencrypted networks, like public hotspots at coffee shops. From their report:
“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, Starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
The solution? For developers who use ClientLogin to encrypt such traffic, or for Google to beef up its security by shortening the time authTokens remain valid. Google could even limit ClientLogin requests to secure connections. Google says they plan to work on getting updates out to carriers quicker (many Verizon users are still stuck on 2.2.2).
A spokesperson from Verizon gave the Register some sage advice, advising that users “should consider using their devices only on secured networks.”