Slashdot Mirror


Google Storing WLAN Passwords In the Clear

First time accepted submitter husemann writes "Micah Lee from the EFF filed a bug report about Google storing all your WLAN passwords on their application settings backup service without allowing you to encrypt them. So far it's not known whether the passwords are stored encrypted at rest, but just the fact that Google can read them (and disclose them if forced by 'law') is a bit surprising, to put it nicely. Already one German university is concerned enough about this 'feature' that they issued a warning to their users."

6 of 242 comments

  1. Other people leak your guest wifi password by DigitAl56K · · Score: 2, Interesting

    I think it's worth mentioning one other side-effect of this "send everything" backup policy: I basically cannot safely guest any visitor who has an Android phone onto my secured WiFi network without their phone sending my WiFi password straight to Google.

    This puts me in the awkward predicament of denying visitors WiFi access, or constantly changing the guest password on every device I have that uses it.

    If you're reading, Google folks, this is fricking annoying.

  2. Apple iOS by EkriirkE · · Score: 5, Interesting

    While not storing cleartext, they do store your WiFi passwords in a reversible encryption. If using WPA I think they should just store the ssid:phrase hash instead of keeping the phrase. WEP can't be helped... Anyhow, Apple stores all passwords in their keychain and this is easily snooped. Jailbroken iOS devices can get "WiFiPass" to reveal all the AP & passwords it's ever connected to. It's handy when I pass my device to an AP owner to "privately" enter their password but I want to associate more devices, I just load that program and see what it was and do it myself.

    --
    from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
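
The "store the ssid:phrase hash" suggestion in comment 2, sketched as an added example that is not part of the thread: for WPA/WPA2-Personal the key a device needs is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a backup can keep that 256-bit PSK and drop the phrase. The record layout and function names are assumptions for illustration and the sample networks are constructed; the derived PSK still joins that one network, so it protects a reused phrase rather than the network itself.

```python
import hashlib

def wpa_psk(ssid: str, passphrase: str) -> str:
    """256-bit WPA/WPA2-Personal PSK as 64 hex digits."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()

def scrub_for_backup(networks):
    """Hypothetical backup step: replace WPA phrases with the derived PSK."""
    records = []
    for net in networks:
        rec = {"ssid": net["ssid"], "security": net["security"]}
        if net["security"] == "wpa-psk":
            rec["psk"] = wpa_psk(net["ssid"], net["secret"])
        elif net["security"] == "wep":
            # WEP has no derivation step: the stored key is the secret itself,
            # so flag it instead of pretending it was protected.
            rec["wep_key"] = net["secret"]
            rec["secret_exposed"] = True
        records.append(rec)
    return records

# Constructed sample data (not from the thread)
SAMPLE = [
    {"ssid": "home-net", "security": "wpa-psk", "secret": "correct horse battery"},
    {"ssid": "guest-net", "security": "wpa-psk", "secret": "correct horse battery"},
    {"ssid": "old-printer", "security": "wep", "secret": "0123456789"},
    {"ssid": "cafe", "security": "open"},
]

if __name__ == "__main__":
    for rec in scrub_for_backup(SAMPLE):
        print(rec)
```

Because the SSID is the salt, the same phrase on `home-net` and `guest-net` yields two unrelated PSKs, which is what keeps a backed-up record from revealing a phrase reused elsewhere.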
  3. Re:Too much trust by kasperd · · Score: 3, Interesting

    I think this is a perfect example again that we put too much trust in Google.

    Google isn't the problem. The American government is. Which means if you want to be safe, stay away from USA and don't trust any companies based there.

    If you happen to live there already, maybe it is about time you let the government know, you are not satisfied with their work.

    --

    Do you care about the security of your wireless mouse?
  4. Re:So what? by Zalbik · · Score: 4, Interesting

    How does this in any way matter? Even if the password _were_ encrypted, it's reversible encryption -- it _has_ to be. So they could just decrypt it, anyway.

    Wrong. It could be encrypted with a key that only the user knew. With proper key choices Google would have no way of decrypting.

    I know some people like to believe that if Google, the NSA, the Chinese or some other group really really wanted to, they could decrypt any encrypted information, even without the password.

    This is false. It is still infeasible for anyone to crack Triple DES info encrypted with a reasonable choice of keys.

  5. Re:Too much trust by PopeRatzo · · Score: 3, Interesting

    The data doesn't go DIRECTLY to NSA. It goes through their servers, see, and they get to bill for it.

    And if there is one thing that history has taught us, it's that if they're giving your passwords to the government, then they're also selling it to the highest bidder.

    I thought about that with the Edward Snowden/Booz Allen stuff. Now Booz Allen is a firm that, besides the government, has a lot of private clients that hire them to do the data upskirting. If they're collecting stuff for the NSA, how much are you prepared to trust that none of that stuff is also going to their private clients? I know if I was some evil company looking for your personal data, and Booz Allen was my consultant, I'd be expecting a little "benefit" from their relationship to the NSA, know what I mean?

    The ugliest part of the corporate/government intrusion into our personal lives and information is the fact that so much of it is being privatized to companies who also work for other companies and maybe other individuals who all have their own reasons for wanting your shit.

    --
    You are welcome on my lawn.
  6. Re:This is why I turned off backup by Anonymous Coward · · Score: 2, Interesting

    very sensitive things

    okay...

    like my wifi password

    dafuq?

    Look, this is a password that is literally only useful within a few hundred feet of your house. Assuming that you're not re-using it for anything else, what exactly is your exploitation story, here? If I tell you that my wifi password is "frobulate" (it really is!), what are you proposing that you can do with that information, given that I'm some anonymous asshole on the internet?