Android Leaks Location Data Via Wi-Fi
Bismillah writes: The Preferred Network Offload feature in Android extends battery life, but it also leaks location data, according to the Electronic Frontier Foundation. What's more, the same flaw is found in Apple OS X and Windows 7. "This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you've been, including homes ('Tom’s Wi-Fi'), workplaces ('Company XYZ office net'), churches and political offices ('County Party HQ'), small businesses ('Toulouse Lautrec's house of ill-repute'), and travel destinations ('Tehran Airport wifi'). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi."
Also according to the article. Somehow iOS manages to have reasonable Wi-Fi battery power without using this trick.
The headline also fails to mention that only manually configured networks are affected (or perhaps old versions of Android, I don't remember the details from the comments to the story about 6 months ago regarding the exact same "flaw" in iOS). This is why it is a BAD idea for security to turn off access point beacons - because if your access point is not sending out beacons to identify itself, then the clients need to send out connection requests blindly - wherever they are.
It's the scan of nearby networks bit where it needs to send out the WiFi networks it wants to connect to. That's why making your SSID hidden is a security anti-pattern. Tell the owners of the networks you connect to to stop doing it - anyone nearby can see all the clients making requests to join your network, so it isn't adding any security in your near vicinity, and elsewhere, others can still see your clients trying to connect to your network wherever they are, because to connect to hidden networks you have to go out and proactively look for them.
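An added example, not part of the original thread: the hidden-network behaviour the two comments above describe shows up in a client's saved-network list, so it can be audited there. The script reads a configuration in wpa_supplicant.conf syntax and lists the profiles with `scan_ssid=1`, the setting that makes the client probe for that SSID by name. The sample configuration is constructed and the function names are illustrative.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not taken from any real device).
SAMPLE_CONF = '''
network={
    ssid="Tom's Wi-Fi"
    psk="constructed-passphrase-1"
    scan_ssid=1
}

network={
    ssid="Company XYZ office net"
    key_mgmt=WPA-EAP
}

network={
    ssid="County Party HQ"
    scan_ssid=1
    key_mgmt=NONE
}
'''

NETWORK_BLOCK = re.compile(r"^\s*network\s*=\s*\{(.*?)^\s*\}", re.S | re.M)
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$", re.M)


def parse_networks(conf_text):
    """Return one dict of settings per network={...} block."""
    networks = []
    for block in NETWORK_BLOCK.finditer(conf_text):
        settings = {key: value for key, value in SETTING.findall(block.group(1))}
        ssid = settings.get("ssid", "")
        if ssid.startswith('"') and ssid.endswith('"'):
            settings["ssid"] = ssid[1:-1]  # quoted form; hex-encoded SSIDs are left as-is
        networks.append(settings)
    return networks


def directed_probe_ssids(conf_text):
    """SSIDs marked scan_ssid=1, i.e. sent by name in probe requests."""
    return [n.get("ssid", "") for n in parse_networks(conf_text)
            if n.get("scan_ssid", "0") == "1"]


if __name__ == "__main__":
    for name in directed_probe_ssids(SAMPLE_CONF):
        print("probed by name (hidden-network profile):", name)
```

Profiles it lists are the ones to delete or to have the network owner fix by re-enabling SSID broadcast.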
No, it doesn't "show you've spent enough time to use the wifi." For fun, grab an Android app called WifiCollector. On a 200-mile drive through three Eastern states a few weeks ago, it sniffed out over a thousand WAPs (most of them not open). Anyone using that to imply I was actually at any of those locations long enough to use the wifi is probably just about smart enough to work in a government intelligence job.
---------------------------------------
Rotate the pod, please, HAL....
It's marginally more relevant that Android does it. There are a lot more Android devices than portable Windows and OS X devices that actually move around. (That is, not even the full population of laptops is necessarily being moved from hotspot to hotspot; I know plenty of people that have laptops that stay at home and are just for portability around the house.)
Anyway, the headline is reasonably sensational, but not false, and the summary clarifies. I've seen a lot worse (bad headlines, worse summaries; etc.) pretty much everywhere that ever posts a headline.
To be a decent analogy, they'd need it affixed to something mobile, like their car, as well as to their house.
The point here is that the CLIENTS start broadcasting the string whenever they're not connected to Wifi. So his phone/laptop will be advertising where their owner lives whenever he's away from home with them.
If you still don't get it, it's like everyone in his family wearing a T-shirt that says "My home address is 123 Johnson Rd -- and if you're reading this, I'm probably not at home".
It makes burglary easy, and stalking as well.