Android and its password problems open doors for spies
The data stored on Google servers when the "Back up my data" option is selected on an Android device includes Wi-Fi passwords in plain text format. This is not in itself news, but businesses in particular may wish to reconsider its implications in the light of the latest surveillance scandal.
The backup function is, at least on Nexus devices, activated by default, with no password of any kind required for the service. In Google's favour, it has to be said that it does make it clear what users are letting themselves in for, with the description of this function stating "Back up ... Wi-Fi passwords ... to Google servers". Tests by The H's associates at heise Security showed that after resetting an Android phone to factory settings and then synchronising with a Google account, the device was immediately able to connect to a heise test network secured using WPA2. Anyone with access to a Google account therefore has access to its Wi-Fi passwords.
Given that Google maintains a database of Wi-Fi networks throughout the world for positioning purposes, this is a cause for concern in itself, as the backup means that it also has the passwords for these networks. In view of Google's generosity in sharing data with the NSA, this now looks even more troubling. After all, the NSA does not restrict itself to combating terrorism, but is also on the record as having been involved in industrial espionage.
The risk that Google or NSA staff will park in front of Joe Bloggs' house and rummage around his home network may be marginal, but for businesses using single sign-on, the Wi-Fi password is often the same credential that unlocks company email and the VPN into the corporate network, so the Wi-Fi password becomes the gateway to everything behind it. And European companies are unlikely to be keen on the idea of this backup service, activated by default, allowing US secret services to access their networks with little effort.
Why a company as security-conscious as Google should have suffered such a lapse is somewhat inexplicable: the technique is hardly foreign to it. Google Chrome already offers the option of protecting the web passwords stored via its sync function with a passphrase known only to the user, so that Google holds only ciphertext it cannot read.
Apple shows that a more sensitive approach to backing up security-critical user data is possible. The iPhone stores Wi-Fi and other passwords in a "keychain". This keychain is also backed up to iCloud, but it is encrypted with a key that is hardwired into the device and cannot be read off it. Apple promises its users that neither Apple nor its suppliers have a copy of this 256-bit AES key. Consequently the passwords can only be restored to the same device from which the backup was made, as only this device is able to decrypt the encrypted keychain.
To migrate a backup, including all of the passwords, to another device, users have to make a local password-protected backup, the password for which likewise remains unknown to Apple. A quick test by heise Security confirmed that this procedure works as described in the iOS security documentation, at least insofar as the Wi-Fi passwords were not present after restoring to a second device from an iCloud backup.
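The two Apple paths and the Chrome passphrase option described above amount to one design rule: the party storing the backup should hold only ciphertext, with the key either bound to the device (restorable nowhere else) or derived from a secret only the user knows (restorable anywhere, but not by the provider). The following Go program is an added illustration of that rule and is not Apple's, Google's or heise's code; it stands in for the hardware-fused device key with 32 random bytes, uses AES-256-GCM and a hand-rolled PBKDF2-HMAC-SHA256 in place of the real iOS keychain formats, and the Wi-Fi password and device names are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models a handset whose hardware holds a per-device key that software
// can use for encryption but never read out. Assumption for this example: 32
// random bytes stand in for the fused hardware key.
type Device struct {
	Name string
	uid  [32]byte // never leaves the device; stand-in for the hardware key
}

func NewDevice(name string) *Device {
	d := &Device{Name: name}
	if _, err := rand.Read(d.uid[:]); err != nil {
		panic(err)
	}
	return d
}

// backupKey derives the cloud-backup key from the device key. Only this
// device can derive it, so only this device can decrypt its cloud backup.
func (d *Device) backupKey() []byte {
	mac := hmac.New(sha256.New, d.uid[:])
	mac.Write([]byte("keychain-backup-key"))
	return mac.Sum(nil)
}

// seal encrypts plaintext with AES-256-GCM; output is nonce || ciphertext+tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails the GCM tag check instead of
// yielding garbage.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("backup blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// CloudBackup is the iCloud-style path: the provider stores ciphertext under a
// device-bound key and holds no key material at all.
func (d *Device) CloudBackup(wifiPassword string) ([]byte, error) {
	return seal(d.backupKey(), []byte(wifiPassword))
}

// CloudRestore succeeds only on the device that made the backup.
func (d *Device) CloudRestore(blob []byte) (string, error) {
	pt, err := open(d.backupKey(), blob)
	if err != nil {
		return "", fmt.Errorf("%s cannot decrypt this backup: %w", d.Name, err)
	}
	return string(pt), nil
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256 for a single 32-byte block,
// written out here to keep the example dependency-free.
func pbkdf2SHA256(passphrase, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): block index of the first output block
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

const localIterations = 100_000

// LocalBackup is the password-protected local backup: the key comes from a
// passphrase only the user knows, so the blob restores on any device.
func LocalBackup(wifiPassword, passphrase string) ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(passphrase), salt, localIterations)
	sealed, err := seal(key, []byte(wifiPassword))
	if err != nil {
		return nil, err
	}
	return append(salt, sealed...), nil
}

func LocalRestore(blob []byte, passphrase string) (string, error) {
	if len(blob) < 16 {
		return "", errors.New("backup blob too short")
	}
	key := pbkdf2SHA256([]byte(passphrase), blob[:16], localIterations)
	pt, err := open(key, blob[16:])
	if err != nil {
		return "", fmt.Errorf("wrong passphrase or corrupt backup: %w", err)
	}
	return string(pt), nil
}

func main() {
	phoneA, phoneB := NewDevice("phone-A"), NewDevice("phone-B")
	const wifi = "correct horse battery staple" // constructed sample WPA2 passphrase

	cloud, _ := phoneA.CloudBackup(wifi)
	if s, err := phoneA.CloudRestore(cloud); err == nil {
		fmt.Println("same device restores:", s)
	}
	if _, err := phoneB.CloudRestore(cloud); err != nil {
		fmt.Println("other device:", err)
	}

	local, _ := LocalBackup(wifi, "user-only passphrase")
	if s, err := LocalRestore(local, "user-only passphrase"); err == nil {
		fmt.Println("local backup restores on any device:", s)
	}
}
```

The Android behaviour criticised in the article corresponds to skipping both `seal` calls and uploading `wifiPassword` as-is; the provider then needs no key to read it, and neither does anyone it passes the data to.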