A new article published on The Register reports that 99% of Android devices are vulnerable to an attack that gives the hacker access to the digital credentials the device's owner uses to reach their calendar and other sensitive information stored on Google's servers. The vulnerability stems from an improper implementation of the authentication protocol known as ClientLogin: in Android versions 2.3.3 and earlier, this implementation sends the authentication token in clear text, and since most tokens are valid for 14 days, this gives a hacker a window of that length to gain unauthorized access to the account.
The method used to steal the tokens is a common one. A hacker sets up a WiFi network as an "evil twin" of a well-known network, such as “T-Mobile”, “attwifi”, or “starbucks”. Devices configured to automatically join these networks (usually a bad idea) will connect to the evil twin and begin talking to their usual services (such as Google Calendar sync). The device then sends its authentication token over the hostile network, where it is captured by the hacker behind the evil twin.
If you are an Android owner, you can protect yourself from these hacks by:
- Upgrading your Android device, if possible, to version 2.3.4 or later.
- Removing the automatic connection to well-known networks.
- Immediately switching to encrypted (https) channels to access your services.
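To see why the third step matters, here is an added example (not from the article or from Google) of the check a network defender can run over captured HTTP requests: it flags any request that sends an Authorization header over plain HTTP, and recognises the `GoogleLogin auth=` form the ClientLogin API used, while redacting the token so the finding itself does not re-leak it. The sample requests and token values are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of requests as seen on a wireless capture:
# (transport, raw HTTP request). Token values are placeholders.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("http",
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAPLACEHOLDERTOKEN1\r\n\r\n"),
    ("https",  # same token, but TLS-protected: not exposed to an evil twin
     "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAPLACEHOLDERTOKEN2\r\n\r\n"),
    ("http",   # plain HTTP but no credential: nothing to flag
     "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

CLIENTLOGIN_RE = re.compile(r"^auth=(\S+)$")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into its request line and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def redact(token: str, keep: int = 6) -> str:
    """Keep only a short prefix so findings can be logged safely."""
    return token[:keep] + "..." if len(token) > keep else "..."


def find_cleartext_tokens(requests: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per request that carries a credential over plain HTTP."""
    findings: List[Dict[str, str]] = []
    for transport, raw in requests:
        if transport.lower() != "http":
            continue  # encrypted channel; an evil-twin AP cannot read the header
        request_line, headers = parse_request(raw)
        auth = headers.get("authorization")
        if not auth:
            continue
        scheme, _, credentials = auth.partition(" ")
        match = CLIENTLOGIN_RE.match(credentials.strip())
        is_clientlogin = scheme == "GoogleLogin" and match is not None
        findings.append({
            "host": headers.get("host", ""),
            "request": request_line,
            "kind": "ClientLogin token" if is_clientlogin else "other credential",
            "token_prefix": redact(match.group(1) if match else credentials),
        })
    return findings
```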