Published May 18, 2011
Nearly every smartphone running the Google Android platform today is readily vulnerable to data snoops and cyberthieves, who can easily pluck information from them over ordinary Wi-Fi networks, German security experts discovered.
And as consumers increasingly rely upon their phones for banking, shopping, and storing photos, phone numbers and addresses of friends and relatives, flaws like this only underscore the lack of security on today's hottest gadgets.
"The reality is, you're carrying around a desktop computer in your pocket -- but there's no security like there is on computers," explained Dave Aitel, president of security firm Immunity Inc. and a former computer scientist for the National Security Agency.
And no smartphone comes with antivirus software, experts noted.
Android-based smartphones use security tokens to grant access to only certain bits of information on the phone, Aitel explained, such as the Calendar or Google Reader. The token for Gmail is encrypted; all other tokens are unencrypted, he said -- and they're incredibly easy to steal.
"The tokens are essentially keys that only unlock part of the house," Aitel told FoxNews.com. And because they're passed to Google servers unencrypted, a cybersnoop could easily swipe one while a consumer is surfing the web in Starbucks.
The crook could then use the token to log in to the victim's Google Calendar with complete access.
The “authtokens” last as long as two weeks, explained Florian Schaub, one of the computer scientists with Ulm University in Germany who identified the security problem. "An attacker can comfortably access these tokens" and then use them at his leisure, he told FoxNews.com.
Schaub said he and his colleagues were stunned that no one had uncovered the problem before.
"We were really surprised. Were we really the first ones to find this?" he wondered. The finding was even more alarming given that Google offers more secure ways to access its services.
"Google offers more secure ways of interacting with its APIs," Schaub told FoxNews.com -- it just didn't choose to use them.
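The weakness Aitel and Schaub describe above, and the more secure (TLS-protected) API access Schaub refers to, as an added example that is not from the article, Google or Ulm University: a small Python audit that flags captured requests carrying an auth token without TLS, plus a client helper that refuses to attach a token to a cleartext URL. The sample capture and placeholder token values are constructed; the `GoogleLogin auth=` header form is the ClientLogin format of that era, and the other prefixes are assumed common equivalents.

```python
from urllib.parse import urlsplit

# Header prefixes that identify a bearer-style credential. "GoogleLogin auth="
# was the ClientLogin header form the article's flaw concerns; the other two
# are assumed equivalents so the check generalizes beyond that one format.
CREDENTIAL_PREFIXES = ("GoogleLogin auth=", "Bearer ", "Basic ")


def credential_scheme(headers):
    """Return the credential type found in an Authorization header, or None."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            for prefix in CREDENTIAL_PREFIXES:
                if value.startswith(prefix):
                    return prefix.split(" ")[0]
    return None


def attach_token(url, token, headers=None):
    """Prevention: build request headers, but refuse to put the token on a
    cleartext URL so it cannot be sniffed on an open Wi-Fi network."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send auth token over cleartext: {url}")
    out = dict(headers or {})
    out["Authorization"] = f"GoogleLogin auth={token}"
    return out


def audit(requests):
    """Detection: list requests (from a capture of one's own app's traffic)
    that carry a credential without TLS. Each request is a dict with
    'url' and 'headers' keys."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        kind = credential_scheme(req["headers"])
        if kind and parts.scheme.lower() != "https":
            findings.append(f"{kind} credential sent in cleartext to {parts.netloc}{parts.path}")
    return findings


# Constructed sample capture; token values are placeholders, not real tokens.
SAMPLE_CAPTURE = [
    {"url": "https://mail.google.com/mail/", "headers": {"Authorization": "GoogleLogin auth=PLACEHOLDER_1"}},
    {"url": "http://www.google.com/calendar/feeds/default/", "headers": {"Authorization": "GoogleLogin auth=PLACEHOLDER_2"}},
    {"url": "http://www.google.com/reader/api/0/", "headers": {"authorization": "GoogleLogin auth=PLACEHOLDER_3"}},
    {"url": "http://www.google.com/", "headers": {}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```

Only the Calendar and Reader requests are reported: the Gmail request uses TLS and the last one carries no credential at all.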
Anup Ghosh, founder of security firm Invincea, called it "trivial" for a hacker to exploit the flaw.
"Is it hard to do? No, it's not hard to do," he told FoxNews.com, citing the hacker tool Firesheep, which at a glance reveals to a cybersnoop which consumers are browsing the Facebook platform through open, unencrypted connections. Similar tools could readily be built, he explained.
Experts noted that the problem doesn't affect Apple's iPhones, which don't rely upon communication with Web-based servers as heavily as Google's platform does.
Google claims the problem is fixed in the latest version of Android, version 2.3.4 -- but 99.7 percent of all Android devices are running older versions, the researchers found. On Wednesday a Google spokesman told FoxNews.com it will soon release a patch to the company's servers that will fix the problem for all its phones.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a company spokesman said. "This fix requires no action from users and will roll out globally over the next few days."
The company's quick action only underscores the larger problem: Until an individual smartphone is patched by the phone's manufacturer or carrier, that phone will be vulnerable to attacks. Security is a large problem with today's smartphones: Who maintains the operating system and fixes flaws?
"There are as many different versions of Android as there are handsets or tablets," Ghosh noted. And even when there's an update for a security hole, a phone will only get it if the carrier supports that update -- or Google changes how its servers operate.
"It's getting very fractured, and I think it's going to come back and bite them," he told FoxNews.com.
Aitel agreed, noting that individual consumers aren't able to upgrade their own phones with Google's latest operating system patches.
"And this is true for all Android vulnerabilities," he told FoxNews.com.
Google has recently unveiled a program to address fragmentation in the Android phone market, but adoption of that platform hinges upon the cell phone carriers, a group traditionally slow to adopt such technologies.
"I'm sure in 2015, that'll be something that we see," Aitel joked. But in the meantime, as the market for smartphones increases, this type of issue will only get worse, Ghosh said.
"People are just beginning to exploit these phones," he told FoxNews.com. And this latest security flaw is only the beginning.
"You're going to see a steady drip of these," he said.