[AusNOG] Android storing SSID and WPA encryption keys
kauer at biplane.com.au
Thu Jun 16 21:36:16 EST 2011
On Thu, 2011-06-16 at 11:02 +0000, Bevan Slattery wrote:
> this stage] it would appear that many personal and enterprise WPA keys
> now get stored in Google's cloud most likely without their knowledge
> or consent. Am I the only one that thinks there's something wrong
> with that concept?
I have no problem with the storage. I would not trust Google with
unencrypted data myself, but that's a call others obviously make
differently. But I DO have a problem with Google making such data
available to others without the owner's consent.

But does Google make them available to others? That blogger's story
simply doesn't ring true - he's forgotten something somewhere, unless
(as one commenter pointed out) the Android phone acquired the keys via a
back channel or had them stored locally.

The latter seems extraordinarily unlikely to me. The list the blogger
mentioned was not nearly long enough to be some kind of global
mega-list, and how would the shorter list, personally relevant to him,
have been generated and stored on the phone? Nope, I don't think so.

His Android seemed to acquire keys relevant to him, personally. That
makes me think that maybe he was just getting keys fed back to him that
he had already acquired legitimately and stored in the cloud. That is,
his keys were not going to others, and others' keys were not being given
to him. That would be way less of a problem.

But the question still remains - how did the phone acquire anything when
it was not connected to the 'Net? Given that it's a phone, there would
seem to be several possibilities - SMS, for example.
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156