Researchers at the German University of Ulm have discovered that all Android devices up to version 2.3.3 posses a security hole in Android’s authentication protocol known as ClientLogin that leaves personal credentials vulnerable to attack. Should you panic? Should you set your Android device ablaze and run to the safe and secure arms of Apple, Microsoft, or RIM? No, you shouldn’t. It’s great that researchers have found such a security flaw because it raises awareness and will make Google rush to send out a fix. However, all mobile devices are easily open to attack because security over wireless airwaves is virtually nonexistent. No matter what phone you use, any hacker can easily grab your data over the air as you transmit, encrypted or not. Take a trip down memory lane to Defcon in the summer of 2010 where infosec consultant Chris Paget demonstrated how ridiculously easy it was to pull information from people’s phones, straight from the air. GSM uses a very outdated encryption method that has been cracked for quite some time now. If we take the entire population of human beings on earth, 67% are mobile subscribers or approximately 4.6 billion people. Out of those 4.6 billion almost 80% use some variant of GSM with their mobile phones. So roughly 3.7 billion people are chatting, texting, and emailing away on their devices with virtually no security from hackers. If you own an iPhone, you’re just as screwed as the 99% of Android users.
Google will definitely plug up this security loophole, as it isn’t the first time it’s had to deal with such a thing. However, no matter how many loopholes Google or any other mobile manufacturer patches, it won’t matter much unless the actual backbone of mobile telephony is overhauled with a better security system. Apple devices, for instance, tout that all data on the phone that gets transferred is encrypted, but in June 2010 over 100,000 iPads were hacked by taking advantage of the crappy GSM network security via a SIM card’s ICCD number (which is printed on the damn box your SIM card came in). With digital communication slowly distancing itself from the landlines and into the airwaves, you’d think the GSMA would get their act together and do a complete overhaul of their security backbone. Again, it’s nice that the researchers found a hole in Android, but patching it up is like putting a band-aid on a bullet hole. So if you see an unmarked van outside your house with antennae on its roof, it’s probably some hacker using a fake GSM base station to trick your phone into sending all of its transmissions to it instead of your carrier’s base station. Or it could have something to do with your residence having a red square on it at FamilyWatchdog.us.