The Electronic Frontier Foundation (EFF) claims to have discovered a severe privacy flaw in devices running Google's Android operating system which can allow an attacker within Wi-Fi range to retrieve a list of the last fifteen wireless networks to which the device was connected.
The EFF has warned that selected devices running Android 3.1 Honeycomb and above leak a list of previously-connected Wi-Fi networks, a serious breach of privacy.
The privacy group has published the results of testing which it claims shows that Google's own-brand Nexus hardware plus selected third-party devices transmit up to fifteen Wi-Fi network names to any nearby Wi-Fi access point - even when the handset is disassociated and the display switched off.
'These [network names] frequently identify places you've been, including homes (“Tom’s Wi-Fi”), workplaces (“Company XYZ office net”), churches and political offices (“County Party HQ”), small businesses (“Toulouse Lautrec's house of ill-repute”), and travel destinations (“Tehran Airport wifi”),
' the group claims in a blog post
written by Peter Eckersley and Jeremy Gillula. 'This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi. Normally eavesdroppers would need to spend some effort extracting this sort of information from the latitude/longitude history typically discussed in location privacy analysis. But even when networks seem less identifiable, there are ways to look them up.
The group's research suggests that the behaviour causing the leak was added in Android 4.1 Honeycomb as part of a power-saving mode called Preferred Network Offload. Its research shows that the flaw is present in devices including the Google Nexus 4 and Nexus 5 handsets using both official and the CyanogenMod third-party firmware files, the HTC One, the Motorola Droid 3 and Droid 4 handsets, and the Samsung Galaxy Nexus. Interestingly, the Samsung Galaxy Mini, Galaxy S3 and Galaxy S5 were not found to leak network names.
In a statement to the EFF, Google confirmed the flaw but warned that resolving the issue could be troublesome. 'Since changes to this behaviour would potentially affect user connectivity to hidden access points,
' a spokesperson explained, 'we are still investigating what changes are appropriate for a future release
.' Later that day, however, a Google engineer posted a patch to the wpa_supplicant open-source project - used by Android to handle wireless network connectivity - which resolves the flaw, suggesting that a future Android release will include a fix.
For now, the EFF is advising users to disable the 'Keep Wi-Fi on during sleep' mode of their handsets, but warns that data can still be leaked if a connection to an access point is interrupted and that at least one handset on test - a Motorola Droid 4 running Android 4.1.2 - continued to leak the data even with sleep connectivity disabled.