Android: Google Silently Storing WiFi Security Data
April 21, 2011
When I bought a Motorola Xoom I noticed a ‘feature’ that consumers might appreciate but companies should be aware of, namely that Google apparently stores the wireless access point information including SSIDs and passwords from Android devices within the user’s Google account.
After I brought my new Xoom home, I realized it connected to my home wifi without prompting for a passphrase. This prompted me to investigate further. Sure enough, there on this brand new Honeycomb tablet were all the wifi networks I utilize including WPA2 passphrases. This tells me that my Android 2.2 phone has likely been sending this data up to Google all along but that it took seeing it on the new tablet to recognize this fact.
Apparently the setting on the phone to “Back up my data” (under Privacy settings) includes this information even though the description only says “Back up my settings and other application data.” I certainly did not recognize that my settings would include the security information for these wireless environments. It would be far better if Google had broken out the security information as a separate item that could be granularly backed up or not.
In a corporate environment this could be a real problem. I see two issues pop to the surface. First, if an attacker were to break into an employee’s Gmail account, they could potentially extract the keys to access your corporate wireless network as that employee. Second, when you terminate an employee, even if you recover their phone (should it be a company provided asset) they could have continued access to your wireless environment from a personal phone if their first one was synced with a personal Gmail account they continue to possess. Either of these scenarios is quite possible and potentially common, particularly in the SMB space.
Luckily, the defense against both of the above scenarios is the same. Wireless networks should absolutely be segmented, insulated, and monitored. Further, it may be appropriate to provide a second, internet-only wireless network for devices like smartphones to get outbound access while not being able to communicate at all with local IT resources. Finally, the access to the wireless network should have some sort of changing access method, whether that is monthly changes of a general passphrase or individual certificates that can be revoked when appropriate.
In a perfect world the vendor (Google) would provide the relevant security controls to allow users to control this type of behavior, and even better, they would enable them by default. Right now though you need to be aware and watch out for yourself.
Kerio Connect
April 19, 2011
Kerio Connect is an excellent Exchange server alternative, particularly in the SMB arena. The system’s Exchange compatibility is comprehensive, including Outlook support and ActiveSync support to keep your smartphones and tablets productive.
Connect offers a compelling value for the cost. Not only is the license very reasonably priced, the installation and maintenance of the system will cost a fraction of deploying a similar Exchange 2010 system.
I have already converted my email system to Connect, including Outlook 2010 and multiple Android clients. One of the clients I provide network management for has also already dropped their old email platform and moved to Connect.
Contact me today to find out how to get Efficient IT with Kerio Connect.
Tampa Area VMUG Meeting April 7
April 18, 2011
I recently attended the Tampa Area VMWare User Group 2011 spring meeting held April 7th at TechData in Clearwater. There were valuable user presentations from the Hillsborough County Tax Collector’s office and Tampa Bay Water on their virtualization implementations. Symantec and Wyse presented vendor segments. I found the Wyse live demo of their thin clients in a View environment to be very useful.
You can pick up all the presentations from the VMWare Communities.