Google Knows Almost All WiFi Passwords In The World

July 6, 2015 mitch tanenbaum Leave a comment

Yesterday, I beat up Apple. Today, I am beating up Google. I am an equal opportunity beater-upper.

When you buy an Android phone, it backs your junk to the cloud unless you go out of your way to tell it not to. That way if you lose your phone or buy a new one, all your junk can be restored by magic. If you are an Android user you may have noticed that when you buy a new phone and log in to Google, all your settings are restored, your apps downloaded, etc.

It turns out based on experimentation that this is stored in a way that allows Google to read those passwords.

OK, Now put on your tin foil hat.

Not only does Google have your home WiFi password, but also every other password that you have. This includes both your password for Starbucks WiFi as well as your office WiFi.

Multiply that by a 150-200 million new Android phones sold per quarter and that is a lot of WiFi passwords.

If the NSA asks Google for those passwords, they will give them up. They really don’t have a choice.

Although the option to back up your data to the cloud is on by default, you can turn it off. Of course, that means you are responsible for backing up your data.

However, if you gave a friend your WiFi password and your friend backs up his data to the cloud, Google still has it.

And when ARS asked Google if they could read your passwords, they avoided answering the question, meaning the answer is yes. If they could not, they would have said so. Here is their response:

Update: A Google spokesperson said in a conversation with Ars today that backup data is encrypted in transit from devices, and provided the following prepared statement from Google on the issue: “Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.”

Okay, you can take off your tin foil hat now.

By the way, you can replace Google with Apple every where it appears in this article. Sorry.

Source material for this article came from Computerworld and ARS Technica.