WiFi can cause all kinds of problems. For airlines it leads to customer support nightmares in which every other tweet is a complaint about less-than-perfect connections; for coffee shops it leads to the establishment of virtual offices by freeloading reporters willing to work anywhere with an Internet connection and some form of caffeine. But perhaps the biggest problem is the fact that the way people connect to WiFi networks leaves their personal information exposed.
The latest example of this problem is the revelation that Android smartphones, in an effort to conserve battery life, inadvertently share their owners’ location history by broadcasting the name of every WiFi network the device has accessed. This flaw affects newer Android devices, and the only ways to prevent a device from broadcasting the networks to which it has previously connected are to disable the feature or to force the device to “forget” old WiFi networks after it has disconnected from them.
The Daily Dot explains how sharing the names of these WiFi networks can undermine privacy:
Depending on the names of the Wi-Fi networks you’ve connected to, this information could reveal locations you often visit—like “Tim’s home Wi-Fi” or “Caribou coffee Internet.” That data can be used to learn a user’s daily routine, determine when they’re away from home, or a variety of other worrisome details.
Google told the Electronic Frontier Foundation that it is “investigating what changes are appropriate for a future release” of Android — it’s worried that nixing the feature entirely might “affect user connectivity to hidden access points” — and until it’s fixed there will be a fundamental flaw in the way Android smartphones connect to WiFi networks. Consumers will have to choose between the convenience of having the smartphone search for WiFi networks and the security of preventing the device from sharing every WiFi network they’ve ever used.
Yet Google isn’t the only company to accidentally introduce a security flaw into its products for the sake of convenience. Ars Technica reported in June that attackers can spoof WiFi networks to access someone’s personal information, and that the ubiquity of free networks from AT&T and Comcast makes it easier for those attackers to infiltrate their target’s smartphone:
This is not to say that AT&T’s and Xfinity’s networks are insecure in themselves. They are just common enough to give someone with evil in mind a way to cast a wide net for potential victims over Wi-Fi. The same tools I used to spoof Xfinity could be set to automatically respond to a victim’s phone as any Wi-Fi access point they’ve trusted. That’s because of the probe requests generated by smartphones and Wi-Fi—when you turn on your phone’s Wi-Fi adapter, it will seek out any network you’ve ever connected to that it was not told to forget.
Neither of these problems was introduced on purpose. They’re accidental byproducts of features meant to help people connect to WiFi networks they know and trust (in Google’s case) or access WiFi networks while traveling (in AT&T’s and Comcast’s) and remove some of the hassle of connecting to WiFi networks the old-fashioned way. But that doesn’t change the fact that consumers are trading their security for the sake of convenience — and that unlike their decision not to use a passcode on their smartphone or to use the same password for every site they visit, they’re doing so without knowing that they’re putting themselves at risk.
[illustration by Brad Jonas for Pando]