Storm brewing as security experts reckon that Google knows nearly every Wi-Fi password on the planet

September 16, 2013

[Image: Google storing Wi-Fi passwords]

If you look to the Android security horizon you will see a storm brewing about Wi-Fi passwords. It has been brewing for a while and it may soon turn into a hurricane. Back in 2011 blogger Donovan Colbert discovered that when he configured his Google account on his brand new Android tablet, the device magically knew all the Wi-Fi passwords he had used on other Android devices. Further still, Android automatically connected the tablet to the nearest network, which happened to be at his place of work.

It took a while, plus the Snowden-NSA scandal, for people to start to realize what this meant, and during this summer trouble started for Google. It seems to have begun with the University of Passau in Germany, which told its students and staff to turn off Android backups because Wi-Fi passwords were being sent to a third party (Google). Shortly afterwards the online community started to realize the extent of the problem. Google has been driving its Street View car around the world, and Android (and also iOS) uses crowdsourcing to let mobile devices get an approximate location fix from visible Wi-Fi networks, so Google has a map of just about every Wi-Fi network in the world. Because Android devices also send their Wi-Fi passwords to Google as part of the online backup, Google (or the NSA) can pinpoint a network and find out its password! By August of this year the Electronic Frontier Foundation (EFF) had picked up on what was going on and called on Google to act fast to restore user trust.

Google seems to have made only one statement about this whole sorry affair via Ars Technica:

Our optional 'Backup my data' feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.

It is clear from Google’s statement that the data is sent back and forth over a secure link, but it is Google who encrypts and decrypts the data using a key that is not related to a user’s credentials. This means that Google can decrypt this data at will.
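The consequence of who holds the key, as an added example that is not code from the article or from Google: it contrasts a backup sealed with a provider-held key against one sealed with a key derived on the device from a user-only passphrase. The stream cipher is a standard-library stand-in for a real AEAD such as AES-GCM, and the class names, the sample Wi-Fi record and the passphrase-based alternative are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of what a Wi-Fi backup record might contain.
SAMPLE_WIFI_CONFIG = b'ssid="ExampleHome" psk="constructed-sample-psk"'


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), standing in for AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; returns the record a server would store."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(key: bytes, rec: dict) -> bytes:
    """Verify the tag, then decrypt; a wrong key fails the tag check."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("wrong key or modified record")
    ks = _keystream(enc_key, rec["nonce"], len(rec["ct"]))
    return bytes(c ^ k for c, k in zip(rec["ct"], ks))


class ProviderKeyedBackup:
    """Key custody as the article describes it: the service holds the key."""

    def __init__(self):
        self.service_key = secrets.token_bytes(32)  # never leaves the provider
        self.stored = {}

    def upload(self, account: str, data: bytes) -> None:
        self.stored[account] = seal(self.service_key, data)

    def provider_read(self, account: str) -> bytes:
        # The provider has key and ciphertext, so no user secret is involved.
        return unseal(self.service_key, self.stored[account])


class ClientKeyedBackup:
    """Alternative: the device derives the key from a user-only passphrase."""

    def __init__(self):
        self.stored = {}  # the provider sees only salt, nonce, ct, tag

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

    def upload(self, account: str, data: bytes, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        self.stored[account] = {"salt": salt, **seal(self._derive(passphrase, salt), data)}

    def restore(self, account: str, passphrase: str) -> bytes:
        # Anyone holding the record can still guess passphrases offline,
        # so this is only as strong as the passphrase itself.
        rec = self.stored[account]
        return unseal(self._derive(passphrase, rec["salt"]), rec)
```

In the first model encryption at rest protects against outsiders but not against the key holder; in the second the stored record is useless without the passphrase.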

What does it mean?

Before the extent of the NSA’s spying activities was revealed by Snowden, the fact that Google stored your passwords was a risk, but maybe an acceptable risk. Google, it seems, goes to great pains to encrypt the private information it stores on its servers. If Google had the right access procedures in place, the chance of some crazy Google employee trying to get the Wi-Fi password of a neighbor’s network so he could stalk them was very small. But since Snowden we have all discovered that the NSA routinely and regularly requests copies of private digital information from the likes of Google, Yahoo, Microsoft and Apple. Because of the current laws in the USA, these companies are forced to comply and aren’t allowed to tell anyone what happened.

It means that the American government can gain access to millions of Wi-Fi networks across the world. All they need to do is send an agent to go stand near the access point and they are in, free and easy. Homes, schools, universities, shops and businesses are all at risk.

What can you do?

The first step is to deactivate the “Back up my data” option on every Android device you own. Since Android 2.2 this service has been activated by default and it is likely enabled on your device without you actually realizing what it is doing. It can be disabled on Android 2.3 devices under Settings, Privacy. For Android 4.x it is found under Settings, “Backup and reset”. According to the statement that Google gave Ars Technica, when you disable this service the data will be deleted from Google’s servers.

But… that isn’t the only thing you need to do. Have you ever given your Wi-Fi password to a friend or guest who came to your home or business and wanted access to the Internet? I guess you probably have. If they used an Android device then the same Wi-Fi data is being sent to Google via their device as well.

So, first you should tell your friends and guests to read this article, but then you should change your Wi-Fi password. You should consider setting up a second Wi-Fi network (many routers can broadcast two networks) with a temporary password which you change frequently. This won’t affect the way you access your Wi-Fi, but guests will need to reenter the password from time to time (depending on how often you change it).

What do you think? Will you be de-activating this service on your Android device?

Comments

  • Grman Rodriguez

    Ooh they have my Wifi password Pichai is gonna come to my house and steal my Wifi
    I think the security issue is getting too old, people worry too much. So what if Google knows what my password is? Or even what I search? As long as I’m not a terrorist buying nuclear bombs or watching porn I’ll be just OK…

    • M3D1T8R

      You seem ignorant of the implications. I’ve always liked and dare I say “trusted” Google a lot more than others (I have no FB account because the opposite is true), but this isn’t good, especially considering what the NSA has been shown to be capable of. “What’s wrong with the government watching you if you aren’t doing anything wrong” is a dangerous argument.

      • Grman Rodriguez

        Ok, I know what you mean by saying “I’m not doing anything wrong” is dangerous (but I don’t live in the US so whatever :D) what is the problem if they know my wifi password?

      • GavinAyling

        Agreed, but as I have a Windows laptop on my network, surely that’s been uploaded by Microsoft anyway?

        • Amadeus Klein

          Absolutely, plus every app you install, browsing history, in short everything you do on your pc or Mac is collected by the company that created your OS.

      • Riki Sutton

        I can understand if you don’t want your government collecting your personal information, but a WiFi password is a little different. The whole point of a WiFi password is to stop your pesky neighbour from stealing your data or changing the channel on your TiVo. If your WiFi password is different to your other passwords, there really isn’t a lot they can do!

        • http://www.garysims.co.uk garysims

          If you think this is about someone stealing your Wi-Fi connection then you don’t understand anything about networks.

          • Riki Sutton

            I actually do know quite a lot about networks. I have done several university papers on protocols and security. This case really is about Wi-Fi connections and fear mongering.

            If you’re worried about privacy, then don’t use the internet. Absolutely nothing is 100% secure on it

      • Amadeus Klein

        If you are online you have no expectation of privacy, even when encrypted, the internet is an open network, which means every government is capable of watching you, America got caught, but every major govt is doing it, And what you’ve heard about is small, honestly if you are worried about being watched you have to unplug, no internet, no car, no public transportation, no banks, no job, in fact no owning anything requiring a title… all those things expose you to being watched… We no longer live in a society where privacy is an expectation sadly…

      • Paul Taylor

        Yes but the whole point of the article – assuming the risk to be real – is that genuine safety is just a checkbox away. So it’s not all bad.

  • The Jeffrey

    Hopefully someone will remember my Wi-Fi password because I never do.
    Oh nooooooooo. Don’t steal my Wi-Fissss! The NSA already knows everything about me. What’s one more thing? Meh.

    • EvenInTheDarkestHour

      The NSA should open a subscription based One-Stop-Shop ultimate help desk. Think of the potential income…covering everything from “what’s my pass code for…” to “where was I going three weeks ago Thursday at 3:21a.m….” lol

  • w00t

    the whole password thing is bad. i have a very secure password, but changing it (every few months) is a hassle to deal with and to remember a new password every time. but let’s say i registered on a forum and used my google account password because it’s very long and secure. after a while that forum database got hacked and now there’s a chance my google account is compromised. and we all heard about Quantum Computers and that they can hack 128bit-256bit encryption etc.. i mean our world is built in transparency, so trying to protect ourselves as individuals is wasteful thinking. if we feel comfortable buying services from dozen different companies nothing is gonna change. we can’t trust a company when profit is the only motivating source. if we can establish local (community) services that we fully control between us and the companies we can sure as hell make better deals (if we are let’s say 10,000 people united under a common goal) with the companies, and get better security as well. we can’t change our life for the better if we don’t worry about the people around us, that’s the law of the new world, this is what shakes the grounds of the old world.

  • marksyzm

    Great work firing up the tin foil hat brigade with this article.

    • rplm_18

      wow honestly I’m surprised with lot of ignorant comments here..

      Security is Only as Strong as the Weakest Link.

      • MasterMuffin

        Change your password and disable backup. Done :)

    • Gilles LeBlanc

      Yea exactly

  • Amadeus Klein

    Wow fear mongering much? Google is evil! The nsa is evil! Guess what, the nsa could do everything you fear by itself, without Google… They have probably done things worse than you could imagine, but we’re scared because they can see our wifi password? Please, let’s get real, yes Google is a data company, if you’re suddenly that scared go to Apple and then they can do it to you too, just secretly… Ever heard of Apple backup?

    • Paul Taylor

      I misread that at first, I thought you said “the nsa and Google employees might steal my WIFE next time they come to town….” :-)

      • Amadeus Klein

        Love it!

      • http://www.garysims.co.uk garysims

        You had me worried there for a second, I double checked and it doesn’t say that!!!! :-)

        That would have been a classic spell checker auto-correction error!!!!

      • EvenInTheDarkestHour

        “Take my wife…please”

    • http://www.garysims.co.uk garysims

      If you think that this is about someone surfing the net via your Wi-Fi connection then you don’t understand anything about networks.

      • Amadeus Klein

        I am aware that it is more than just that, but the argument that having a corporation or government knowing my WiFi password is somehow making me less secure is a joke, If you have WiFi and you connect even a single device to the internet from that network then you are just as vulnerable as having given the password to them.

        Not to mention the fact that no matter how secure you think your WiFi is, enterprise level, Wep, WPA, WPA2, Having a 100 digit key, whatever, it doesn’t matter it can be hacked obscenely quickly Even with Mac ID security, Talk to any network security expert, WiFi by definition is not a secure method of creating a network. WiFi offers Convenience, but not real security except from nosy neighbors…

        That said my point was to show that essentially that is the only thing that is different from them getting it from a database or getting it from hacking it…

        For a truly secure network it needs to be wired with lead and steel shielded cables and not connected to the internet. (Even then it isn’t foolproof.)

        • http://www.garysims.co.uk garysims

          The issue isn’t about the Internet, it is that once someone has access to a Wi-Fi connection (by any means including hacking, stealing, lawyers or social networking) then all the computers on that network become exposed even if they are not connected directly via Wi-Fi.

          • Amadeus Klein

            I think we are in agreement there, fundamentally it isn’t about internet use, but 99% of the world that uses WiFi use that WiFi connection to connect to the internet, 1% who use a WiFi network as an unconnected private network are the only exception…

            Sadly, in this day and age if you connect your smart phone (or any device really) to the internet while on a WiFi network with other devices (Internet connected, not, wired or wireless, it doesn’t matter) they become vulnerable, as it is simple for a hacker to hijack a device and use it to hijack every other device on a network…

            That said yes, the NSA could get the info from google, come to your house and hack every device you own, or more simply they can use the single device you have connected on that wired or wireless connection to the internet and hijack it from the comfort of their offices…

            Basically I’m saying that the only thing new (I.E. thing they can’t already see/do) they would have access to is your internet bandwidth at your location…

            If you have a PC, Mac, Desktop, laptop, Tablet, Phone, iPod, whatever, and you use it wired or WiFi and have an internet connection feeding that network, Corporations or Governments having that WiFi password is a moot point when it comes to government surveillance. Google doesn’t need to hack us, they already have our lives in a database, Google goes down for 5 minutes and worldwide internet traffic drops between 40-60%, that is a very telling statistic.

          • http://www.garysims.co.uk garysims

            Amadeus, I am sure we are on the same page but my thinking goes like this:

            If you have a device like a ReadyNAS or FreeNAS providing network attached storage on your LAN, it doesn’t access the Internet, the data stored on it doesn’t fly around the world for the NSA to sniff, it only works on your LAN. But once an attacker has access to your Wi-Fi they have access to your LAN and then access to your NAS.

            Absolutely nothing to do with web traffic. This is true with and without an Internet connection

          • Bradley Uffner

            If you think that not having your WiFi password is going to stop the NSA from reading your NAS if they want to then you haven’t been paying attention.

    • APai

      not nearly. USA has much of the data centers in the world or their companies have access to the data of most people/ private companies like NO OTHER COUNTRY. like it or not, USA has had unlimited access to everyone’s most personal data (despite the big four’s assurance). and all that will change. USA’s preeminent position is about to change. the internet’s loosely based nature is about to change because of what NSA did. but it’s a slow long term process. the whole security industry located in the USA will now be distrusted. this is not fear mongering.

      conventional spying and what NSA did is completely different. the other governments not spying on this scale will now be motivated to do something similar on the scale USA has done. and btw wasn’t it US that declared that online disruption of services is akin to an act of war ? so did USA just wage world war 3 ? (especially since the official word was “oh, US citizens need not worry, we just spied on ALL foreigners” – even those who weren’t remotely interested in USA)

  • Roberto Tomás

    the advice offered is just fine. for advanced users, what you really need to do is properly configure Wi-Fi security to use a combination of MAC address and wifi password — at least that way someone would have to steal your previous tablet to pose as your next one.

    obviously google, etc, shouldn’t be intentionally backing up password data, even for wi-fi networks. but this isn’t so much google’s fault — a properly configured password based secret should not be stored on disk, rather in one’s pocket. the whole standard is screwed.

    • Perv Bear

      Yes they would have to steal your tablet… And be within range, and if you are stealing your neighbor’s tablet…. And sticking on their WiFi…. Enjoy jail.

    • http://www.garysims.co.uk garysims

      MAC addresses can be very easily spoofed.

      • Roberto Tomás

        this is true, but I don’t imagine that Android will automatically back-up a MAC address.

  • Balraj

    I doubt Google can protect data from nsa
    But knowing our Wi-Fi password without our knowledge is bull****
    Nyways the worst thing is, we can’t do anything bout it other than above mentioned solution…
    Hell…what more is Google hiding from us???

    • Bradley Uffner

      Google didn’t hide anything about this. It’s right there in the description of the functionality in Android. It tells you exactly what it’s going to do.

      • http://www.garysims.co.uk garysims

        Yes, but the recent Snowden revelations have informed us about how much the NSA is taking from companies like Google. So the less data Google has of mine the less it can give to the NSA. Simple.

        • dNj

          Who we need to fear are the upstream providers. Comcast, Verizon, AT&T. These companies have no qualms handing over customer data. People bitch about Google, FB and Twitter but these are new/modern web companies that can’t survive if customers can’t trust their service. On the other hand you have old school companies like the ISP’s, who truly don’t give a F about customers. Verizon doesn’t even care about providing Android security updates, so why would they care about protecting a customers data from the government.

      • Balraj

        There is something called as faith..that’s y none of us read “I agree term n conditions” n check out blindly n submit
        Lost faith in them..ofc other tech companies might be like Google but faith is faith..not everybody reads tech news..only a few thousand do that…what bout others who have zero clue???
        Just my opinion..not fair

        • Bradley Uffner

          This wasn’t hidden in a 1000 line EULA, or even in a wall of text. It’s right there, in plain sight, in the title of the settings item. Just look at the screenshot at the top of this article. It literally says that it will back up your WiFi passwords to Google’s servers right there in the fifth word of the single sentence that makes up the setting.

          • http://www.garysims.co.uk garysims

            This service is activated by default and I would suggest that many Android users don’t know it was activated by default and don’t know what it is doing. You need to go hunting around in the settings menu to find the help text. It isn’t obvious to many Android users who have probably never even opened that part of the Settings menu.

          • Bradley Uffner

            Nope. The exact same question pops up during the initial installation walk-through. It IS checked by default, but you have to go through the question, and have a chance to change the setting, before the walk-through completes.

          • http://www.garysims.co.uk garysims

            Yes, a good point but during the haste of initial setup how many people will thoughtfully consider the implications of what that question means.

            Hopefully with this issue now getting a higher profile, users will be better informed about the implications.

          • Southall87

            Anyone who blindly clicks next next yes OK I agree, without reading a single bit of it, doesn’t care about their privacy. Or if they do then they are downright stupid!

          • Balraj

            I just saw that…I use mobile to check AA so didn’t see that…
            My new question is, is it necessary?? N also do you think ppl like nsa have no link with Google?

          • Bradley Uffner

            Personally, I like having all my WiFi passwords saved and restored like that. It makes switching ROMs and setting up new devices easier for me.

            I think that Google tries very hard to keep the NSA out of their records, and when they do have to let them in they try to disclose that it happened.

            I think that if the NSA wants to get into my network then not having the WiFi password isn’t going to stop them. They will either get a warrant, or just sneak in and get what they want without it.

  • Paul Taylor

    My router is set up to only allow specific devices in – probably not foolproof, but perhaps another tool in the kit. As for Google – IMO they are bigger than the NSA. From now on they should speak up every time they get a request from the NSA. What’s the worst that could happen? Is the US government really going to allow its worldwide reputation to be slaughtered by disrupting Google’s services around the globe? It would be THE END of American technology being used anywhere outside the USA.

  • End in sight

    Yeah, but by turning off this functionality, you as the user lose out… Especially if your phone breaks and you need a new one quickly.

    The only reason to do this is because you don’t want spying governments to target you. With all the problems and need for security, it pisses me off that this is the world we live in. Especially after what Marissa Mayer at yahoo said the other day about going to jail if you don’t comply. What the h@ll guys? When did we say that a government has the right to send Larry Page to jail if he tells me (after the fact) that the govt came to him and asked to see my gmail account? Let’s fix this crazy setup with some major reform. People rule government, not the other way around…except in communism.

  • Perv Bear

    This affects no one… NSA can already crack your WiFi if they need to spy. Plus they are already getting your traffic. And if you’re super afraid you wouldn’t use WiFi which anyone can already snoop, I have WiFi, even have a Pass to easily add devices. It’s lolwut in case anyone was wondering, now come to my apartment and spy on me NSA or anyone else really.

  • Blobfish

    Passwords just keep casual users from using your service if the government really wants to hack you they will I can’t see a problem with this… Tin foil hat on..

  • APai

    the spectre of NSA being a super big brother is truly appalling. NSA has absolutely no justification doing what it’s been doing. even TSA is the same. and for the NSA apologists – without opposition to government intrusion, we might come to a day when if you do not hand over all your info – you might be an automatic suspect. apparently, that’s not needed with a bit of co-operation from private companies (banks, ISPs, email/ social networking guys)

  • Pradeep Viswanathan R

    Why is it that Android Authority is digging into a 2 month old story right now?

    • http://www.garysims.co.uk garysims

      Actually this has been an issue since 2011 but the recent Snowden revelations have brought this to the front again.

      Also we are not digging, we are trying to inform.

      • Pradeep Viswanathan R

        i am sorry but it’s too late and seems like an act to get some press.

  • EvenInTheDarkestHour

    If you are worried about Google (or MS, iOS, etc.) knowing your personal information…don’t give it to them. Of course, that also means you can’t use the internet or mobile (frequency shopping cards, credit or debit cards, atm’s, any type of quick pass, ad infinitum), but whatev…go live in the wild. lol

    • http://www.garysims.co.uk garysims

      And don’t you think that it is a real shame that the only viable option is what you say, go live in the wild. Is it impossible to imagine an online world where my privacy rights are protected???

      • EvenInTheDarkestHour

        It’s how the thing works online. The problem, as I understand it, isn’t so much others snooping, as it is that when online, we are broadcasting. With most of the goings on online being of a consumer nature, a method of identification is essential. And that requires some type of tracking and verification.
        As far as the other marketing based items I listed, we freely, eagerly, ask to be a part of a data base that tracks all of our habits (travel, purchases, wish lists, etc.), and then we get upset when we find out that they are doing just that.
        I’m not saying that I particularly like it, but it is a thing that happens when we exercise certain behaviors.

        And…I didn’t down vote you. I don’t like it when someone down votes a comment, and doesn’t bother replying.

  • Phill

    It’s not very difficult to hack into a wifi… I don’t see any reason why the NSA would bother Google for a wifi password that’s only protected by a password as opposed to more secure forms of networking… I’m all for better network security and privacy, but trying to control who has your password backed-up where isn’t entirely viable imo

  • Bjajjull

    I like this feature. You don’t have to write in any WiFi passwords on a new device and it’s also synced between devices.

  • Cliffon

    Nooo…i put my credit card details on Google Wallet. I hope they don’t steal my money /s

  • tottyrice

    it’s funny when i read comments on here where ppl say the ones that question their government are crazy, etc… tell that to the jews when their government started coming for them. there’s plenty of examples in recent history round the world where the government/new government turned against its ppl: Russia, China, Cambodia, North Korea, Burma, Egypt, Syria, etc… word to the wise: never trust your government, even how good things may seem.

  • http://www.nerdshowandtell.com/ nerdshowandtell.com

    Not sure how people who live in this kind of fear even sleep at night. Relax and go on a hike or something :-)

    • http://www.garysims.co.uk garysims

      In other words ignorance is bliss!

  • smokebomb

    It’s not actually turned on automatically. When you activate the phone it gives you the option.

  • timlitw

    I’ll be leaving mine turned on. The benefits outweigh the risks.

  • Karthik Kanniyappan

    Don’t understand why so big threat.. Anyways Google as well stores our Gmail password which contains much more important precious data .
    This storing wifi password is just about ready to use anytime and it makes me feel good by not entering password in every device i use Android or whenever i reset.

  • Stuart Smith

    But no one is bothered apple does this (keychain) along with a fingerprint and house key! (KeyMe app). Pretty sure they could take over your life.