It seems like every time you browse the news headlines these days there’s another story about a corporation being hacked and losing its bank account, its customers’ credit card accounts or its identity. These kinds of losses are all perpetrated by people external to your organization. But last week, security researchers uncovered that Android devices store wifi passwords in clear text and back them up to Google. This happens as part of the phone backup. Google provides a pretty slick backup and restore option for your phone, so when you get a new one all of your applications, files, settings and, yes, wifi passwords are there for you. Nice from a user perspective.
Why is this important?
We have to think about what that means for your business. When an employee comes to your office and connects their phone to your LAN wireless, the Android device stores that password and sends a copy of it to Google. As we know from Google’s previous disclosures about how it uses the data it collects, Google now has the right to sell, display and publish a connection to your network. This also makes Google the world’s largest holder of corporate wifi access credentials.
Will Google intentionally do something evil with this power? Probably not. But an individual’s password could be guessed and the data harvested. It could be handed over to law enforcement or become part of government security data gathering. Imagine if you were a hacker and you got a list of those passwords. Now that the word is out that Google has a giant list of corporate access passwords, you can bet that there’s plenty of bad guys trying to get their hands on it. It would make a really nice new rainbow table. (Rainbow table is the name given to lists of potential passwords that an automated tool will cycle through when attempting a hack.)
What should we do?
The danger is real. The way to mitigate the risk is to not allow phones of any type to connect to your corporate wifi. If you’d like them to be able to connect to a wifi while in the office, connect them to a guest wifi that the firewall segments from the internal network.
I would tackle this in two ways. First, by policy. Employees are likely to know, and need to know, the password to the corporate wifi, so it would be easy for them to add it to their phone. Your acceptable use policy needs to include a statement that phones are not to be connected to the corporate wifi under any circumstances. Second, lock down the corporate wifi to specific MAC addresses only, or to trusted machines with an installed certificate. Both methods let you know that only devices and people you trust have access to your corporate wifi and to the data in your corporation.
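The second control above (a device allowlist on the corporate SSID) is only useful if you also check that it is being honoured. The script below is an added example, not code from the original post: it audits access-point association records against a MAC allowlist and reports any device that joined the corporate SSID without being on the list. The log line format, SSID names and MAC addresses are all constructed for the example; a real AP or wireless controller will log associations in its own format, so only the regular expression needs adapting.

```python
"""Audit wireless association records against a corporate device allowlist.

Added example (not from the original post). Assumes the access point logs
associations as lines of the constructed form
    <timestamp> assoc ssid=<name> mac=<aa:bb:cc:dd:ee:ff>
and a policy that only allowlisted MACs may join the corporate SSID.
Devices on the guest SSID are not policed here, since the guest network
is already segmented from the internal network by the firewall.
"""
import re
from dataclasses import dataclass

CORPORATE_SSID = "corp-wifi"    # assumed SSID name for the internal network
GUEST_SSID = "guest-wifi"       # assumed SSID name for the segmented guest network

# Constructed allowlist of trusted corporate devices (laptops, desktops).
ALLOWED_MACS = {
    "00:11:22:33:44:55",
    "00:11:22:33:44:66",
}

# One association record per line; MACs may be logged in either case.
ASSOC_RE = re.compile(
    r"^(?P<ts>\S+)\s+assoc\s+ssid=(?P<ssid>\S+)\s+"
    r"mac=(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Violation:
    """A device that joined the corporate SSID without being allowlisted."""
    timestamp: str
    mac: str
    ssid: str


def normalize_mac(mac: str) -> str:
    """Lower-case the MAC so allowlist lookups are case-insensitive."""
    return mac.lower()


def parse_line(line: str):
    """Return (timestamp, ssid, mac) for an association line, else None."""
    m = ASSOC_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ssid"), normalize_mac(m.group("mac"))


def find_violations(lines, allowed=ALLOWED_MACS, corporate_ssid=CORPORATE_SSID):
    """Report every association to the corporate SSID by a non-allowlisted MAC."""
    allowed = {normalize_mac(m) for m in allowed}
    violations = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip lines that are not association records
            continue
        ts, ssid, mac = parsed
        if ssid == corporate_ssid and mac not in allowed:
            violations.append(Violation(ts, mac, ssid))
    return violations


# Constructed sample log: one trusted laptop, one unknown device on the
# corporate SSID, one phone correctly on the guest SSID, one unrelated line.
SAMPLE_LOG = [
    "2013-07-15T09:01:12 assoc ssid=corp-wifi mac=00:11:22:33:44:55",
    "2013-07-15T09:03:40 assoc ssid=corp-wifi mac=AA:BB:CC:DD:EE:01",
    "2013-07-15T09:05:02 assoc ssid=guest-wifi mac=aa:bb:cc:dd:ee:02",
    "2013-07-15T09:05:03 dhcp lease renewed for 10.0.0.23",
    "2013-07-15T09:07:19 assoc ssid=corp-wifi mac=00:11:22:33:44:66",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.timestamp} unauthorized device {v.mac} joined {v.ssid}")
```

Run against the constructed log it reports exactly one violation, the unknown device that joined `corp-wifi` at 09:03:40. A MAC allowlist is a detective and deterrent control rather than a strong one, since a MAC address is trivially changed on most devices; pair it with the certificate-based option from the post (802.1X with per-device certificates) if you need assurance that the device itself, not just its address, is trusted.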