Hacking 'overheard' wireless: Facebook, Twitter, Google security

Hacking 'overheard' wireless: Facebook, Twitter, Google security

Summary: By listening into the wireless signal given off by an Android device, one university professor could determine how secure common web services were, and if they encrypted their transmissions.

SHARE:

Dan Wallach, who maintains a blog on the other side of the sphere, set up a wireless sniffer to listen to the overheard wireless signals on his Android smartphone, to determine how common web services transmitted data.

Truly, a testament to undergraduate studies: to think of such an idea and to give it a go; engaging with students and show them real life practical security skills, something you don't see often anymore.

By studying the way that Google, Twitter and Facebook send your data from your mobile device to the cloud or the service, it gives an insight into how the aforementioned services treat our data and gives them a level of security grading.

Google seems to come off the best, with Twitter and Facebook not doing too well.

  • Google properly encrypts traffic to Gmail and Google Voice, but they don't encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
  • Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn't really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.
  • Facebook does everything in the clear, much like Twitter. My Facebook account's web settings specify full-time encrypted traffic, but this apparently isn't honoured or supported by Facebook's Android app. Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook's server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.

Credit to Dan Wallach. His original post was a great read.

Topics: Google, Mobility, Networking, Security, Wi-Fi, Social Enterprise

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Truely a testament to undergraduate studies

    Hopefully he didn't watch the overhead of a device he didn't own or specifically get permission for, otherwise in the US he'd have racked up multiple federal and state offenses for intercepting wireless communication...
    ITSamurai
    • RE: Hacking 'overheard' wireless: Facebook, Twitter, Google security

      @ITSamurai But, academic independence, integrity and freedom prevail. Sure, you probably couldn't murder someone as a 'university experiment' but you can get away with a lot in the field of research.
      zwhittaker
      • RE: Hacking 'overheard' wireless: Facebook, Twitter, Google security

        @zwhittaker Academic Independence, Integrity and Freedom prevail? try telling that to a US Federal Judge.
        eak2000
    • RE: Hacking 'overheard' wireless: Facebook, Twitter, Google security

      @ITSamurai <br><br>In addition to Zack's comments, the experiment was set up to sniff the author's own traffic from his Android phone, not traffic in general. It would be trivial for an experienced security researcher to set Wireshark to filter out everything else.
      lshanahan
      • RE: Hacking 'overheard' wireless: Facebook, Twitter, Google security

        @lshanahan In that case I'm all for it, I've got a test lab myself to stay on the right side of the tracks as it were.<br><br>@zwhittaker Actually alot of security research leaves you sitting in a grey zone ie reverse engineering. The laws are a virtual mine field (no pun intended) and if you were to claim that you were only doing it for research you would effectively establish the requirement of the prosecution to show intent. While 'testing' using someone else's equipment is unlikely to be noticed and even less likely to be prosecuted - it also raises serious ethical questions. While it sounds like a moot point from what Ishanahan has pointed out, if you are a fellow researcher I strongly suggest getting into cyber law as well.

        *EDIT* Should've read the original post before replying - and Zack I am speaking from the perspective of US laws, the UK may operate differently.
        ITSamurai
  • RE: Hacking 'overheard' wireless: Facebook, Twitter, Google security

    Another reason not to to get caught up in the hype over these sites. I trust Facebook, twitter and google about as much as i'd trust a convicted serial killer. Security used to be at the forefront of everybody's mind when using the web but as time wears on stupidity rules and it shows as people put more and more trust into corporations that could give a rats ass about you and your privacy.
    Rob.sharp
  • RE: Hacking 'overheard' wireless: Facebook, Twitter, Google security

    tcpdump is your friend LOL
    LarsDennert