US privacy and computer security advocate Micah Lee describes himself, amongst other things, as “a staff technologist for EFF and the project maintainer of HTTPS Everywhere.”
In other words, he has a healthily holistic view of the use of encryption on the internet.
So it wasn’t surprising, earlier this week, to see him post a suggestion to the Android Open Source Project about security.
His suggestion was entitled “‘Backup and restore’ should offer encrypted backups”:
The "Back up my data" option in Android is very convenient. However it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.
If you’re an Android user, the option he’s talking about is the Backup & reset page in Settings:
In the screenshot above, the feature is turned off.
Most users, however, probably have it enabled because it is, as Micah points out, very convenient.
The idea is that if you lose your device, or merely feel the need to reflash it, you can much more quickly get back to where you were.
Instead of just reinstalling your favourite apps and starting afresh, your new device will know how to get online straight away, how to get into your Twitter account, and how many Angry Birds levels you haven’t conquered yet.
Clearly, Google keeps a raft of configuration data on your behalf, because if you have the option enabled and then decide to turn it off you get this dialog:
So how risky is this option?
It’s not risky in the sense, for example, of the recent flaw in the Tumblr app on iOS.
There, Tumblr forgot to secure the actual transmission of personally identifiable information (PII), such as your password.
That meant that crooks at a coffee shop, for example, might easily be able to sniff out and extract your Tumblr password.
The Android issue is more subtle: the data is encrypted in transit, and Google (for all we know) probably stores it encrypted at the other end.
But it’s not encrypted in the sense of being inaccessible to anyone except you.
That’s obvious because, as a comment on Micah’s above-mentioned posting pointed out, you can recover your data from Google even after you’ve wiped (or lost) your device, or changed your Google account password.
In other words, Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently even if you forget your device password and have to start over.
That’s just the sort of convenience which many users will trade against security.
So, let’s say some Three Letter Agency were to use some prismatic technique to acquire those Wi-Fi passwords from Google.
Is that likely? If so, would it be bad?
I have to say that it probably would be, if only because the list of Wi-Fi networks and passwords on your device is most likely much more extensive than just your own network in your own home.
You’d effectively be helping to build a list of passwords to go with the already-existing and extensive maps of Wi-Fi access points built up over years, both by Google and others.
You probably don’t want to help anyone, friend or foe, to do that.
The solution is to encrypt everything “for your eyes only” before you back it up anywhere, especially into the cloud.
And the problem with that is it’s not quite as convenient, not least because there’s no password-free way to recover that backed-up data, for example if you forget your password.
That’s the dilemma we all face.
Are you prepared to accept a digital equivalent of locking your keys in the car forever (for example if you forget your full-disk encryption password and didn’t save the recovery key)?
Or would you prefer to have what amounts to a backdoor to your own, or worse still, to other people’s, personal information?
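What the article proposes in the last few paragraphs, encrypting the backup “for your eyes only” before it leaves the device, looks like this in Go. This is an added example and not code from the article, from Micah Lee’s proposal or from Android itself; it assumes a key derived from a user passphrase (PBKDF2-HMAC-SHA256, written out so only the standard library is needed) feeding AES-256-GCM, and a constructed JSON snippet standing in for the kind of settings a backup carries. The wrong-passphrase path is the “keys locked in the car” case: the provider holding the blob, or anyone who obtains it from them, gets an authentication failure rather than plaintext, and so does the rightful owner if the passphrase is forgotten.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed stand-in for backup contents; not real Android backup data.
var sampleBackup = []byte(`{"wifi":[{"ssid":"home-net","psk":"correct horse battery staple"}]}`)

const (
	saltLen    = 16
	iterations = 100000 // PBKDF2 work factor; raise it on real hardware
	keyLen     = 32     // AES-256
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) spelled out so that the
// example depends on nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// newAEAD turns passphrase + salt into an AES-256-GCM cipher.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup returns salt || nonce || ciphertext+tag. Whoever stores the
// result sees only random-looking bytes; the salt is bound as associated data.
func EncryptBackup(plaintext []byte, passphrase string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+aead.Overhead())
	out = append(append(out, salt...), nonce...)
	return aead.Seal(out, nonce, plaintext, salt), nil
}

// DecryptBackup reverses EncryptBackup. A wrong passphrase, or any tampering
// with the blob, fails authentication instead of yielding garbage plaintext.
func DecryptBackup(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("backup blob too short")
	}
	salt := blob[:saltLen]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	if len(blob) < saltLen+aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("backup blob too short")
	}
	nonce := blob[saltLen : saltLen+aead.NonceSize()]
	return aead.Open(nil, nonce, blob[saltLen+aead.NonceSize():], salt)
}

func main() {
	blob, err := EncryptBackup(sampleBackup, "my device passphrase")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; SSID visible to provider: %v\n", len(blob), bytes.Contains(blob, []byte("home-net")))
	_, err = DecryptBackup(blob, "guess")
	fmt.Println("wrong passphrase:", err)
	pt, _ := DecryptBackup(blob, "my device passphrase")
	fmt.Println("restored:", string(pt))
}
```

The design point is that the key never exists anywhere except on the device, at the moment the passphrase is typed; a fresh random salt per backup means two uploads of identical settings do not even look alike, and GCM’s tag turns both a wrong passphrase and a modified blob into a clean error.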
What do you think? Let us know in the comments below…
Thanks. Looks like I need to turn that off and change my wifi password.
I ran into the same “lock your keys in the car forever” dilemma when enabling full-disk encryption on my MacBook Pro. I like Apple’s approach to easing the anxiety: they store encrypted answers to three security questions in iCloud and will produce your unlock key if you can answer them. Apple’s emphasis that you will need to answer exactly correctly to the letter supports their assertion that even they won’t be able to look up your encryption password without answering the security questions. And the security questions they ask seem good–very specific but obscure information. Like “what was the last name of your teacher when you were 12 years old?”
Naturally, if someone can discover the answers you’re hosed, but it feels like a decent compromise to avoid losing access to your data forever.
I have gotten by without this service for years. It was easy to use and useful. I just turned mine off after reading this article. I ass/u/me(d) it was fully encrypted — shame on me. Thanks for your article, I plan to share with my facebook friends.
I'm guilty of making this same assumption. It's not the lack of encryption, but I think the key point is their ability to decrypt at will.
A good reason to use a password vault rather than these homogenised backup processes.
This is also a "feature" of Windows 8. When I set up my newest Windows 8 machine it was actually helpful that it automatically knew the WiFi passwords of a couple of sites where I had meetings. I had forgotten my passwords but I had used my Surface RT at those locations.
So my WiFi credentials were included with other setup information that was automatically sync'd with my new Windows 8 computer.
I'd like to assume that any sync'd data never leaves my machine without being encrypted but as they say in the movie Sneakers, "No More Secrets".
Bill
The Android issue is more subtle: the data is ancrypted in transit.
Ancrypted.
Fixed, thanks.
thanks, turned mine off too. convenience vs security? no brainer.
anything that breaches my security will not be used. time to get away from smart devices.
Paul, I have a few words to say about the last sentence of this article:
"Are you prepared to accept a digital equivalent of locking your keys in the car forever (for example if you forget your full-disk encryption password and didn't save the recovery key)?
Or would you prefer to have what amounts to a backdoor to your own, or worse still, to other people's, personal information?"
Most people don't like to be bothered by interfaces featuring stuff that may be "complex", e.g. EULAs etc. So they (inadvertently) end up uploading their personal data.
It is very bad that such information is effectively being given away freely – we are to blame. But most people are too lazy to even bother – most of them are simply too lazy to look at what they're getting into.
I get what this article is hinting at and agree with the basic underlying principle of having your own encryption versus 3rd party access (yes, I would rather lock the keys in the car; there is always a window to break, i.e. start fresh). But I think it is an overreaction to Google having wifi passwords, or the NSA: what are they going to do, steal my internet? I know they could possibly use that as a more convenient way of "hacking" into my home network, but it seems they have an easier way with their prism thingy. So overall I'm not too worried about them having wifi passwords and a list of my apps, but correct me if I'm wrong.
You people are all funny! You make me laugh. If Google would just hurry up with some of their other projects we wouldn't need WIFI passwords anymore cuz there would be free WIFI cast freely across the country.
I’ve got a password protected spreadsheet with all my other passwords on it. I wrote the password to the spreadsheet on a piece of paper and sealed it in an envelope. The envelope is in a safe deposit box. That’s as secure as I know how to make things.
Excel (and possibly other) spreadsheet passwords are almost trivial to crack. Hopefully, you have at least named the file something other than passwords.xls.
…/Glitch
Try Password Safe or KeePass instead. They are much more secure than a spreadsheet.
In the past, I used multiple Email services etc., and one day made the step and migrated everything to Google Services. My idea was to have a central login to everything, and I understood Google would only use de-personalized data for their data mining (which results in ads, for example). I am fine with that.
With Google giving all data to some agency, they probably gave away access to my whole digital identity.
I'd be willing to pay for a Service Provider that offers completely encrypted data services. Like Email + Address Books, Calendars, Cloud Storage, Messaging, or maybe Android Phone Backups. But it looks like there is no one to trust. Maybe Mega? Time will tell. Mega is of course relying on their ISP/Data Centers, and if those were forced by some agency to give access, there is nothing Mr. Dotcom could do, right?
This thinking leads me to the Astaro Service of Cloud Email Storage. Astaro Security Gateways offer to be combined with that service, so basically every Email would be stored in the Astaro Cloud in addition to my local Servers. Can we have a word from Sophos here? Is/was Sophos/Astaro asked/forced by some agency to give some kind of access to that data? If not yet, what would be the answer?
Looks like the whole CLOUD-idea of the recent years was just a big fail. Everyone back to self-hosted local storage services!
We’re looking into your questions with a product specialist, we’ll get you an answer by Monday – thanks!
Thanks for your question(s). The short answer is no. Astaro was founded in Germany, where personal privacy laws and culture are very strict. As for the longer answer, cloud email storage technology continues to evolve and improve, which is why we’re seeing an ever-increasing number of businesses and individuals embracing it – for both convenience and security.
I think the NSA would have sufficient CPU power to crack anyone's wifi password, so where is the story?
Most, but not all. Just use a sufficiently long and complex encryption key and the math is in your favor. Yes, it would need to be longer to protect against the NSA than against Joe hacker.
I’d always assumed that this was only a problem if you used your tablet out in public (library, town hall, random hot-spots, etc.). I have turned mine off, thanks to your post. Geez. It’s always something, isn’t it? I had forgotten that it was on… I’d already disabled location services and all that… and I don’t leave my phone on… plus, I have an external hard drive, so could do without google services in any case. But, yea, geez, couldn’t someone come up with a really simple way to avoid security flaws without all of us becoming hyper-vigilant? So scary, this brave new world of ours! Cripes. 🙂
Couldn't they just simply add two-factor authentication? Much like they do with their Gmail service today, but in reverse? E.g. if I am logging into my Gmail from an unknown computer I receive an SMS or a phone call with a passcode. So in this scenario, if I wanted my Android restore, I would receive my passcode via Gmail.
Two-factor authentication makes it more difficult for a miscreant to take the place of the genuine account holder. Authentication of the account holder stands upon two things, in many examples something he knows (password) and something he has (telephone tied to a specific number).
In the case of wishing the second party to store a copy of your data, two-factor authentication detracts nothing from the ability of that second party (and anyone who is legally empowered to force disclosure from the second party, or who hacks – using a procedure that does not involve him abusing your specific log-in – the second party's systems) from using and abusing your data.
Smart phones for dumb people.
Encrypt? Doesn't the NSA have back doors to many of the different encryption software systems!? 🙁
If someone develops an encryption algorithm that the Security Agencies cannot crack, they will bring in whoever created it and demand the crack. Just saying.
No government wants secrets kept from them, only they can.
Knowing how an encryption algorithm works does not mean you can crack it in a feasible amount of time. Well-designed cryptographic algorithms rely on computational hardness rather than obscurity or secret algorithms.
Strong encryption is designed to be uncrackable in trillions of years, even when factoring in Moore’s Law of increasing computational power.
Unfortunately, there's no way out. I might turn off the option, but every friend that enters my house and asks for the WiFi password is a possible leak of that information into Google. No matter how cautious I am, others (who possess bits of my personal information) are not. From that point, it is just a matter of time before Google cross-references and gets much of my data (WiFi password, full name, blogs, email address, phone number) without my permission.
If my WiFi password is my sole protection of my home network, then I have much bigger problems to solve.
I’d be more worried about email and website passwords that may be stored on the device. For a wifi pass to be any use to a hacker, they must know where the wifi access point is.