Google knows every single Android user's WiFi password

By on September 16, 2013, 1:00 PM
google, android, gmail, wifi, os, passwords, networks

New privacy issues have come to light surrounding Google's Android mobile OS. Experts on the matter are claiming that back up tools in the operating system make it so that a copy of every person's WiFi password (or the password of other networks you log onto) is being stored on Google's servers. Unfortunately, this might mean that Google could be legally forced to hand over the data at the government's request for one reason or another.

In Android 4.2, the back up service under Settings, lists WiFi passwords as part of the data that will be included, where as earlier versions of the OS did not specifically mention that. Although the feature can be turned off, users lose other, helpful functionality like bookmarks etc.

The main problem here is beyond the fact that Google is storing the passwords. The company is storing them in such a way that means it can read the passwords if it wants to. This is clear to see by the way new Android devices can suck in old passwords, login data and device settings from Google servers, once you have setup your Gmail address and new password.

Obviously, this functionality has its up sides, we can easily manage passwords for several devices and services this way, but it certainly leaves the networks we use in a much less secure state than we may have originally thought. Although this isn't shocking in the least, it is surprising that Google would leave these passwords in a readable form as well as opening itself up for an almost guaranteed public back lash if the government ever does strong arm them for that data.




User Comments: 34

Got something to say? Post a comment
1 person liked this | coppersloane coppersloane said:

How long will we put up with Google's constant disregard for our privacy?

Answer: As long as they keep developing cool gadgets for us to use. When we're finally living in the world of Orwell's 1984, Big Brother won't be to blame -- we will be, for being complacent and stupid; for allowing this abuse and exploitation to go on for as long as it has.

gamoniac said:

I am not sure how this is news, but I am glad you brought it up. I saw this in my newly bought Android 4.0 (ICS) last year and turned it off immediately. I was beyond puzzled that Google weighs convenience over security to such extent.

2 people like this | fimbles fimbles said:

I am pretty sure google wont be outside my house piggybacking my wireless!

I don't know what evidence could be obtained by knowing someone's wireless WEP/ WEP2/ AES ect key?

psycros psycros said:

I am pretty sure google wont be outside my house piggybacking my wireless!

I don't know what evidence could be obtained by knowing someone's wireless WEP/ WEP2/ AES ect key?

You might want to sit down and breathe deeply: http://epic.org/privacy/streetview/

MilwaukeeMike said:

How long will we put up with Google's constant disregard for our privacy?

Answer: As long as they keep developing cool gadgets for us to use. When we're finally living in the world of Orwell's 1984, Big Brother won't be to blame -- we will be, for being complacent and stupid; for allowing this abuse and exploitation to go on for as long as it has.

Except that Google isn't the government. So at least the 1984 universe will be limited to Android users only.

Although this isn't shocking in the least, it is surprising that Google would leave these passwords in a readable form as well as opening itself up for an almost guaranteed public back lash if the government ever does strong arm them for that data.

I don't get it. What could the govt possibly want with wi-fi passwords? If they want access to a wi-fi network, wouldn't 'strong-arming' the owners of the network be a lot easier than getting it out of Google's team of lawyers?

Guest said:

It is not news that Google backups up Wifi passwords. It may come as news that these passwords are stored by Google in such a way that they can be retrieved with just a Gmail email and password. That means Google can read the passwords. And again, its not that Google has anything to gain by reading them, but agencies of the government might. When you combine this with huge number of Android devices, hundreds and hundred of millions, you end up with a scary big database of Wifi passwords.

fimbles fimbles said:

You might want to sit down and breathe deeply: http://epic.org/privacy/streetview/

Judging by the list of court cases and info in the link you posted, they seem to be collecting more than just wifi passwords.

captaincranky captaincranky, TechSpot Addict, said:

How long will we put up with Google's constant disregard for our privacy?

Answer: As long as they keep developing cool gadgets for us to use. When we're finally living in the world of Orwell's 1984, Big Brother won't be to blame -- we will be, for being complacent and stupid; for allowing this abuse and exploitation to go on for as long as it has.

Or possibly until people develop the genetic ability to shut their mouths, and leave the phone turned off and in their pockets.

LNCPapa LNCPapa said:

If you think Google is the only one doing this then prepare to be thunk wrong . I exchanged my Surface RT which had been on my network for a couple of weeks for a Surface Pro and when I logged in at home it knew my wifi password already. It was a bit scary until I figured "who with the power to get to this information cares enough to get on my network?"

captaincranky captaincranky, TechSpot Addict, said:

If you think Google is the only one doing this then prepare to be thunk wrong . I exchanged my Surface RT which had been on my network for a couple of weeks for a Surface Pro and when I logged in at home it knew my wifi password already. It was a bit scary until I figured "who with the power to get to this information cares enough to get on my network?"

Did you ever click the "remember me" button, or did it just know?

LNCPapa LNCPapa said:

Different physical machine and OS (RT vs Win8) - no transfer of settings between devices - logged into the same account.

1 person liked this | H3llion H3llion, TechSpot Paladin, said:

I better change my password to something insulting towards Google, so when they see it, they know whats up!

Lionvibez said:

Different physical machine and OS (RT vs Win8) - no transfer of settings between devices - logged into the same account.

do both windows Rt and windows 8 force you to login with an email account?

I'm sticking to 7 so I don't know.

It is possible MS has this information stored and that is why it remembered your wifi?

that is the only thing that makes sense to me

captaincranky captaincranky, TechSpot Addict, said:

Well, God hears all your prayers, and by extension, tentatively knows all your passwords.

The only reasonable conclusion I can draw is, "Google is God....!!!:eek:

St1ckM4n St1ckM4n said:

Different physical machine and OS (RT vs Win8) - no transfer of settings between devices - logged into the same account.

Did you make a local user account, or did you use a MS account to log in? Win8 sync's settings.

[link]

1 person liked this | LNCPapa LNCPapa said:

I did log into an MS account... but if they store that info then they can get that pw with very little effort.

CJ100570 CJ100570 said:

I find it puzzling that this has made into such a big deal when it is in fact not a big deal. Anyone that buys an Android device is offered the "option" of having this info backed up on Google servers. If a user "chooses" to utilize this feature or "chooses" to not uncheck the setting as they setup their phone, how is it somehow the fault of Google? The user "chose" to have the info backed up!

Guest said:

Mac address whitelist on router, you can steal my passwords all day long

highlander84 said:

Ahhhh so you think if they have only your wifi password they can't look at the mac address and then simply clone it? It's really easy.. Especially when you know an authorized Mac...

Divvet said:

This isnt new! Google has been syncing my wifi passwords across all my devices for as long as I can remember, so of course they have the passwords! But what are they gonna do? Log onto my wifi in London? Don't be stupid.

Guest said:

highlander84 said:

Ahhhh so you think if they have only your wifi password they can't look at the mac address and then simply clone it? It's really easy.. Especially when you know an authorized Mac...

ok, if you put it that way, then Mr. Evil Hacker will need to either: hack your google account, force you to login to his network, steal either your device or router

accessing lan data requires another password that is not stored on google server

is all this hassle worth having someones "free" wifi? I dont think so

in case of Big Brother its all non essential, BB knows everything you do and ever did and can at any moment come to your home and take w/e it wants

gamoniac said:

highlander84 said:

Ahhhh so you think if they have only your wifi password they can't look at the mac address and then simply clone it? It's really easy.. Especially when you know an authorized Mac...

ok, if you put it that way, then Mr. Evil Hacker will need to either: hack your google account, force you to login to his network, steal either your device or router

accessing lan data requires another password that is not stored on google server

is all this hassle worth having someones "free" wifi? I dont think so

in case of Big Brother its all non essential, BB knows everything you do and ever did and can at any moment come to your home and take w/e it wants

Google database can be compromised. Once Wi-Fi access is compromised, the hackers can sniff your network packets for data in your Wi-Fi transmission.

RenGood08 RenGood08 said:

I guess its a good things wifi is turned off on my cellphone. I don't really use wifi. At home, I dont have it, and forget to connect to it at my parents' place.

Guest said:

gamoniac:

Google database can be compromised. Once Wi-Fi access is compromised, the hackers can sniff your network packets for data in your Wi-Fi transmission.

they can sniff packets w/o google database, wifi is not a secure connection

the question is: whats easier to hack, google database, or decrypt password you transmit with packets over wifi, or just steal device

Skidmarksdeluxe Skidmarksdeluxe said:

Google database can be compromised. Once Wi-Fi access is compromised, the hackers can sniff your network packets for data in your Wi-Fi transmission.

They can sniff my crack!!!

LNCPapa LNCPapa said:

I'm not important enough for anyone to go through all that trouble.

1 person liked this | Tygerstrike said:

All I see here are nutjobs worried about security. Problem is they are the minority. See the American consumer is SO LAZY that they cant even put pen to paper and write down thier passwords so they will remember them. No its much easier to say ok and just let the phone remember for them. Its smart right?? All joking aside, big deal.

Not like Google cares and if the govt REALLy wanted into your computer, you really couldnt stop them UNLESS youre NOT on the web. And then they just do a little home invasion and steal what they want. Or get a warrent. Guys yes there are connections between our devices and the govt, but before the rants start, who do you think oversees the operations? Who is the cell phones REGULATORY agency?? Why Uncle Sam since you asked. So the govt has had thier hands on our information since the information age started. We are still here. Crazy people STILL do crazy sh!t. Stupid people still do stupid sh!t. The point is we know they are watching the body republic, but are they SEEING anything. Probably not. Your person fetish websites dont concern them. They would rather you at home spanking, then out and about causing trouble. And unless you put "key" words out there, then they wont have reason to watch you. In the end, face to face is the only real comunication we can be sure isnt heavily monitored. And I might point out to all who are screaming about the govt watching us....AND???

Guest said:

You miss the point. The point is that they store it in a readable form instead of something like a hash or a complex way of storing a password. This makes it vulnerable and a risk. It's ok to do it as long as it's done in a proper way :)

wiyosaya said:

All I see here are nutjobs worried about security. Problem is they are the minority. See the American consumer is SO LAZY...

Personally, I would not call them lazy, though they may actually be so. As I see it, the real problem is that the average American consumer does not have enough technical knowledge to really understand what they are doing. In other words, the average American consumer is ignorant.

coppersloane coppersloane said:

Getting it through Google allows them to do it quietly. If they "strong-arm" it from the owner, the owner has time to hide stuff. As for what they'd want with wi-fi passwords, I've been hacked through my network before, and watched as said hacker took remote control of my mouse and keyboard.

coppersloane coppersloane said:

The user chose to put their wi-fi password on a Google server? Even if it's in an end user license agreement somewhere, considering no one reads those, I seriously doubt anyone would be okay with putting the password for their HOME NETWORK on anyone's server but their own, especially after we now live with confirmation that government openly spies on us. And if it is to be done, people would want to know what precautions are taken to ensure the information will not be used in an abusive way.

If by signing an employment contract with a lot of fine print and consecutively punching in at work each day I discovered later that my boss had been provided with a key to my house all along, I'd see something wrong with that.

bond304 said:

My only question is, why isn't the backup data encrypted with a public key generated by the user so that only the private secret key can decrypt it? I mean look at what Mega did.

ViperSniper2 said:

What a bunch a tin foil hat wearing garbage. If you didn't read the Android backup agreement and had to wait for someone else to point out the fact it includes wifi passwords, you need to have your head examined. The reality is quite simple; rather than recording this for their own serendipitous spy use, it's recorded to make our live's easier and chances are 90% of users simply keep the default User = Admin and Password = password or admin, etc for admin access to change your setup. If it's a passphrase you'll know the MAC and name of every single device that logs in!

So I call fowl! ...like in stinking up the place with garbage editorials like this. Basically again... accusing Google of telling on themselves openly in a click through agreement that if YOU..... aren't reading and understanding anything past the first word, makes YOU the blithering *****!

I say until.... they actually get called out by the government you fools trying to make out like Google is "teh Skynet", need to honestly find something better to do with your time, than nitpick frivolous accusations like some 5yr old telling on their older brother, something their mom already knew!!! lol....

Come on people the NSA wrote the Secure Linux Kernel for Jelly Bean Android. You think the DoD and our government aren't aware of this themselves already???

Shame on you for pointing out something so trivial and universally ignored as a home WiFi Password whether admin or device access. You'd think people really cared what their access or login password is. They are like a key lock on a door. They aren't meant to really keep a criminal out of your house. They are simply a means to prove unauthorized "Breaking and Entering". When in reality anyone accessing your WiFi Admin is logged... if you simply change the default password and set it up properly.

As for your encrypted access passphrase, whether they know the passcode or not, you'd still need to know the router brand and admin address to do any damage on the network and that's if you aren't managing your home wireless network properly like this little gem tells you here:

[link]

Quite simply stated, if your neighbor or Google even.... is close enough and foolish enough to be stealing internet access from your router, the reality is that they aren't stealing it from you. They are stealing it from your provider without your permission. If... you can wrap your head around that little tidbit of knowledge, you'll understand just why every internet provider is more interested in you using an encrypted password for their own benefit. Otherwise we'd all have password free access all over the World, instead of just the countries where Free WiFi access is almost guaranteed on every street corner. If no password needed, what does your little tirade against Google really prove anyway?

Also by simply using the electronic pairing via the WPS button on both router & devices or simply switching off manual configuration and enabling WPS (Wireless Protected Mode) setup, you totally eliminate any other device than those you have physically pushed the WPS button for on your ROUTER! .....now tell me what's so hard about that? When the fact is that your passphrase is even hidden from your view. Let alone a device's MAC and Name needed w/ that password to get access in the first place. Which is also recorded and can be analyzed by authorities to determine who they are!

What a Joke this whole scenario is and that from someone who works in IT! ^_* ....so if you are really that worried about this, then just use your router's WPS setup mode and get your own self locked out of actually knowing what your router's Passphrase is! .....and for God's sake, change your ***** Proof default Admin Login while you're at it!!!

ViperSniper2 said:

Google database can be compromised. Once Wi-Fi access is compromised, the hackers can sniff your network packets for data in your Wi-Fi transmission.

They can sniff my crack!!!

hahaha.... that's what I say! ;-P ....because in all reality if Google is that close to every crack on earth to sniff it, they really must be "teh SkYnEt" afterall!

OMG the sKyNeT is falling and we all better run before Google starts reading our minds located in our cracks. That's if you really believe this crack full of bullpucky!

BTW... at your quote; Google already is well on their way to fully encrypting their entire database from evil eyes whether private, corporate or government. So they'd have to want access pretty bad to every single Google user's data. Which on average for let's say just a billion Android users would take well over a 100 or so years to CRACK! ^_*

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.