Thursday, August 05, 2010
HTC/Android tethering insecurity
New possibilities. New buttons. New features. New looks. Faster, higher, better, and so on. I've been looking forward to this.
One of the features I've really been waiting for is tethering, which enables me to configure my HTC Desire to act as a WLAN hotspot for other devices. In my case; for my iPod Touch 64Gb so that i can play certain games online wherever i go. Yes, important feature indeed. :-D
But there's a catch. Or well, not for me really, but I don't like the way HTC has chosen to set the default parameters for tethering. Take a look at this picture (my HTC Desire phone with Norwegian menu, but I guess you'll understand it):
For security, there are options for none, WEP (128), WPA/TKIP or WPA2/AES available. I guess WPA/TKIP is the "middle road" selected by HTC, not too bad, with a high probability of most devices being able to use it.
For once I won't complain just about the password, but about the SSID too. See; the next time one of the bad guys sees a WLAN with SSID HTC network, there is a certain chance the password may be the default as well. They will definately try it. If they succeed, they can give you a rather tough bill to pay in the coming weeks for excessive data usage through your phone. (Proving that you didn't do it will be tough - your phone doesn't do much logging, does it?)
When i travelled back home from vacation in Denmark, I spent quite a few hours onboard a passenger ship with their own GSM provider on board, probably using satellite communication. I got an SMS telling me that using GSM/3G for data traffic would cost me NKR 90,- for each megabyte of traffic. That's 11,39 Euros or USD 14,96 for one megabyte. ONE SINGLE LOUSY MEGABYTE OF DATA.
Somebody tell me if I'm wrong, but I hope and believe that Cisco still provides their routers without remote access by default, enforcing local cable connection first to set a (hopefully) unique password to get remote access?
A very simple guide in Android and/or from HTC, asking for an SSID and a user-selected password upon first time usage would probably be a good idea. Perhaps a little less user-friendly, but a whole lot safer for any and everyone deciding to buy themselves an HTC phone running Android.
On the other hand; HTC has done nothing wrong. Security is the responsibility of the end-user, period. (Thanks to @solskogen for taking the opposite position of me during a 10-minute break at work today. Always challenging me on my thoughts and ideas, highly appreciated!).
So for Google/Android, HTC and other vendors as well: setting default usernames, passwords and SSID's in your products isn't really that smart, since there are way too many users who doesn't understand these issues. They are not interested either; they've paid money for a product, they expect it to provide good security out-of-the-box.
Remember; good security shouldn't be cumbersome, it should be easy and secure from the start.
Posted by securitynirvana