It has been reported that that a popular hotspot finder app for Android exposed the Wi-Fi network passwords for more than two million networks. The app allowed anyone to search for Wi-Fi networks in their nearby area. The app allows the user to upload Wi-Fi network passwords from their devices to its database for others to use.
Tim Mackey, Senior Technical Evangelist at Synopsys:
“The topic of data privacy, security and consent has been top of mind for both organisations and users since GDPR came into effect almost a year ago. One of the key components of GDPR is the concept of consent. Under this doctrine, users must consent to the collection of personal data by a provider and the provider must similarly disclose how it will manage and process that data. In the case of the HotSpot finder applications’ collection of WiFi password data, we see a situation where the goal of the application and by extension its user base are at odds with the security of others. While WiFi credentials might be provided to an authorised user of a network, that same user providing those credentials to a third party likely falls outside of both terms of service for the WiFi network and the doctrine of consent. In essence, the HotSpot finder app presumes their user has the authority to disclose potentially sensitive information and thus can consent to the app receiving and potentially storing that data. This then creates a situation where the threat model defined by the WiFi network owner might be insufficient – i.e., that only authorised users are granted access when user impersonation might become the norm. To mitigate this situation, operators of WiFi networks should routinely audit their access records to identify abnormal patterns of access and vet that access against the expected usage pattern for the user.”
Monique Becenti, Product and Channel Specialist at SiteLock:
“An Android app that helped its thousands of users search for and sign into nearby Wi-Fi networks was storing the passwords to more than two million networks in an insecure format. This allowed outside actors to get access to and download the contents of the database. While the app says it only shares passwords for public networks, the database seems to also include private home networks.
The app allows users to have unauthorized access to public and private Wi-Fi networks, allowing network owners to offer their Wi-Fi credentials for public connections without prompting them for permission. Users are often more vigilant about their security when using public networks as they are more widely known to be unsecured connections. However, people tend to let down their guard when using their home networks. If bad actors access a user’s home network, they could alter router settings and direct traffic to malicious websites, or even worse, attackers could have the ability to steal sensitive information such as bank logins or credit card data from a residential router.
Network owners should think twice about who they share their residential or business Wi-Fi credentials with. The risks of widely sharing these passwords highly outweigh the benefits, as users offering their own routers leave their personal traffic and the traffic of the users vulnerable to man-in-middle attacks. Users should only use their own devices when connecting to Wi-Fi networks, they should also keep in mind a VPN is a great tool to encrypt their traffic, however, it will not protect them from a router modified by an attacker. Network owners who think their Wi-Fi networks were abused by this app should immediately change their passwords and reach out to their router manufacturer to report the security vulnerability.”