nsane.forums Posted February 1, 2012

A group of HTC Android phones is susceptible to an exploit that can steal Wi-Fi credentials and passwords and send them to attackers.

The exploit relies on attackers creating rogue applications to take advantage of vulnerabilities in the Android build HTC uses on some of its phones, according to a post by the United States Computer Emergency Readiness Team (US-CERT).

Users with affected phones should go to HTC's support site for software updates, US-CERT says.

The affected Android builds expose 802.1X passwords to applications on the phones that have permission to access the Wi-Fi state of the phone. The flaw doesn't allow access to the 802.1X settings themselves, but it does allow viewing Wi-Fi credentials, according to a description of the flaw at the My War With Entropy blog by Bret Jordan.

So an application could gain access to stored SSIDs of Wi-Fi networks, user names and passwords. If the application also has Internet-access privileges, it could send along the stolen credentials to attackers.

If the stolen credentials are for corporate networks, they could be used to target data on those business networks, Jordan writes.

According to US-CERT, affected phones are:

• Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
• Glacier - Version FRG83
• Droid Incredible - Version FRF91
• Thunderbolt 4G - Version FRG83D
• Sensation Z710e - Version GRI40
• Sensation 4G - Version GRI40
• Desire S - Version GRI40
• EVO 3D - Version GRI40
• EVO 4G - Version GRI40

HTC and Google were told about the flaw last September and have been working to fix the problem and arrange for public disclosure. Jordan describes the companies as responsive and good to work with.

nsane.forums Posted February 3, 2012

HTC admits it knew about Android smartphone WiFi flaw

HTC admits it knew for months about an issue with some of its Android-based smartphones that caused its WiFi to leak out SSID and password details to other devices. It is finally fixing the flaw.

Several months ago, some security researchers found a flaw in some of HTC's Android-based smartphones that allowed the phone's WiFi hardware to leak SSID and password information to hackers. HTC was told about this problem but basically ignored the flaw. This week, HTC finally admitted to the issue and said it would release patches for the smartphones that had the WiFi flaw.

So why did HTC wait months before admitting to the problem and fixing it? Engadget got a statement from the company which basically said they wanted to develop a fix before alerting consumers to the issue. The full statement is as follows:

"HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."

HTC's support page states that most of their Android phones have had the WiFi flaw fixed via an automatic update but that some of their phones will need to be manually updated to deal with the issue. It adds, "Please check back next week for more information about this fix and a manual download if you need to update your phone."