February 2, 2012 report

Some HTC Android phones found vulnerable to WiFi password leak

by Bob Yirka , Phys.org

HTC Desire HD
HTC Desire HD

(PhysOrg.com) -- The United States Computer Emergency Readiness Team (U-CERT) has issued a warning to users of some HTC Android phones regarding a security vulnerability that has been found. The warning pertains to 802.1X WiFi user information and SSID data that can be viewed by rouge applications, taking advantage of a weakness in the OEM Android build of certain HTC phones.

Affected phones allow 802.1X WiFi information to be seen by applications that have access rights to WiFi information stored on the phone. This means errant applications could find their way to a stored SSID (Service Set Identifier - an identifier attached to the header of packets sent to a wide area network), login names as well as passwords. Also, should the phone connect to the Internet, identified information could then be sent back to those that created the application and who are looking for such information. And if the phone also connects to a corporate network, the vulnerability could lead to data being stolen.

According to U-CERT, the phones at risk are:

Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
Glacier - Version FRG83
Droid Incredible - Version FRF91
Thunderbolt 4G - Version FRG83D
Sensation Z710e - Version GRI40
4G - Version GRI40
Desire S - Version GRI40
EVO 3D - Version GRI40
EVO 4G - Version GRI40

HTC, a Taiwanese manufacturer of Smartphones, has had other with their phones in just the past few months, and according to some unofficial sources, this particular vulnerability was discovered by Chris Hessing, a senior engineer with CloudPath Networks. Google and HTC were both apparently notified about the vulnerability last September after it was discovered. Since that time, both have been hard at creating a fix, which is now available to worried owners at HTC’s support site.

Google has also reportedly performed a full scan on all of the applications available for download in the Market, and has found none that have tried to take advantage of the vulnerability, indicating that it’s possible nobody but Hessing and workers at HTC and were even aware of the vulnerability, which means despite the lapse by , it’s likely no one was actually harmed by the problem.

Explore further

Verizon Wireless to start selling first 4G phone

© 2011 PhysOrg.com

Citation: Some HTC Android phones found vulnerable to WiFi password leak (2012, February 2) retrieved 19 July 2019 from https://phys.org/news/2012-02-htc-android-vulnerable-wifi-password.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
0 shares

Feedback to editors

Relevant PhysicsForums posts

The Story behind the Apollo 11 and the 1202 Computer Error Code

13 hours ago

Getting cable TV on my laptop - i.e. sans Internet?

14 hours ago

I have finally re-entered the IT field yesterday

19 hours ago

Suggest a student laptop

Jul 17, 2019

What specs should I look for in a laptop

Jul 17, 2019

Multipurpose software that keeps C, Python, DSP, ... in the same file

Jul 16, 2019

More from Computing and Technology

User comments

Shifty0x88
Feb 02, 2012
Uh oh, I have one of those phones, but I am careful in downloading apps from the market.

I only download "trusted" apps, apps which have lots of downloads, are from good companies, and have a good reputation on the internet and from my friends.
0
Report Block
satcat
Feb 03, 2012
I also use an app (LBE Privacy Guard, free version) where you can restrict the rights for all the other applications.

However you need to root your phone, have Superuser app installed, and give LBE Privacy Guard full trust
0
Report Block

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Forgot Password
Registration