Wifi Passwords Leaking On Select HTC Smart Phones
Mobile security researchers discovered a “critical” bug in several models of HTC Android handsets that could expose users' wifi credentials to any hacker who cared to look, reports Sharif Sakr for Engadget. The flaw was discovered in September of last year.
The list of affected phones includes the Desire HD (including the “ace” and “spade” board revisions), the HTC Glacier, the Droid Incredible, Thunderbolt 4G, Sensation Z710e, Sensation 4G, Desire S, EVO 3D, and EVO 4G, according to the published data. The MyTouch 3G and Nexus One are not affected.
The researchers, Chris Hessing and Bret Jordan, promptly notified HTC; however, the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago.
HTC has clarified that this is standard policy to protect customers, and says it waited to develop a fix before alerting the wider community to the vulnerability, including hackers who would have jumped on it.
Most newer devices have already received their fix via standard updates, but owners of some older phones will need to check the HTC Support site for a manual update as soon as it is available, most likely next week, reports Matt Brian for The Next Web.
The researchers found that any Android application on an affected HTC handset with the android.permission.ACCESS_WIFI_STATE permission would be able to call the .toString() method of the WifiConfiguration class to view all credentials of a wifi network. If the application also held the android.permission.INTERNET permission, attackers could then harvest the details and send them to a remote server on the internet.
The attack requires the user to install an application that was specifically designed to harvest these details or was uploaded to the Android Market with the specific aim of collecting information. The impact may have been small, since such an app would not have the reach of a more popular app, but the security risk does exist.
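The permission pairing described above can be checked from the defender's side. The following is an added example, not code from the researchers or HTC: it rates apps by whether they hold the read permission alone or the read permission together with INTERNET. It assumes input in the style printed by `aapt dump permissions`; the package names and sample listing are constructed.

```python
import re

# The two permissions the article names.
WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
INTERNET = "android.permission.INTERNET"

# Constructed sample: `aapt dump permissions`-style output for three
# hypothetical apps, concatenated. Both quoting styles aapt has used appear.
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.INTERNET'
package: com.example.wifitoggle
uses-permission: android.permission.ACCESS_WIFI_STATE
uses-permission: android.permission.CHANGE_WIFI_STATE
package: com.example.notes
uses-permission: name='android.permission.INTERNET'
"""

PKG_RE = re.compile(r"^package:\s*(\S+)")
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?")

def parse_permissions(text):
    """Return {package: set(permissions)} from concatenated aapt-style output."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), set())
        elif current is not None and (m := PERM_RE.match(line)):
            current.add(m.group(1))
    return apps

def classify(perms):
    """Rate exposure to the WifiConfiguration.toString() leak on an affected handset."""
    if WIFI_STATE not in perms:
        return "none"        # cannot read the wifi configuration at all
    if INTERNET in perms:
        return "read+send"   # can read credentials and send them off-device
    return "read-only"       # can read credentials but has no network permission

def audit(text):
    """Return {package: rating} for apps that can at least read the credentials."""
    ratings = {pkg: classify(p) for pkg, p in parse_permissions(text).items()}
    return {pkg: r for pkg, r in ratings.items() if r != "none"}

if __name__ == "__main__":
    for pkg, rating in sorted(audit(SAMPLE).items()):
        print(f"{pkg}: {rating}")
```

A rating describes what an app is able to do on an affected handset, not what it does; it is a way to shortlist apps for review until the HTC update is installed.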
HTC does not need more headaches right now, having already suffered a major setback in its fight against Apple, which successfully persuaded the US ITC to block the import of HTC phones that use a data-tapping patent, writes Mark Hachman for PC Mag.
That patent allows users viewing a web page with a phone number embedded in it to tap that number and dial it via the dialing application. HTC said it would remove that feature from all of its phones.
Late last year, an update to several Android-based HTC devices resulted in the installation of tools that could collect a vast amount of personal data without permission. HTC and the carriers eventually rolled out a fix.