HTC Android phones can leak Wi-Fi passwords
- 02 February, 2012 07:19
- Comments
A group of HTC Android phones is susceptible to an exploit that can steal Wi-Fi credentials and passwords and send them to attackers.
The exploit relies on attackers creating rogue applications to take advantage of vulnerabilities in the Android build HTC uses on some of its phones, according to a post by the United States Computer Emergency Readiness Team (US-CERT).
Users with affected phones should go to HTC's support site for software updates, US-CERT says.
TIPS: Tricks for upgrading your Android phone
The affected Android builds expose 802.1X passwords to applications on the phones that have permission to access the Wi-Fi state of the phone. The flaw doesn't allow access to the 802.1X settings themselves, it does allow viewing Wi-Fi credentials, according to a description of the flaw at the My War With Entropy blog by Bret Jordan.
So an application could gain access to stored SSIDs of Wi-Fi networks, user names and passwords. If the application also has Internet-access privileges, it could send along the stolen credentials to attackers.
If the stolen credentials are for corporate networks, they could be used to target data on those business networks, Jordan writes.
According to US-CERT, affected phones are:
- Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
- Glacier - Version FRG83
- Droid Incredible - Version FRF91
- Thunderbolt 4G - Version FRG83D
- Sensation Z710e - Version GRI40
- Sensation 4G - Version GRI40
- Desire S - Version GRI40
- EVO 3D - Version GRI40
- EVO 4G - Version GRI40
HTC and Google were told about the flaw last September and have been working to fix the problem and arrange for public disclosure. Jordan describes the companies as responsive and good to work with.
Read more about wide area network in Network World's Wide Area Network section.
- Bookmark this page
- Share this article
- Got more on this story? Email TechWorld
- Follow TechWorld on twitter
- HTC, Nokia to offer first LTE Windows Phones on AT&T
- More Android users take phones into bathroom than do iPhone, BlackBerry users
- 8 useful Google Android resources
- US-CERT Vulnerability Note VU#763355 - 802.1X password exploit on many HTC Android devices
- HTC Help Center
- Tips and tricks for upgrading your Android phone
- My War with Entropy: 802.1X password exploit on many HTC Android devices
- LAN & WAN Research Center - Network World
- Advanced Malware Exposed - How advanced malware, zero-day and targeted APT attacks are evading today's network defences
- Email Encryption/Decryption and Signing integrated into a comprehensive content security solution
- Government Communications 2.0
- The Need for DLP (data leak prevention) now
- HP VirtualSystem VS1 for VMware - Virtualised environments made faster and easier
-
CSIRO develops hands-free technology for mining repairs
-
Broadband Forum to improve IPTV performance with new spec
-
Amazon Web Services moves backups to cloud with new appliance
-
Callforfree.net.au offers free calls to 70 countries
-
Intel ponders solar-powered CPU tech in graphics, memory
-
Office 2007 for Dummies
-
MYOB Software for Dummies 6E Australian Edition
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Teach Yourself Visually Windows 7
-
Office 2007 All-In-One Desk Reference for Dummies
-
Windows 7 for Seniors for Dummies®
-
Windows 7 for Dummies® Dvd+book Bundle
-
Windows 7 for Dummies®
-
Computers for Seniors for Dummies, 2nd Edition
Comments
Post new comment