Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

HTC Android phones can leak Wi-Fi passwords

Software updates available to counter problem

A group of HTC Android phones is susceptible to an exploit that can steal Wi-Fi credentials and passwords and send them to attackers.

The exploit relies on attackers creating rogue applications to take advantage of vulnerabilities in the Android build HTC uses on some of its phones, according to a post by the United States Computer Emergency Readiness Team (US-CERT).

Users with affected phones should go to HTC's support site for software updates, US-CERT says.

TIPS: Tricks for upgrading your Android phone 

The affected Android builds expose 802.1X passwords to applications on the phones that have permission to access the Wi-Fi state of the phone. The flaw doesn't allow access to the 802.1X settings themselves, it does allow viewing Wi-Fi credentials, according to a description of the flaw at the My War With Entropy blog by Bret Jordan.

So an application could gain access to stored SSIDs of Wi-Fi networks, user names and passwords. If the application also has Internet-access privileges, it could send along the stolen credentials to attackers.

If the stolen credentials are for corporate networks, they could be used to target data on those business networks, Jordan writes.

According to US-CERT, affected phones are:

  • Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
  • Glacier - Version FRG83
  • Droid Incredible - Version FRF91
  • Thunderbolt 4G - Version FRG83D
  • Sensation Z710e - Version GRI40
  • Sensation 4G - Version GRI40
  • Desire S - Version GRI40
  • EVO 3D - Version GRI40
  • EVO 4G - Version GRI40

HTC and Google were told about the flaw last September and have been working to fix the problem and arrange for public disclosure. Jordan describes the companies as responsive and good to work with.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: BlackBerry, CERT, G8, Google, HTC, IPS, LAN, Nokia
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: 802.1X, Android, android malware, consumer electronics, htc, networking, security, smartphones, wi-fi, wireless, WLANs / Wi-Fi
Latest Blog Posts
Whitepapers
  • Optimizing Storage and Protecting Data with Oracle Database 11g
    This paper focuses on key Oracle Database 11g capabilities that help IT departments better optimise their storage infrastructure, enabling administrators to deliver a cost-effective, scalable data management platform that is easy to manage, reduces costs, and protects data while continuing to deliver the performance and availability that today’s businesses require.
    Learn more »
  • Oracle SOA vs. IBM SOA - Customer Perspectives on Evaluating Complexity and Business Value
    The Service-Oriented Architecture (SOA) model has become the cornerstone of business computing. Its ability to greatly accelerate the development of business-critical applications promotes business agility, decreases time-to-value and total cost of ownership (TCO), and greatly increases the efficiency and strategic value of IT. SOA implementations tend to be complex, IT decision makers should carefully consider their choice of a SOA platform in terms of its ability to simplify the fundamental development, deployment, and management tasks involved. Read on.
    Learn more »
  • Best practices for implementing 2048-bit SSL
    Secure sockets layer (SSL) technology continues to be essential to the growth of the web. With unabated increases in ecommerce traffic along with transmission of personal information, SSL is no longer just a nice to have capability; it is an absolute necessity. The requirement to protect information is further heightened by the universal availability of easy-touse hacking tools such as Firesheep. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.