The folks at HTC were very forthcoming recently. Apparently, one of their own engineers found a security vulnerability that has been inherent in most HTC Android devices for quite some time. The company is working on a fix, but also wanted to share it with the community. It shouldn't be surprising that they did, as it is their responsibility, but it is refreshing, nonetheless, that they are trying to deal with it publicly by giving full disclosure.
The problem could allow applications with just an ACCESS_WIFI_STATE permission to read your Wi-Fi SSIDs, usernames, and, even passwords. The vulnerability was found on at least the following devices, but could be on more:
- Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
- Glacier - Version FRG83
- Droid Incredible - Version FRF91
- Thunderbolt 4G - Version FRG83D
- Sensation Z710e - Version GRI40
- Sensation 4G - Version GRI40
- Desire S - Version GRI40
- EVO 3D - Version GRI40
- EVO 4G - Version GRI40
They have actually been working hand in hand with Google to fix the issue for the last few months, and already have a fix for it. In fact, many of the devices already received the fix through an OTA update. The company wanted to make sure to comply with the ethics of full disclosure, so they shared the following info:
Timeline
- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure ? postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure ? postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google
WiFi security fix
HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades.However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.
It's interesting to note that this security vulnerability probably wouldn't have existed had HTC simply put a stock version of Android on their phones. I understand the desire of the various OEMs to differentiate their products from the competition by making them "seem" different with custom UI's; however, this is another case which clearly indicates it would better serve these companies and their consumers to stick to as close to a stock Android experience as possible.
Source:
AndroidPolice
