A serious vulnerability that affected the way some popular HTC Android phones handle 802.1x usernames, passwords, and SSIDs was disclosed publicly today by engineers Chris Hessing and Bret Jordan. The bug allowed applications with only an ACCESS_WIFI_STATE permission to read your Wi-Fi SSIDs, usernames, and, most importantly, passwords on at least the following devices:

  • Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
  • Glacier - Version FRG83
  • Droid Incredible - Version FRF91
  • Thunderbolt 4G - Version FRG83D
  • Sensation Z710e - Version GRI40
  • Sensation 4G - Version GRI40
  • Desire S - Version GRI40
  • EVO 3D - Version GRI40
  • EVO 4G - Version GRI40

Of course, if a malicious application also happens to have access to the Internet, SMS, or other means of sending out information, credentials could leak out from a vulnerable device to a remote location.
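To see which installed apps hold the permission combination described above, here is a small triage sketch. It is an added example, not code from the disclosure or from HTC. It assumes each app's AndroidManifest.xml has already been decoded to text XML (for example with apktool), and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
# Outbound channels the article names explicitly; "other means" are not covered.
CHANNELS = {
    "android.permission.INTERNET": "Internet",
    "android.permission.SEND_SMS": "SMS",
}

def parse_manifest(xml_text):
    """Return (package, set of requested permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {
        el.get(ANDROID_NS + "name", "").strip()
        for el in root.iter("uses-permission")
    }
    perms.discard("")
    return root.get("package", "<unknown>"), perms

def triage(manifests):
    """Map each package holding ACCESS_WIFI_STATE to its named outbound channels.

    An empty list means neither INTERNET nor SEND_SMS was requested.
    Packages without ACCESS_WIFI_STATE are omitted.
    """
    findings = {}
    for xml_text in manifests:
        package, perms = parse_manifest(xml_text)
        if WIFI_STATE in perms:
            findings[package] = sorted(CHANNELS[p] for p in perms if p in CHANNELS)
    return findings

def _manifest(package, *perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}">{uses}<application/></manifest>'
    )

SAMPLE_MANIFESTS = [
    _manifest("com.example.flashlight", "ACCESS_WIFI_STATE", "INTERNET"),
    _manifest("com.example.notes", "INTERNET"),
    _manifest("com.example.wifiwidget", "ACCESS_WIFI_STATE"),
    _manifest("com.example.backup", "SEND_SMS", "ACCESS_WIFI_STATE", "INTERNET"),
]

if __name__ == "__main__":
    for package, channels in triage(SAMPLE_MANIFESTS).items():
        print(package, "->", ", ".join(channels) or "no named channel requested")
```

An empty channel list only means the app did not request INTERNET or SEND_SMS; on a vulnerable build it could still read the credentials.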

Before you freak out, however, know that the vulnerability was reported in private to both Google and HTC, who were then given ample time (over 4 months) to not only come up with fixes, but also roll them out to devices. Additionally, Google performed a full scan of all applications in the Market and found none that exploited this specific vulnerability.

- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure - postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure - postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google

Of course, it doesn't mean that every affected device is now sporting an updated build, as not everyone keeps up with the latest OTAs, and not every device is apparently capable of receiving one. In anticipation of these concerns, HTC published the following statement a day ahead of the public disclosure:

WiFi security fix

HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.

Combined with the massive vulnerability within HTC's logging software reported last year, one thing is obvious - pure Android is more secure than one with various OEM modifications we don't necessarily need or want (more code = more potential bugs). The perfect balance is hard to strike, as we all know, and while I completely understand the need for differentiation, issues like these will make such convincing harder to do. Add another vote for the Nexus line from me.

Source: MyWarWithEntropy, VU#763355, image via rgbfilter.com, thanks Justin!

Artem Russakovskii

  • Simon Belmont

    Yep. This really should be fixed and it's long been a problem and not just with Wi-Fi credentials.

    Just last week I read about it on a few forums. I checked my Sprint HTC Hero, in the right place using a root access file explorer and found the file that contains the information outlined in this article. It's there in plain text. I also noticed that the stock IM client stores the user name and password in plain text on the Sprint HTC Hero as well.

    • Simon Belmont

      Okay, what I stated above is a slightly different scenario than what the article mentions. However, what I said is true.

      The Sprint HTC Hero DOES store that information in plain text in the files that I found. If you aren't rooted this is not a huge deal, but a root app could potentially grab that information. I am not sure if this problem exists in newer handsets. If it does, it should be fixed.

  • Big Jim

    Can anyone confirm that this is a Sense (or at least HTC's ROM) bug, and that those of us running CM7 are not affected?

  • tommy

    yep this is a sense issue

  • HctrDvd

    Hi! I have an HTC Sensation 4G. How do I know if I receive the fix update?

  • HctrDvd

    Hi again! Where can I find the version of my HTC Sensation 4G?

  • elias

    more poor code = definitely more bugs
    OEMs should stop this shit altogether. "Differentiation" became a synonym for bugs, exploits, crapware and sluggish interfaces