A serious vulnerability that affected the way some popular HTC Android phones handle 802.1X usernames, passwords, and SSIDs was disclosed publicly today by engineers Chris Hessing and Bret Jordan. The bug allowed applications with only an ACCESS_WIFI_STATE permission to read your Wi-Fi SSIDs, usernames, and, most importantly, passwords on at least the following devices:

  • Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
  • Glacier - Version FRG83
  • Droid Incredible - Version FRF91
  • Thunderbolt 4G - Version FRG83D
  • Sensation Z710e - Version GRI40
  • Sensation 4G - Version GRI40
  • Desire S - Version GRI40
  • EVO 3D - Version GRI40
  • EVO 4G - Version GRI40

Of course, if a malicious application also happens to have access to the Internet, SMS, or other means of sending out information, credentials could leak out from a vulnerable device to a remote location.

Before you freak out, however, know that the vulnerability was reported in private to both Google and HTC, who were then given ample time (over 4 months) to not only come up with fixes, but also roll them out to devices. Additionally, Google performed a full scan of all applications in the Market and found none that exploited this specific vulnerability.
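The permission pairing described above (ACCESS_WIFI_STATE plus an outbound channel such as Internet or SMS) can be triaged from decoded AndroidManifest.xml files. This is an added example, not code from the article, the researchers, Google or HTC; it assumes the manifests have already been decoded to text XML, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
# Outbound channels the article names explicitly: Internet and SMS.
OUTBOUND = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

def requested_permissions(manifest_xml):
    """Return (package, set of requested permission names) for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name", "").strip()
             for el in root.iter("uses-permission")}
    perms.discard("")
    return root.get("package", "<unknown>"), perms

def triage(manifests):
    """Flag packages that can read Wi-Fi state AND have a way to send data out."""
    findings, unparsed = [], 0
    for xml_text in manifests:
        try:
            package, perms = requested_permissions(xml_text)
        except ET.ParseError:
            unparsed += 1  # still binary or truncated: count it, do not skip silently
            continue
        channels = sorted(perms & OUTBOUND)
        if WIFI_STATE in perms and channels:
            findings.append((package, channels))
    return sorted(findings), unparsed

def _manifest(package, *perms):  # builds constructed sample input
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}</manifest>')

# Constructed samples; package names are hypothetical.
SAMPLES = [
    _manifest("com.example.flashlight", "ACCESS_WIFI_STATE", "INTERNET"),
    _manifest("com.example.messenger", "ACCESS_WIFI_STATE", "SEND_SMS", "INTERNET"),
    _manifest("com.example.wifiwidget", "ACCESS_WIFI_STATE"),
    _manifest("com.example.reader", "INTERNET"),
    "<manifest package=",  # truncated file
]

if __name__ == "__main__":
    flagged, bad = triage(SAMPLES)
    for package, channels in flagged:
        print(package, "->", ", ".join(channels))
    print("unparsed manifests:", bad)
```

Many benign apps request this pairing, so the output is a review list for devices still on an affected build, not a verdict. Python's standard XML parser is not hardened against hostile input, so decode and parse untrusted manifests in a sandbox.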

Timeline
- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure - postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure - postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google

Of course, it doesn't mean that every affected device is now sporting an updated build, as not everyone keeps up with the latest OTAs, and not every device is apparently capable of receiving one. In anticipation of these concerns, HTC published the following statement a day ahead of the public disclosure:

WiFi security fix

HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.

Combined with the massive vulnerability within HTC's logging software reported last year, one thing is obvious - pure Android is more secure than one with various OEM modifications we don't necessarily need or want (more code = more potential bugs). The perfect balance is hard to strike, as we all know, and while I completely understand the need for differentiation, issues like these will make such convincing harder to do. Add another vote for the Nexus line from me.

Source: MyWarWithEntropy, VU#763355, image via rgbfilter.com, thanks Justin!