Researchers have discovered a serious data leak on HTC's Android smartphones because of problems in how information is logged and stored.
Due to a flaw in how HTC
devices log application data, any application that requests permission to get
Internet access can read various phone data such as call and Short Message Service
logs and a list of all user accounts saved, researchers found.
The modifications HTC made
in a version of the Android mobile operating system running on select devices
included an HTClogger application used for debugging and troubleshooting,
researchers at Android application enthusiast blog AndroidPolice
reported Oct. 1. According to the report, all the information collected by
HTCLogger is unsecured and accessible to any application installed on the
device that accesses the Internet.
Affected devices include
those with the "Sense" firmware installed, such as HTC EVO 3D, EVO
4G, ThunderBolt, MyTouch 4G Slide and Sensation, according to AndroidPolice.
A proof of concept is
available on the AndroidPolice
and users are encouraged to download it to see if their devices are affected.
"Theoretically, it may
be possible to clone a device using only a small subset of the information
leaked here," Artem Russakovskii, the blog's founder, wrote on AndroidPolice.
researchers were careful to point out the problem wasn't with Android,
but in the way HTC set up the logging suite. "It's like leaving your keys
under the mat and expecting nobody who finds them to unlock the door,"
claimed to have alerted HTC Sept. 24 to the issue but received
"no real response" from the phone manufacturer for five business days.
As a result, the researchers decided to make the information public to
"make things move a whole lot faster," Russakovskii wrote. Trevor
Eckhart, who found the vulnerability, publicized the findings Sept. 30.
In a recent update to some
of its devices, HTC introduced a suite of logging tools, which collected a lot
of information, such as the list of user accounts, including email addresses
and sync status for each, last known network and GPS locations, a limited
history of previous locations, phone numbers stored in the phone log, SMS data
and system logs.
The suite does not protect
the generated log file, making it trivial for an application to easily read the
information. It's not clear what the purpose of the logs is, but it may be for
debugging and troubleshooting purposes.
Other pieces of data, such
as active alerts in the notification bar, network information including the IP
address, running processes and list of installed applications, could also be
potentially leaked, according to Russakovskii.
"They expose such
ridiculously frivolous doings, [for] which HTC has no one else to blame but
itself," Russakovskii wrote.
Eckhart, Russakovskii and
Justin Case also uncovered the AndroidVNCServer application in the HTC suite.
The application appears to install a remote-access server by default, but is
turned off by default. However, researchers were concerned that the presence of
a remote-access server on the device opened up the possibility of a remote
attacker potentially getting access to the phone.
According to AndroidPolice,
there's not much users
with affected HTC devices can do beyond rooting the device to remove the
HTCLoggers application. Users can install custom firmware such as CyanogenMod
after rooting, or keep the original firmware in hopes HTC would fix the problem
and issue a new update.
HTC is supposedly looking
into the issue, although the company has not yet issued a statement.