HTC's Help page advised users of the issue, which can be resolved through an automatic software upgrade, though some users will have to update manually.
Smartphone manufacturer HTC
admitted several of its phones running Google's Android operating system have a
security flaw that allows hackers or an application to view and access WiFi
security information. The affected phones include the Desire HD, the Glacier,
the Droid Incredible, the ThunderBolt, the Sensation, the Sensation 4G, the
Desire S, the EVO 3D and the EVO 4G.
This week, the company
posted a message on the Help page of its Website to inform affected users,
although the company has known about the issue since September 2011 and was
working with Chris Hessing, a senior engineer with Cloudpath Networks and Bret
Jordan, a senior security architect with Open1X Group to provide a fix for the
security flaw, which was labeled "critical" in a blog post from Jordan.
"Certain HTC builds of
Android can expose the user's 802.1X WiFi credentials to any program with basic
WiFi permissions," the post
states. "When this is paired with the Internet access permissions, which most
applications have, an application could easily send all stored WiFi network
credentials (user names, passwords, and SSID [Service Set Identifier] information)
to a remote server. This exploit exposes enterprise-privileged credentials in a
manner that allows targeted exploitation."
HTC's Help page advised
users of the issue, which can be resolved through an automatic software
upgrade, though some users will have to upgrade manually. The blog states
Google has done a code scan of every application currently in the Android
Market, and there are no applications currently exploiting this vulnerability.
"HTC has developed a
fix for a small WiFi issue affecting some HTC phones. Most phones have received
this fix already through regular updates and upgrades," read the statement.
"However, some phones will need to have the fix manually loaded. Please check
back next week for more information about this fix and a manual download if you
need to update your phone."
The National Cyber Security
Alliance (NCSA), a nonprofit public-private partnership focused on cyber-security
awareness, recently released the results of a survey of consumer attitudes and
behaviors toward mobile privacy and security. When it comes to specific
security threats, every potential threat evoked concern, but 78 percent of
smartphone users are particularly concerned about their lost or stolen phone
falling into the wrong hands and its contents being misused. Users were most
concerned about losing their password data (67 percent), but would be most
willing to add security to protect the banking and other financial data on
Mobile threats exploded in
2011, according to an October report from IBM. Of the 24 mobile operating system
vulnerabilities seen in the first half of 2011, at least half involved
easy-to-exploit security holes that allowed attackers to launch arbitrary code
execution attacks on the target device. Almost all the flaws involved client
software remote-code-execution vulnerabilities that exposed users to
drive-by-download attacks from malicious Websites, the report found.
Nathan Eddy is Associate Editor, Midmarket, at eWEEK.com. Before joining eWEEK.com, Nate was a writer with ChannelWeb and he served as an editor at FierceMarkets. He is a graduate of the Medill School of Journalism at Northwestern University.