HTC Working on fix for WiFi Vulnerability They Found and Shared Themselves

dgstorm

The folks at HTC were very forthcoming recently. Apparently, one of their own engineers found a security vulnerability that has been inherent in most HTC Android devices for quite some time. The company is working on a fix, but also wanted to share it with the community. It shouldn't be surprising that they did, as it is their responsibility, but it is refreshing, nonetheless, that they are trying to deal with it publicly by giving full disclosure.

The problem could allow applications with just an ACCESS_WIFI_STATE permission to read your Wi-Fi SSIDs, usernames, and even passwords. The vulnerability was found on at least the following devices, but could be on more:
  • Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
  • Glacier - Version FRG83
  • Droid Incredible - Version FRF91
  • Thunderbolt 4G - Version FRG83D
  • Sensation Z710e - Version GRI40
  • Sensation 4G - Version GRI40
  • Desire S - Version GRI40
  • EVO 3D - Version GRI40
  • EVO 4G - Version GRI40
They have actually been working hand in hand with Google to fix the issue for the last few months, and already have a fix for it. In fact, many of the devices already received the fix through an OTA update. The company wanted to make sure to comply with the ethics of full disclosure, so they shared the following info:
Timeline
- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure - postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure - postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google

WiFi security fix

HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.

It's interesting to note that this security vulnerability probably wouldn't have existed had HTC simply put a stock version of Android on their phones. I understand the desire of the various OEMs to differentiate their products from the competition by making them "seem" different with custom UIs; however, this is another case which clearly indicates it would better serve these companies and their consumers to stick to as close to a stock Android experience as possible.

Source: AndroidPolice
 
If they didn't report it, and a consumer/hacker figured it out, they would have a much worse PR problem. It's always best to come out and tell 'em something's wrong and you're working on a fix, than try to keep it quiet and hope some random consumer doesn't light up the internet with how much of a security vulnerability it is and blow it out of proportion.

Lucky for me, I hardly ever turn on WiFi on my tbolt, this issue doesn't bother me too much.
 
Can somebody confirm that the Thunderbolt is still supported by HTC, because under their help link I didn't see it listed after checking the entire HTC lineup twice.
 
Can somebody confirm that the Thunderbolt is still supported by HTC, because under their help link I didn't see it listed after checking the entire HTC lineup twice.
I suspect htc.com isn't supporting the U.S. at all. I tried to sign up for news notifications on the site. The signup form requires selecting your region. U.S. is NOT listed.
 