Android Powered HTC Phones Can Leak Wi-Fi Passwords
(picture from GadgetSteria)
Whoops! Now this isn't very cool, especially considering that I personally own an HTC Sensation! According to reports, and now a direct confirmation from HTC, specific HTC phones are susceptible to an exploit that can steal Wi-Fi credentails and passwords, and send them to hackers.
Well poo. Apparently, this exploit depends on attackers creating rogue applications that take advantage of holes in the Android build that HTC uses on many of its devices. Security researcher Breta Jordan stated that the flaw doesn't allow access to the 802.1X settings themselves, but does allow viewing Wi-Fi credentials, which basically means that an app could get access to SSIDs of Wifi networks, along with user names and passwords.
So far, the affected phones are as follows:
• Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
• Glacier - Version FRG83
• Droid Incredible - Version FRF91
• Thunderbolt 4G - Version FRG83D
• Sensation Z710e - Version GRI40
• Sensation 4G - Version GRI40
• Desire S - Version GRI40
• EVO 3D - Version GRI40
• EVO 4G - Version GRI40
Jordan goes on to say that Google and HTC were told about the flaw in September, and are working on a fix together. He also went on to say that both companies are taking the issue seriously and are very responsive.
HTC's official statement regarding the issue was:
"HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone“.
It's good to see that the issue is being addressed. But just to be on the safe side, if your using any of the affected phones, it might be a good idea to change your Wi-Fi password. If your running one of the affected phones, you should head over to HTC's support site for software updates.