A new security vulnerability on select HTC smartphones is capable of leaking Wi-Fi credentials and SSID details to any application that has basic wireless permissions. The vulnerability was first publically noted yesterday by the U.S. Computer Emergency Readiness Team (US-CERT) despite being discovered by Chris Hessing, a senior engineer for CloudPath Networks, back in September.
Phones that are affected include:
- Desire HD (both "Ace" and "Spade" board revisions) - Versions FRG83D, GRI40
- Glacier - Version FRG83
- Droid Incredible - Version FRF91
- Thunderbolt 4G - Version FRG83D
- Sensation Z710e - Version GRI40
- Sensation 4G - Version GRI40
- Desire S - Version GRI40
- EVO 3D - Version GRI40
- EVO 4G - Version GRI40
HTC is already working on the problem and says that most of the affected phones have been patched as part of a regular update. Some phones, however, will need to have the patch installed manually. A notice on the company's website suggests that users check back next week for more information about the fix and the manual download if you need to update your phone.
Perhaps most disturbing is the fact that it took nearly four months from the time of discovery until the exploit was publically disclosed / partially patched. According to the timeline on Bret Jordan's blog, HTC Global and Google were first made aware of the issue on September 7, 2011. Perhaps this is standard protocol and there isn't much to worry about if the issue isn't publically known.
"Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phone and side-loads for all non-supported phone," noted Jordan. Additionally, Jordan says that Google has scanned all apps in the Android Market and discovered no applications exploiting it.