search menu icon-carat-right cmu-wordmark

CERT Coordination Center


802.1X password exploit on many HTC Android devices

Vulnerability Note VU#763355

Original Release Date: 2012-02-01 | Last Revised: 2012-02-01

Overview

A user's 802.1X WiFi credentials and SSID information may be exposed to any application with basic WiFi permissions on certain HTC builds of Android.

Description

Any Android application on an affected HTC build with the android.permission.ACCESS_WIFI_STATE permission can use the .toString() member of the WifiConfiguration class to view all 802.1X credentials and SSID information. If the same application also has the android.permission.INTERNET permission then that application can harvest the credentials and exfiltrate them to a server on the Internet.

The following devices have been reported as affected:

    • Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
    • Glacier - Version FRG83
    • Droid Incredible - Version FRF91
    • Thunderbolt 4G - Version FRG83D
    • Sensation Z710e - Version GRI40
    • Sensation 4G - Version GRI40
    • Desire S - Version GRI40
    • EVO 3D - Version GRI40
    • EVO 4G - Version GRI40

The following devices have been reported as not affected:
    • myTouch3g
    • Nexus One
Additional details can be found in Bret Jordan's blog post.

Impact

An attacker may be able to view and exfiltrate WiFi SSID information and credentials.

Solution

Apply an Update
Users with an affected HTC phone should visit the HTC support site for instructions on how to update their phone. In some cases, the update will be automatically delivered to the phone.

Vendor Information

763355
Expand all

HTC

Updated:  February 01, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

31 January 2012

HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.

Vendor References

http://www.htc.com/www/help/

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Chris Hessing and Bret Jordan for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-4872
Severity Metric: 1.23
Date Public: 2012-02-01
Date First Published: 2012-02-01
Date Last Updated: 2012-02-01 15:49 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.