
TMCnet Feature

February 07, 2012

HTC Sends Over-the-Air Update to Fix Wi-Fi Security Flaw

By Beecher Tuttle, TMCnet Contributor

HTC has acknowledged that a security flaw exists in a variety of Android handsets that leaves users' Wi-Fi credentials available to any interested hacker.


The company admitted to the vulnerability last week and has said that most handsets have already been remedied through over-the-air updates. However, some phones will need to be fixed manually, leaving a number of users out in the cold until HTC rolls out a manual download later this week.

Adding to user frustration is this interesting little nugget: the bug was first discovered in September of 2011 by researchers Chris Hessing and Bret Jordan, who immediately made HTC aware of the situation. The researchers have been in contact with HTC and Google over the past five months and, to the credit of both companies, said that they were both “very responsive and good to work with on this issue.”

HTC released a statement saying that it kept quiet on the issue for the past few months to “protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected.”

Still, five months is a long time; the “minor” issue could have been fairly major if hackers had gotten wind of the flaw. Hessing and Jordan said that any application with basic Wi-Fi permissions could access a user's Wi-Fi credentials – including user names, passwords, and SSID information – and send them to a remote server.

“This exploit exposes enterprise-privileged credentials in a manner that allows targeted exploitation,” they noted in a blog post.

However, the researchers said that Google completed a code scan of every application in the Android Market and found no applications with the potential to exploit this vulnerability.

The two confirmed that the following devices contain the security flaw, although they admit that other models, including some non-HTC handsets, could be vulnerable.
 

  • Desire HD (both “ace” and “spade” board revisions) - Versions FRG83D, GRI40
  • Glacier - Version FRG83
  • Droid Incredible - Version FRF91
  • Thunderbolt 4G - Version FRG83D
  • Sensation Z710e - Version GRI40
  • Sensation 4G - Version GRI40
  • EVO 3D - Version GRI40
  • EVO 4G - Version GRI40


If you are using one of these devices and haven't received an update, it's probably best to turn off your Wi-Fi or at least refrain from downloading any third-party apps. 



Beecher Tuttle is a TMCnet contributor. He has extensive experience writing and editing for print publications and online news websites. He has specialized in a variety of industries, including health care technology, politics and education.

Edited by Jennifer Russell
