This leads us to the point of this article. It seems that some HTC phones leave your 802.1X Passwords and SSID information exposed. The flaw is not in all phones, but appears to be in certain builds of these phones (which makes us suspect the actual WiFi radios in combination with the software). What happens is that a WiFi enabled device can exploit an applications Internet connectivity to send commands to the affected phone. This causes a dump of the WiFi information to be sent to a remote server. The information sent can include enterprise level authentication data. We do not have confirmation if this exploit allows offloading of security certificates (many enterprise class networks use a combination of device certificates and password authentication), but this would be a serious concern if it does.

HTC does have a fix that patches the WiFi exploit which is a simple update to the phone. Although they do claim that most phones have already received the update, they also state that some phones will need manual updating. The problem is that they do not list what phones these are and do not have the manual patch ready for download and installation. We do have a very simple solution though, turn off WiFi when not needed or simply do not use the WiFi on your phone.  

The list of confirmed HTC phones is show below as found on Bret Jordan’s blog. Bret also warns that other HTC and non-HTC phones could be affected depending on what version of Android they are using.

Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
Glacier - Version FRG83
Droid Incredible - Version FRF91
Thunderbolt 4G - Version FRG83D
Sensation Z710e - Version GRI40
Sensation 4G - Version GRI40
Desire S - Version GRI40
EVO 3D - Version GRI40
EVO 4G - Version GRI40

We hope that HTC releases the manual patch soon and that other manufacturers begin to check their phones to ensure they are not affects as well.

Source US-CERT and Bret Jordan’s Blog My War With Entropy

Discuss this in our Forum