What is up with smartphones and their knack for having so many vulnerabilities just waiting to be exploited?
HTC is the latest smartphone maker to acknowledge a vulnerability in their software that allows a user’s Wi-Fi password and SSID to to be stolen by a malicious application runnning on the phone according to Bret Jordan’s blog that first revealed the issue.
Thankfully, HTC has rolled out an update to several phones. Some phones, however, will need to be manually updated. HTC promises more details on the update next week according to PC Mag.
Chris Hessing and Bret Jordan were the first to report the vulnerability to CERT. The CERT Web site describes the vulnerability as such:
Any Android application on an affected HTC build with the android.permission.ACCESS_WIFI_STATE permission can use the .toString() member of theWifiConfiguration class to view all 802.1X credentials and SSID information. If the same application also has the android.permission.INTERNETpermission then that application can harvest the credentials and exfiltrate them to a server on the Internet.
The vulnerability affects only a certain number of HTC phones including the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation Z710e, Sensation 4G, Desire S, EVO 3D and EVO 4G. The MyTouch 3G and Nexus One are not affected.
If your phone is one of those listed above, you can download an update starting next week from the HTC help page.
HTC just can’t seem to catch a break. We reported last December that HTC had many of their phones banned from being sold in the U.S. after a successful patent lawsuit from Apple. HTC had to remove the offending feature from all of their phones.
Once again, these kind of problems will always come up with smartphones as they move towards being more computer-like. People will attempt to exploit their weaknesses while manufacturers will attempt to patch them as they come up. Just remember to be smart and safe with your smartphones by not storing a lot of personal information, like Wi-Fi passwords, on them.