802.1X password exploit on many HTC Android devices

Please read carefully:

There is an issue in certain HTC builds of Android that can expose the
user’s 802.1X Wi-Fi credentials to any program with basic Wi-Fi
permissions. When this is paired with the Internet access
permission, which most applications have, an application could easily
send all stored Wi-Fi network credentials (user names, passwords, and
SSID information) to a remote server. This exploit exposes
enterprise-privileged credentials in a manner that allows targeted
exploitation.

Severity: Critical

Device Vendor : HTC

Confirmed Devices with vulnerability:

Desire HD (both “ace” and “spade” board revisions) – Versions FRG83D, GRI40
Glacier – Version FRG83
Droid Incredible – Version FRF91
Thunderbolt 4G – Version FRG83D
Sensation Z710e – Version GRI40
Sensation 4G – Version GRI40
Desire S – Version GRI40
EVO 3D – Version GRI40
EVO 4G – Version GRI40

Vulnerability Details:

There is an issue in certain HTC builds of Android that can expose the
user’s 802.1X password to any program with the
“android.permission.ACCESS_WIFI_STATE” permission. When paired with
the “android.permission.INTERNET” permission, an app could easily send
user names and passwords to a remote server for collection. In
addition, if the SSID is an identifiable SSID (“Sample University” or
“Enterprise XYZ”), this issue exposes enterprise-privileged
credentials in a manner that allows targeted exploitation.

Although the published Android APIs don’t provide access to the 802.1X
settings, it is possible to view them through the toString()
method of the WifiConfiguration class. The resulting output will look
something like this:

* ID: 2 SSID: “ct” BSSID: null PRIO: 16
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: PEAP
phase2: auth=MSCHAPV2
identity: [Your User Name]
anonymous_identity:
password:
client_cert:
private_key:
ca_cert: keystore://CACERT_ct

On most Android devices, the password field is either left blank, or
simply populated with a “*” to indicate that a password is present.
However, on affected HTC devices, the password field contains the
actual user password in clear text.

This is sample output from a Sprint EVO running Android 2.3.3:
* ID: 0 SSID: “wpa2eap” BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: TTLS
phase2: auth=PAP
identity: test
anonymous_identity:
password: test
client_cert:
private_key:
ca_cert: keystore://CACERT_wpa2eap
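The following is an added illustration, not code from the advisory or from HTC: a small audit routine that parses dumps in the WifiConfiguration.toString() format shown above and reports whether the password field is blank, masked with “*”, or present in clear text (the affected-HTC case), without ever returning the password itself. The dump below is constructed to mirror the EVO sample, and the masked variant is derived from it.

```python
import re

# Constructed WifiConfiguration.toString() dump modelled on the advisory's
# EVO sample. On an affected HTC build the password field carries the
# clear-text value; other builds leave it blank or print a single "*".
DUMP_AFFECTED = """\
* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: TTLS
phase2: auth=PAP
identity: test
anonymous_identity:
password: test
client_cert:
private_key:
ca_cert: keystore://CACERT_wpa2eap
"""
# The same configuration as an unaffected build would print it (masked).
DUMP_MASKED = DUMP_AFFECTED.replace("password: test", "password: *")

# Header line: '* ID: <n> SSID: "<ssid>" BSSID: ... PRIO: ...'
HEADER = re.compile(r'^\* ID: (?P<id>\d+) SSID: "?(?P<ssid>[^"]*)"? ')

def parse_dump(text):
    """Split one toString() dump into a {field: value} dict.
    Lines are split on the first ':' only, so values such as
    'keystore://CACERT_wpa2eap' survive intact; the combined
    'KeyMgmt: ... Protocols: ...' line is kept as one value."""
    fields = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            fields["id"], fields["ssid"] = int(m["id"]), m["ssid"]
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_config(text):
    """Classify the password field of one dump as blank, masked or
    exposed. Only the classification is returned, never the password."""
    f = parse_dump(text)
    keymgmt = f.get("KeyMgmt", "")
    enterprise = "WPA_EAP" in keymgmt or "IEEE8021X" in keymgmt
    pw = f.get("password", "")
    status = "blank" if pw == "" else "masked" if pw == "*" else "exposed"
    return {"ssid": f.get("ssid"), "enterprise": enterprise,
            "eap": f.get("eap"), "identity": f.get("identity"),
            "password_status": status}
```

Run over every configured network on a device, an "exposed" result for any enterprise (WPA_EAP/IEEE8021X) entry is the signature of an affected build and a reason to apply the HTC update and rotate the affected credential.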

Updates and more help can be found here:

Google has made changes to the Android code to better
protect the credential store, and HTC has released updates for all
currently supported phones and side-loads for all non-supported phones.
Customers with affected versions can find information from HTC about
updating their phone at: http://www.htc.com/www/help/

Google has also done a code scan of every application currently in the
Android Market and there are no applications currently exploiting this
vulnerability.

Additional Contacts and Credit:

Credit: Chris Hessing from The Open1X Group (http://www.open1x.org) who is
currently working on Android, iOS, Windows, Mac OSX, and Linux 802.1X
tools for Cloudpath Networks (http://www.cloudpath.net/) discovered
this password exploit.

Contacts:

Chris Hessing
Senior Engineer, Cloudpath Networks (chris.hessing@cloudpath.net)
Chief Architect, Open1X Group (chris@open1x.org)
Bret Jordan CISSP
Senior Security Architect, Open1X Group (jordan@open1x.org)