Do your updates! This one is nasty.
February 1, 2012
--------------------------------------------------------------------------------
Subject
--------------------------------------------------------------------------------
802.1X password exploit on many HTC Android devices
--------------------------------------------------------------------------------
Abstract
--------------------------------------------------------------------------------
There is an issue in certain HTC builds of Android that can expose the user's 802.1X Wi-Fi credentials to any program with basic Wi-Fi permissions. When this is paired with the Internet access permission, which most applications have, an application could easily send all stored Wi-Fi network credentials (user names, passwords, and SSID information) to a remote server. This exploit exposes enterprise-privileged credentials in a manner that allows targeted exploitation.
--------------------------------------------------------------------------------
Affected Vendors:
--------------------------------------------------------------------------------
HTC
--------------------------------------------------------------------------------
Affected Versions:
--------------------------------------------------------------------------------
We have verified the following devices as having this issue (there may be others including some non-HTC phones):
- Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
- Glacier - Version FRG83
- Droid Incredible - Version FRF91
- Thunderbolt 4G - Version FRG83D
- Sensation Z710e - Version GRI40
- Sensation 4G - Version GRI40
- Desire S - Version GRI40
- EVO 3D - Version GRI40
- EVO 4G - Version GRI40
--------------------------------------------------------------------------------
Non-Affected Versions:
--------------------------------------------------------------------------------
- myTouch3g (Appears to run either an unmodified or only lightly modified Android build)
- Nexus One (Runs unmodified Android build)
--------------------------------------------------------------------------------
Severity
--------------------------------------------------------------------------------
Critical
--------------------------------------------------------------------------------
See also
--------------------------------------------------------------------------------
CVE ID: CVE-2011-4872
--------------------------------------------------------------------------------
Timeline:
--------------------------------------------------------------------------------
- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure - postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure - postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google
--------------------------------------------------------------------------------
Vulnerability Details:
--------------------------------------------------------------------------------
There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the "android.permission.ACCESS_WIFI_STATE" permission. When paired with the "android.permission.INTERNET" permission, an app could easily send user names and passwords to a remote server for collection. In addition, if the SSID is an identifiable SSID ("Sample University" or "Enterprise XYZ"), this issue exposes enterprise-privileged credentials in a manner that allows targeted exploitation.
Although the published Android APIs don't provide access to the 802.1X settings, it is possible to view the settings with the .toString() member of the WifiConfiguration class. The resulting output will look something like this:
* ID: 2 SSID: "ct" BSSID: null PRIO: 16
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: PEAP
phase2: auth=MSCHAPV2
identity: [Your User Name]
anonymous_identity:
password:
client_cert:
private_key:
ca_cert: keystore://CACERT_ct
On most Android devices, the password field is either left blank, or simply populated with a "*" to indicate that a password is present.
However, on affected HTC devices, the password field contains the actual user password in clear text.
This is sample output from a Sprint EVO running Android 2.3.3:
* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: TTLS
phase2: auth=PAP
identity: test
anonymous_identity:
password: test
client_cert:
private_key:
ca_cert: keystore://CACERT_wpa2eap
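A triage helper for the two dumps above, added here as an example and not part of the advisory: it parses the WifiConfiguration.toString() format, keeps only the 802.1X (WPA_EAP / IEEE8021X) networks, and reports whether each password field is blank, masked with "*", or rendered in clear text, which is the tell for an affected build. It assumes the dump text was captured from a device you administer; the sample dump is constructed from the advisory's own output, abbreviated to the fields the check reads.

```python
import re
# Constructed sample (only the fields this check reads): the two dumps
# quoted in the advisory plus a PSK network, as one device would list them.
SAMPLE_DUMP = """\
* ID: 2 SSID: "ct" BSSID: null PRIO: 16
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
eap: PEAP
identity: [Your User Name]
password:
* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
eap: TTLS
identity: test
password: test
* ID: 5 SSID: "home" BSSID: null PRIO: 3
KeyMgmt: WPA_PSK Protocols: WPA RSN
"""

HEADER_RE = re.compile(r'^\* ID: (\d+) SSID: "([^"]*)"')

def parse_networks(dump):
    """Split a WifiConfiguration.toString() dump into one dict per network."""
    nets = []
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            nets.append({"id": int(m.group(1)), "ssid": m.group(2)})
        elif nets and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            nets[-1][key.strip()] = value.strip()
    return nets

def password_state(value):
    """The three renderings the advisory describes: blank, masked '*', cleartext."""
    return "blank" if value == "" else "masked" if value == "*" else "cleartext"

def triage(dump):
    """(ssid, eap, password_state) for every 802.1X network in the dump."""
    findings = []
    for net in parse_networks(dump):
        keymgmt = net.get("KeyMgmt", "")
        if "WPA_EAP" not in keymgmt and "IEEE8021X" not in keymgmt:
            continue  # PSK and open networks hold no 802.1X credential
        findings.append((net["ssid"], net.get("eap", ""),
                         password_state(net.get("password", ""))))
    return findings

def device_leaks(dump):
    """True when any 802.1X password is rendered in cleartext (affected build)."""
    return any(state == "cleartext" for _, _, state in triage(dump))
```

A blank field can also mean no password was stored for that network, so only a cleartext result is conclusive.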
--------------------------------------------------------------------------------
Vendor Response
--------------------------------------------------------------------------------
Google and HTC have been very responsive and good to work with on this issue. Google has made changes to the Android code to better protect the credential store, and HTC has released updates for all currently supported phones and side-loads for all non-supported phones.
Customers with affected versions can find information from HTC about updating their phone at: http://www.htc.com/www/help/
Google has also done a code scan of every application currently in the Android Market and there are no applications currently exploiting this vulnerability.