HTC Desire S

HTC is updating some of its Android phones to address a security vulnerability which could allow malicious apps to steal Wifi security information. In a post on its official support site, the manufacturer says that many of the affected handsets have already been updated over-the-air; however, some may require a manual update.

On an affected device, the bug in question could allow an Android application with the innocuous-sounding "ACCESS_WIFI_STATE" permission to access Wifi passwords for any network the phone's connected to. According to security researchers Chris Hessing and Bret Jordan, who originally discovered the vulnerability, phones affected by the bug include --

TheNextWeb reports that Hessing and Jordan discovered the issue in September 2011, but worked with Google and HTC to track down the root cause and develop a fix before going public. That's why we're just hearing about this for the first time today.

As HTC says, if your device is affected, it's likely already been updated with the fix over-the-air. The manufacturer says to check back next week for more information on a manual patch for certain handsets. In any case, we're not too worried about this latest security scare, and we don't think you should be either. If you were affected, chances are you already have the fix. And after all, stealing a Wifi password is among the less menacing things a malicious app could do.

Source: HTC Support; via: TheNextWeb


Reader comments

HTC addressing Wifi security loophole in some Android handsets


I'm not sure if I agree with the assessment 'that stealing a WiFi password is among the less menacing things a malicious app could do'. For example, my work uses WPA-2 Enterprise security for WiFi. That password is the same password for all enterprise access. Someone with that password could do a lot more than get free WiFi...

My wifi uses that crazy 26 digit (or whatever it is) alpha-numeric capital and lower case password. So is someone going to come park in front of my house and use my wifi?

These issues will be resolved if you put on big boy pants and are using a custom ROM. I can't speak for all of the phones listed, but my MyTouch 4G is much more useable in every way running CM7 than stock.

I'm guessing the Thunderbolt got the patch in one of the last few updates. But it would've never been an issue for me anyway as I NEVER use Wi-Fi on my phone (it's always turned off). No need for it as LTE coverage is excellent where I live and it blows my home DSL service out of the water! :P

TWO thoughts:

Msbragg (above) - from a BEST PRACTICES standpoint that is a really bad idea. Enterprise access should be individualized by user permission, application, department, network type, etc. I know that sounds scary cumbersome and expensive but it really isn't. Most data theft occurs from employees and wireless is one of the least secure entry points for that theft. Add offsite (traveling, smartphone using, remote based) mobile users and you dramatically magnify your exposure to non-employees determined to gain access. How many employees have "remember my password" checked, saved in an unsecured document?
Ask your IT provider for an "identity management assessment". If it isn't free (they can analyze a representative subset that you both agree on) or they get all squirmy, you're using the wrong people.

HTC should explain how users can verify the fix is actually present on their device.