• Massive HTC Android Vulnerability Leaves Security Expert "Speechless"
    43 replies, posted
[quote]"I am quite speechless right now," begins Artem Russakovskii over at Android Police as he posts about a "massive" security flaw in HTC Android devices that allows malicious hackers to access phone numbers, GPS, SMS, email addresses and more. The affected devices include EVO, 3D, 4G and Thuderbolt and apparently the flaw goes so deep that the guys at Android Police are discovering new issues with each new test or examination: [QUOTE]What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on: - the list of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations - phone numbers from the phone log - SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely) - system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info[/QUOTE] Even worse, for apps that only need one type of information, like the Internet permission, this vulnerability [I]still[/I] grants access to other areas of the device (like location, logs, even battery stats, just to name a few). Basically, it sounds as if you're using one of these HTC Android devices, you've been walking around with your fly undone and a big "eff me over" sign on your back. The security research is ongoing and we'll update with any fixes or security patches that get issued. The only way this gets fixed is an update from HTC itself, says the guys at A.P. [[URL="http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/"]Android Police[/URL]] [B]RELATED STORIES [/B][B][URL="http://gizmodo.com/5845590/watch-samsung-galaxy-s-ii-security-bug-leaves-locked-phones-exposed-updated"]Watch: Samsung Galaxy S II Security Bug Leaves Locked Phones Exposed (UPDATED)[/URL][/B] [B][URL="http://gizmodo.com/5845426/samsung-galaxy-tab-7-plus-is-amazingly-similar-to-all-of-samsungs-other-tabs"]Samsung Galaxy Tab 7 Plus Is Amazing...ly Similar to All of Samsung's Other Tabs[/URL][/B] [B][URL="http://gizmodo.com/5845043/the-panasonic-lumix-phone-101p-might-not-suck-at-being-a-camera-or-a-phone"]The Panasonic Lumix Phone 101P Might Not Suck at Being a Camera or a Phone[/URL][/B][/quote] [url]http://gizmodo.com/5845867/massive-htc-android-vulnerability-leaves-security-expert-speechless[/url] Apparently this only effects US handsets, hopefully my Thunder Bolt is fine :tinfoil:
oh fuck oh fuck we are gonna be poor guys
Thought this was gonna be the same video I saw in the Android thread. There was the pattern unlock screen, then a black screen when he hit the power button and then it was unlocked all of a sudden.
I just patched up the vulnerability, but I'm running a custom ROM on a Thunderbolt. If you've got a phone that's running a Sense ROM, I'd advise you to do t he same.
[QUOTE=Sir Whoopsalot;32595149]Thought this was gonna be the same video I saw in the Android thread. There was the pattern unlock screen, then a black screen when he hit the power button and then it was unlocked all of a sudden.[/QUOTE] Wasn't that for the AT&T Samsung Galaxy SII? Or am I wrong yet again?
[QUOTE=Sir Whoopsalot;32595149]Thought this was gonna be the same video I saw in the Android thread. There was the pattern unlock screen, then a black screen when he hit the power button and then it was unlocked all of a sudden.[/QUOTE] It's in my post, Watch: Samsung Galaxy S II Security Bug Leaves Locked Phones Exposed (UPDATED) [url]http://gizmodo.com/5845590/watch-samsung-galaxy-s-ii-security-bug-leaves-locked-phones-exposed-updated[/url]
Holy shit, now I'm speechless.
[QUOTE=Van-man;32595164]Wasn't that for the AT&T Samsung Galaxy SII? Or am I wrong yet again?[/QUOTE] Turns out it was, forget what phone it was. Fucking hilarious nonetheless.
[QUOTE=Sir Whoopsalot;32595284]Turns out it was, forget what phone it was. Fucking hilarious nonetheless.[/QUOTE][video=youtube;V9tXDLyeoBE]http://www.youtube.com/watch?v=V9tXDLyeoBE&feature=player_embedded[/video]
[QUOTE=ducky5;32595306][video=youtube;V9tXDLyeoBE]http://www.youtube.com/watch?v=V9tXDLyeoBE&feature=player_embedded[/video][/QUOTE] Yeah, saw it. Honestly, how in the WORLD does something like this get past?
In the meanwhile, if you're running a stock HTC ROM on your phone, root your phone and remove the file /system/app/HtcLoggers.apk
Somewhere out there, there is a Chinese/Middle Eastern/Russian hacker laughing maniacally and rubbing his hands together excitedly.
Thankfully, I'm using the Droid X2 from Motorola. I'll take a look through my files though.
[QUOTE=Sir Whoopsalot;32595347]Yeah, saw it. Honestly, how in the WORLD does something like this get past?[/QUOTE] are you seriously implying a dinky lock screen is any form of real security anyways
why are all super-skilled hackers russian/eastern european?
[QUOTE=Arachnidus;32595150]I just patched up the vulnerability, but I'm running a custom ROM on a Thunderbolt. If you've got a phone that's running a Sense ROM, I'd advise you to do t he same.[/QUOTE] MIUI master race :D
What do you delete to fix the vulnerability? I deleted HTCLoggers, but I don't know what else.
[quote]The affected devices include EVO, 3D, 4G and [B][I]Thuderbolt [/I][/B]and apparently the flaw goes so deep that the guys at Android Police are discovering new issues with each new test or examination:[/quote] AH FUCK I have a Thunderbolt...
So no other HTC devices are affected? Like the Incredible 2?
[QUOTE=barttool;32596138]why are all super-skilled hackers russian/eastern european?[/QUOTE] They don't have much to-do really.
[QUOTE=Elizer;32596088]Thankfully, I'm using the Droid X2 from Motorola. I'll take a look through my files though.[/QUOTE] Why? This only extends to phones with HTCSense.
[QUOTE=barttool;32596138]why are all super-skilled hackers russian/eastern european?[/QUOTE] Because the laws are somewhat outdated and the police there can't do much about it anyway.
How does this vulnerability work? Surely I'd need to download a stupid app or something?
[QUOTE=ducky5;32595306][video=youtube;V9tXDLyeoBE]http://www.youtube.com/watch?v=V9tXDLyeoBE&feature=player_embedded[/video][/QUOTE] [quote]Okay, we did some more digging, and just to be clear here, there is no security risk. Here's the deal: When you set your Galaxy S II to require a password, the default time before you're required to enter it is five minutes. You can make that longer or shorter, as you like. The bug is that the unlock screen appears before it's required.[/quote]
[QUOTE=barttool;32596138]why are all super-skilled hackers russian/eastern european?[/QUOTE] Because it's too cold outside for normal crime.
Im running HTC Desire HD with a custom ROM (Android revolution HD) should I be worried? Running android 2.2
"Android Police" ?
Thank god instead of these smartphones I have a normal mobile phone.
Haha, my HTC runs on Window Mobile, not Android! I win! [sp]Windows Mobile is the worst thing ever[/sp]
I'd be concerned if I didn't lose my HTC Aria somewhere in my house :v: Not on the effected list but still.
Sorry, you need to Log In to post a reply to this thread.