The Tech Herald

HTC looking into vulnerability reports

by Steve Ragan - Oct 3 2011, 07:30

HTC looking into vulnerability reports. Image: HTC/Sprint.

Handset maker HTC is investigating reports of a security vulnerability that could be leveraged to expose personal information, which exists on a number of devices. Reports of the vulnerability were published on Saturday by AndroidPolice.com.

Application developer Trevor Eckheart, along with Artem Russakovskii and Justin Case, initially discovered the problems after an update to the Sense UI (user interface) was released by HTC. The update installed some new tools to their devices, which can be used to extract personal information simply by installing a malicious application that requires Internet permissions.

“In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information... Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured,” Russakovskii wrote.

The update allows “any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads)” to access a list of user accounts on the device, including email addresses and sync status.

In addition, one can also access last known network and GPS data, along with a limited previous history of locations. Moreover, the buggy tools expose phone numbers, SMS data, and other system logs. The SMS exposure includes encoded text, but it is unknown if this data can be decrypted.

Also of note is the installation of 'androidvncserver'. As the name suggests, HTC has placed a VNC application on devices, but with no explanation as to why. The VNC server isn’t enabled to run by default, “but who knows what and who can trigger it and potentially get access to your phone remotely,” Russakovskii said.

Unless the device is rooted in order to remove the logging software, there is no fix for the problem.

“HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken,” the company said in a statement.

More information, including a list of all data exposed can be found here. So far, HTC handsets such as the EVO 4G, EVO 3D, Thunderbolt, are confirmed as impacted. Moreover, the EVO Shift, future Sensation devices, and the MyTouch Slide could be affected as well. 

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition – The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon — the most powerful a...