Summary: Security
researchers claim they’ve found an insecure logging program in some HTC
Android phones that easily enables crackers to get full access to all
your personal data.
What is it with companies wanting to know your every move these days? Facebook has been tracking you on Web sites with Facebook Like buttons; Amazon, with its forthcoming Silk Web browser, will track your every move on the Web;
and now HTC, in some of its Android smartphones, has planted a logging
program that records everything you do with your phone. That's bad
enough, but according to Android Police
researchers, that snooping program has a giant security hole that lets
crackers easily grab the information it has been gathering.
According to the researchers, Trevor Eckhart, Artem Russakovskii, and Justin Case, in recent updates to some of its devices HTC introduced a suite of logging tools that collect both system and personal information.
That's invasive. What's even more annoying is that they also discovered
HTC had added "an app called androidvncserver.apk to their Android OS
installations." That's a Virtual Network Computing (VNC) remote-access
server. With it, HTC could, in theory, remotely control your phone.
But, wait, there’s more! The real problem is that they’ve found that
“any app on affected devices that requests a single
android.permission.INTERNET (which is normal for any app that connects
to the web or shows ads) can get its hands on” this data.
What's in there? They found that, among other information, the logging program gathers:
- A list of user accounts, including email addresses and sync status for each
- Last known network and GPS locations, plus a limited history of previous locations
- Phone numbers from the phone log
- SMS data, including phone numbers and encoded text
- System logs (both kernel/dmesg and app/logcat), which record everything your running apps do and are likely to include email addresses, phone numbers, and other private information
To get at all this data, all a cracker need do is get you to install
any program that connects to the Web with
android.permission.INTERNET, which is pretty much every Android
program, and have it read the file the HTC data logger keeps of
your phone's activity. With just that, in less than a minute, a malware
program could forward all your phone's information to a snooper, who
will then know who you are, where you are and where you've been, who
you've been calling and texting, and on and on.
That's all there is to it. HTC did the hard work of gathering all
your information; all a cracker has to do is harvest the results.
There's no need for a password cracker or any other fanciness to use this
security hole. It would take an experienced Android programmer less
time to write the code to exploit this problem than it took me to
write this Reader's Digest description of it.
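Two checks a practitioner could run against a suspect phone over adb, as an added example that is not code from the article, from HTC or from the Android Police researchers: the first scans `adb shell pm list packages -f` output for the androidvncserver.apk file the article names; the second parses a decoded AndroidManifest.xml and reports whether an app requests nothing beyond android.permission.INTERNET, the one permission the researchers say is enough to reach the logged data. The package names, the "flashlight" app and both sample outputs are constructed for the example; the article gives only the APK file name, not the package name behind it.

```python
"""Added example: adb-based checks for the HTC logging issue described above.
Sample data is constructed; package names are hypothetical."""
import re
import subprocess
import xml.etree.ElementTree as ET

# APK file names the article says HTC added to its Android builds
WATCHED_APKS = ("androidvncserver.apk",)

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of `adb shell pm list packages -f` output. The package
# name paired with androidvncserver.apk is hypothetical (not in the article).
SAMPLE_PM_LIST = """\
package:/system/app/androidvncserver.apk=com.example.vncserver
package:/system/app/Phone.apk=com.android.phone
package:/data/app/com.example.flashlight-1.apk=com.example.flashlight
"""

# Constructed manifest of a third-party "flashlight" app that asks only for
# INTERNET: the install prompt shows nothing about location, SMS or call logs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# `pm list packages -f` prints one `package:<apk path>=<package name>` per line
PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")


def parse_pm_list(text):
    """Return {package_name: apk_path} parsed from `pm list packages -f` output."""
    out = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            out[m.group("pkg")] = m.group("path")
    return out


def find_watched_apks(pm_text, watched=WATCHED_APKS):
    """Installed packages whose APK file name is on the watch list."""
    wanted = {w.lower() for w in watched}
    hits = {}
    for pkg, path in parse_pm_list(pm_text).items():
        if path.rsplit("/", 1)[-1].lower() in wanted:
            hits[pkg] = path
    return hits


def requested_permissions(manifest_xml):
    """Values of every <uses-permission android:name=...> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)]


def internet_only(manifest_xml):
    """True when INTERNET is the only permission the app requests. On the
    affected phones that is all an app needs, so the prompt is no warning."""
    return set(requested_permissions(manifest_xml)) == {"android.permission.INTERNET"}


def adb_pm_list():
    """Live package listing via adb; None when adb or a device is unavailable."""
    try:
        return subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    listing = adb_pm_list() or SAMPLE_PM_LIST
    for pkg, path in find_watched_apks(listing).items():
        print("watched APK present: %s (%s)" % (path, pkg))
    print("INTERNET-only manifest:", internet_only(SAMPLE_MANIFEST))
```

Run it with a phone attached and USB debugging enabled to scan the live package list; without a device it falls back to the constructed sample. The manifest check needs a decoded manifest (the binary AndroidManifest.xml inside an APK has to be converted to text first); its point is that a permission list reading only INTERNET is exactly what the researchers say an attacker's app would show.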
The HTC smartphone models that appear to be vulnerable are the EVO
3D, EVO 4G, Thunderbolt, and possibly HTC's Sensation phone line. After
finding the vulnerability, the trio say that Eckhart contacted HTC on
September 24th and got no response. So, after five business days without
a real reply, they decided to publish the vulnerability to force HTC to
fix the problem. HTC has yet to respond to these claims.
In the meantime, you should not install any remotely questionable new
applications on your HTC smartphone; the permission prompt won't warn you,
since all an attacker's app needs is the INTERNET permission that nearly
every app requests. If you're comfortable getting down and dirty with your
phone's firmware, you may also want to consider dumping your phone's default
HTC Android distro and replacing it with an Android Open Source Project
(AOSP) based firmware such as CyanogenMod, which does not include HTC's own
software additions.