Earlier this month, HTC officially announced that they are aware of a wireless vulnerabiltiy on some HTC handsets running Android. The vulnerability comes with any application that requests access to “ACCESS_WIFI_STATE” and allows others to see the passwords used by the user to connect to wireless access points at home or while on the go.
Fortunately, this weakness was discovered by a couple of researchers who then reported the issue to HTC. A detailed report of the exploit including a discovery timeline and information on those that discovered the issue can be found on this blogger site.
The report claims the vulnerability has been found on many HTC devices currently on the market across the world and it appears that HTC has already patched a few phones; even before HTC went public with the announcement. Below is a list of phones known to have this flaw:
Desire HD (both “ace” and “spade” board revisions) – Versions FRG83D, GRI40
Glacier – Version FRG83
Droid Incredible – Version FRF91
Thunderbolt 4G – Version FRG83D
Sensation Z710e – Version GRI40
Sensation 4G – Version GRI40
Desire S – Version GRI40
EVO 3D – Version GRI40
EVO 4G – Version GRI40
If you have one of the phones listed above, it is probably a good idea to go to your phone’s settings and check for a manual update or visit HTC’s website to see if additional instructions for downloading a fix has been published there. Several phones, particularly on Sprint’s network have already received updates applying a few other patches; like the removal of CarrierIQ and it is likely that other devices should see something in the near future.