Tuesday, 4 October 2011

'Speechless': HTC Android phones expose users' locations, call history - Sydney Morning Herald

A flaw on a number of HTC smartphones available in Australia means a hacker can find out where you are, who you have called and sent text messages to and disable your phone remotely, security experts say.

Exploiting the flaw requires a malicious app to be granted access to the internet, a permission most apps request. Once granted that permission, such an app could gain access to the data that has been shown to be exposed.

Fairfax Media reported in May on a 400 per cent increase in malware since the middle of last year on Google Android, the mobile operating system installed on the HTC smartphones affected. Google regularly sweeps clean its Marketplace of malicious apps but doesn't always find the bad ones.

An Australian security expert has labelled the reported security flaw in HTC Android smartphones as "far more serious" than Apple's iPhone location tracking scandal and Facebook's tracking of users across the web.

Data demonstrated to have been exposed includes not only a phone's last known network and GPS locations and a limited previous history of locations (as was seen in the Apple iPhone location tracking scandal) but SMS and phone number data too, as well as a phone's list of user accounts, including email addresses and sync status for each.

The security flaw was uncovered and reported on by US security experts Trevor Eckhart, Justin Case and Artem Russakovskii, who went public after waiting five days without a response from HTC.

Any phone numbers you have dialled (as well as your own number) are also exposed as part of the flaw, as an affected phone's system log is vulnerable, they said. The amount of data exposed, which includes much more than what is listed in this report, left Mr Russakovskii "speechless", according to his blog post on Android Police. A video to back up the security experts' claims was also released, demonstrating the flaw.

It is said to expose multiple HTC Android smartphones, including two that are sold in Australia - the HTC Sensation, sold on a plan with Telstra, and the HTC EVO 3D, sold by both Vodafone and Telstra.

Telstra said HTC had advised it that the smartphone-maker was investigating the reported security flaw. "Once the investigation is complete we will assess the findings to ensure our customers are protected," a Telstra spokesman said. Vodafone too said it was "aware" of the reported flaw and in contact with HTC, which is currently investigating it. "We will update our customers as more information comes to hand."

HTC said it took customers' security "very seriously" and was "working to investigate" the reported vulnerability as quickly as possible. "We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

Australian security expert at Stratsec, Nick Ellsmore, said that from a user perspective the security flaw exposed on the Android Police blog was "far more serious than the iPhone 'location tracking scandal', which turned out to mostly be a non-event once the details emerged, or the Facebook 'like' button tracking after log-out of last week".

And because the US security experts exposed the flaw before HTC was able to fix it, he said it may leave affected HTC smartphone users "more vulnerable" in the meantime, as the weakness was "now broadly known".

"It's definitely a cause for concern," Mr Ellsmore said.

Australian security expert at Pure Hacking, Ty Miller, said the vulnerability was "significant" and allowed an attacker to bypass the normal Android access controls. "The vulnerability allows a seemingly innocent mobile app to gain unauthorised access to sensitive and private information."

It meant any app that had internet permissions and was explicitly denied access to location services was "now able to track your physical location". It also meant a person with malicious intent could gain access to an HTC phone's serial number and have it permanently disabled by reporting it as being stolen, Mr Miller said.

A rogue app purporting to be a web browser for example - which could be easily developed by a person with malicious intent - could then be installed by a user and quickly gain access to a phone's sensitive data. This is because the Android Marketplace does not vet each and every app uploaded to it, unlike Apple's iTunes app store.

Pure Hacking's Mr Miller said that the flaw highlighted by the US security experts was introduced by an HTC tool likely used for troubleshooting its smartphones, and therefore it was "up to HTC to act appropriately to mitigate the vulnerability to reduce the risk posed to their customers".

Australian security expert at Sophos, Paul Ducklin, said it was not responsible of the US security experts who exposed the flaw to reveal it the way they did. "Disclosing 'responsibly' but giving only five days' notice is a bit of a fudge - as if you're trying to get quick recognition and fame for finding a bug but wanting to give the impression of being a good internet citizen."

Pure Hacking's Ty Miller said there were a number of "responsible disclosure" definitions and timeframes about, but there was no specific standard that everyone adheres to. "This means that some people believe that releasing a proof of concept exploit five days after the vendor has been notified is responsible. Unfortunately this doesn't give the vendor much time to respond, so this technique is biased towards having the exploit released."
