February 1, 2012

--------------------------------------------------------------------------------
Subject
--------------------------------------------------------------------------------
802.1X password exploit on many HTC Android devices


--------------------------------------------------------------------------------
Abstract
--------------------------------------------------------------------------------
There is an issue in certain HTC builds of Android that can expose the
user's 802.1X Wi-Fi credentials to any program with basic WI-FI
permissions.  When this is paired with the Internet access
permissions, which most applications have, an application could easily
send all stored Wi-Fi network credentials (user names, passwords, and
SSID information) to a remote server.  This exploit exposes
enterprise-privileged credentials in a manner that allows targeted
exploitation.


--------------------------------------------------------------------------------
Affected Vendors:
--------------------------------------------------------------------------------
HTC


--------------------------------------------------------------------------------
Affected Versions:
--------------------------------------------------------------------------------
We have verified the following devices as having this issue (there may
be others including some non-HTC phones):
Desire HD  (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
Glacier - Version FRG83
Droid Incredible - Version FRF91
Thunderbolt 4G - Version FRG83D
Sensation Z710e - Version GRI40
Sensation 4G - Version GRI40
Desire S - Version GRI40
EVO 3D - Version GRI40
EVO 4G - Version GRI40


--------------------------------------------------------------------------------
Non-Affected Versions:
--------------------------------------------------------------------------------
myTouch3g  (Appears to run either unmodified, or only lightly modified
Android build)
Nexus One  (Runs unmodified Android build)


--------------------------------------------------------------------------------
Severity
--------------------------------------------------------------------------------
Critical


--------------------------------------------------------------------------------
See also
--------------------------------------------------------------------------------
CVE ID: CVE-2011-4872


--------------------------------------------------------------------------------
Timeline:
--------------------------------------------------------------------------------
- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure ? postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure ? postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under
non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google



--------------------------------------------------------------------------------
Vulnerability Details:
--------------------------------------------------------------------------------
There is an issue in certain HTC builds of Android that can expose the
user's 802.1X password to any program with the
"android.permission.ACCESS_WIFI_STATE" permission. When paired with
the "android.permission.INTERNET" permission, an app could easily send
user names and passwords to a remote server for collection. In
addition, if the SSID is an identifiable SSID ("Sample University" or
"Enterprise XYZ"), this issue exposes enterprise-privileged
credentials in a manner that allows targeted exploitation.

Although the published Android APIs don't provide access to the 802.1X
settings, it is possible to view the settings with the .toString()
member of the WifiConfiguration class. The resulting output will look
something like this:

* ID: 2 SSID: "ct" BSSID: null PRIO: 16
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: PEAP
phase2: auth=MSCHAPV2
identity: [Your User Name]
anonymous_identity:
password:
client_cert:
private_key:
ca_cert: keystore://CACERT_ct

On most Android devices, the password field is either left blank, or
simply populated with a "*" to indicate that a password is present.
However, on affected HTC devices, the password field contains the
actual user password in clear text.

This is sample output from a Sprint EVO running Android 2.3.3:
* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: TTLS
phase2: auth=PAP
identity: test
anonymous_identity:
password: test
client_cert:
private_key:
ca_cert: keystore://CACERT_wpa2eap


--------------------------------------------------------------------------------
Vendor Response
--------------------------------------------------------------------------------
Google and HTC have been very responsive and good to work with on this
issue.  Google has made changes to the Android code to help better
protect the credential store and HTC has released updates for all
currently supported phone and side-loads for all non-supported phone.

Customer with affected versions can find information from HTC about
updating their phone at: http://www.htc.com/www/help/

Google has also done a code scan of every application currently in the
Android Market and there are no applications currently exploiting this
vulnerability.


--------------------------------------------------------------------------------
Credit
--------------------------------------------------------------------------------
Chris Hessing from The Open1X Group (http://www.open1x.org) who is
currently working on Android, iOS, Windows, Mac OSX, and Linux 802.1X
tools for Cloudpath Networks (http://www.cloudpath.net/) discovered
this password exploit.


--------------------------------------------------------------------------------
Contact Information
--------------------------------------------------------------------------------
Chris Hessing
     Senior Engineer, Cloudpath Networks (chris.hessing@cloudpath.net)
     Chief Architect, Open1X Group (chris@open1x.org)
Bret Jordan CISSP
     Senior Security Architect, Open1X Group (jordan@open1x.org)


--------------------------------------------------------------------------------
About
--------------------------------------------------------------------------------
Cloudpath Networks
Cloudpath Networks provides software solutions that allow diverse
environments to operate WPA2-Enterprise and 802.1X networks in a
scalable, sustainable manner.ˇ From Bring Your Own Device (BYOD) in
enterprise to student-owned devices in education, Cloudpath's
XpressConnect Wizard has been proven to provide unmatched simplicity
on millions of devices around the globe.

XpressConnect is an automated, self-service wizard for connecting
users to WPA2-Enterprise and 802.1X across a wide range of device
types and authentication methods, including credential-based (PEAP and
TTLS) and certificate-based (TLS).ˇ For certificate-based
environments, XpressConnect?s integration technology seamlessly
connects to existing Microsoft CA servers to extend automated
certificate issuance to non-domain devices, including iOS (iPhone,
iPad, iPod Touch), Android, Windows, Mac OS X, and Linux.

The Open1X Group
The Open1X Group is a strategic research and development group
established in 2001 to support the creation and adoption of secure
authentication systems over traditionally insecure network connection.

The Open1X Group performs active and ongoing research and analysis in
to the IEEE 802.1X protocol, the IETF EAP Methods, emerging
authentication technologies, and various cryptographic
implementations.  The Open1X Group has had the support of major
Universities, enterprise companies, major Hi-Tech companies, and
non-profit organizations.  The Open1X Group also performs on-going
analysis of business and academic interests in to secure
authentication and single sign-on systems, and Government and
non-Government regulations and mandates for compliance in secure
authentication.

The Open1X Group leverages a distributed team of security architects,
engineers, and research scientists with specializations in 802.1X,
gird and high performance computing, wireless networking, federated
authentication, black box testing, cryptography, large enterprise and
University deployment experiences, and global project development.

The Open1X Group is a pioneer in the secure authentication space with
the first major wide spread 802.1X federated deployment back in
1999/2000, and the development of a fully featured 802.1X supplicant,
XSupplicant.



Bret Jordan CISSP
Sr Security Architect
PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
"Without cryptography vihv vivc ce xhrnrw, however, the only thing
that can not be unscrambled is an egg."