September 27, 2016

WiMAX / 4G Information Leak Discovered on HTC Phones

(LiveHacking.Com) – It was just under a month ago that Trevor Eckhart (AKA TrevE) discovered that HTC preinstalled an application known as HtcLoggers on its phones. This logging program collected all kinds of data and then acted as a server to any connection that opens the right port.

TrevE hasn’t been sitting on his laurels and has now discovered that HTC preinstall a WiMAX monitoring system on its 4G enabled phones. An attacker who gains control over this can potentially manipulate data connectivity and to go even as far as being able to completely reprogram a device’s CDMA parameters remotely.

The WiMAX monitoring system exposes two open ports (7773/7774) to the outside world with no authentication. The only thing required for a malicious app to do anything is the INTERNET permission, which most Android apps request as a matter of course.

It is also possible to send commands to the WiMAX chipset via these ports, but sending a single comma can create an crashes the phone with an “out of bounds range exception.”

TrevE has posted a proof of concept app and a list of commands that can be sent to this monitoring system here.

Security Problems with HTC’s Android Phones

(LiveHacking.Com) – HTC recently updated the software on some of its Android based phones which introduced a suite of logging tools that collect information from the device including locations data and SMS usage. This software has been rolling out for popular phones like the EVO 4G, the EVO 3D and the Thunderbolt. According to a new report this log data is available to any application installed on the phone that is granted ‘Internet’ permission (which is just about every app).

Once an app with ‘Internet’ permission is installed it can access HTC’s logging data and read:

  • the list of user accounts.
  • the last known network and GPS locations along with a short history of previous locations.
  • phone numbers from the phone log
  • SMS data

The problem is with a preinstalled app called HtcLoggers.apk that collects all kinds of data and then acts as a server to any connection that opens the right port. Once connected the app serves up data via a command line interface that even has a handy ‘help’ command.

The vulnerability was found by Trevor Eckhart (AKA TrevE) who has created a proof of concept app and has released a YouTube video walkthrough.

According to the Android Police report:

After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public.