Wednesday, February 1, 2012

802.1X password exploit on many HTC Android devices

February 1, 2012

Subject
802.1X password exploit on many HTC Android devices



Abstract
There is an issue in certain HTC builds of Android that exposes the user's 802.1X Wi-Fi credentials to any application holding the basic Wi-Fi permission (ACCESS_WIFI_STATE).  When this is paired with the Internet access permission, which most applications request, an application could easily send all stored Wi-Fi network credentials (user names, passwords and SSIDs) to a remote server.  Because the SSID usually identifies the organisation the credentials belong to, this vulnerability exposes enterprise-privileged credentials in a manner that allows targeted exploitation.


Affected Vendors
HTC


Affected Versions
We have verified the following devices as having this issue (there may be others including some non-HTC phones):
Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
Glacier - Version FRG83
Droid Incredible - Version FRF91
Thunderbolt 4G - Version FRG83D
Sensation Z710e - Version GRI40
Sensation 4G - Version GRI40
Desire S - Version GRI40
EVO 3D - Version GRI40
EVO 4G - Version GRI40



Non-Affected Versions
myTouch3g  (Appears to run either an unmodified or only lightly modified Android build)
Nexus One  (Runs unmodified Android build)


Severity
Critical


See also
CVE ID: CVE-2011-4872


Timeline
- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google


Vulnerability Details
There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the "android.permission.ACCESS_WIFI_STATE" permission. When paired with the "android.permission.INTERNET" permission, an app could easily send user names and passwords to a remote server for collection. In addition, if the SSID is an identifiable SSID ("Sample University" or "Enterprise XYZ"), this issue exposes enterprise-privileged credentials in a manner that allows targeted exploitation.

Although the published Android APIs do not expose the 802.1X password, any application holding ACCESS_WIFI_STATE can call WifiManager.getConfiguredNetworks() and print each returned WifiConfiguration object with its .toString() method. The resulting output will look something like this:

* ID: 2 SSID: "ct" BSSID: null PRIO: 16
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: PEAP
phase2: auth=MSCHAPV2
identity: [Your User Name]
anonymous_identity:
password:
client_cert:
private_key:
ca_cert: keystore://CACERT_ct

On most Android devices, the password field is either left blank or populated with a single "*" to indicate that a password is present. However, on affected HTC devices, the password field contains the actual user password in clear text.

This is sample output from a Sprint EVO running Android 2.3.3:
* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: TTLS
phase2: auth=PAP
identity: test
anonymous_identity:
password: test
client_cert:
private_key:
ca_cert: keystore://CACERT_wpa2eap
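As an added example, not code from the original advisory or from HTC, the following Python script parses dumps in the WifiConfiguration.toString() format shown above, as a tester might capture them from a test application's log output, and reports every 802.1X network whose password field holds anything other than the blank or "*" placeholder. The two sample dumps embedded in it are the ones reproduced above; the WPA-PSK block is constructed here to show that pre-shared-key networks are skipped by the check.

```python
"""Check WifiConfiguration.toString() dumps for clear-text 802.1X passwords.
Added example for this advisory, not vendor code.  Input is the text that
WifiConfiguration.toString() emits (one block per saved network, each block
starting with "* ID:"), e.g. copied from a test application's log output.
"""
import re

# Reproduced from the advisory: a non-affected build prints the password blank.
SAFE_DUMP = """\
* ID: 2 SSID: "ct" BSSID: null PRIO: 16
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: PEAP
phase2: auth=MSCHAPV2
identity: [Your User Name]
anonymous_identity:
password:
client_cert:
private_key:
ca_cert: keystore://CACERT_ct
"""

# Reproduced from the advisory: the affected Sprint EVO prints the real password.
LEAKY_DUMP = """\
* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: TTLS
phase2: auth=PAP
identity: test
anonymous_identity:
password: test
client_cert:
private_key:
ca_cert: keystore://CACERT_wpa2eap
"""

# Constructed here (not from the advisory): a WPA2-Personal network, which
# holds no 802.1X credentials and must be ignored by the check.
PSK_DUMP = """\
* ID: 1 SSID: "home net" BSSID: null PRIO: 3
KeyMgmt: WPA_PSK Protocols: WPA RSN
PSK: *
"""

HEADER_RE = re.compile(r'\* ID: (\d+) SSID: (.*?) BSSID: (\S+) PRIO: (\d+)$')


def parse_dump(text):
    """Split a dump into one dict per network block."""
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* ID:"):
            m = HEADER_RE.match(line)
            current = None
            if m:  # header line: ID, SSID (quoted, may contain spaces), BSSID, PRIO
                current = {"id": int(m.group(1)), "ssid": m.group(2).strip('"'),
                           "bssid": m.group(3), "priority": int(m.group(4)), "key_mgmt": []}
                networks.append(current)
            continue
        if current is None or not line:
            continue
        if line.startswith("KeyMgmt:"):  # KeyMgmt and Protocols share this line
            km, _, proto = line[len("KeyMgmt:"):].partition("Protocols:")
            current["key_mgmt"] = km.split()
            current["protocols"] = proto.split()
            continue
        key, sep, value = line.partition(":")  # first colon only; a password may contain ':'
        if sep:
            current[key.strip()] = value.strip()
    return networks


def is_8021x(net):
    """True for WPA/WPA2-Enterprise (WPA_EAP) and dynamic-WEP (IEEE8021X) networks."""
    return bool({"WPA_EAP", "IEEE8021X"} & set(net["key_mgmt"]))


def leaked_credentials(text):
    """Return (ssid, identity, password) for each 802.1X network whose dump shows
    the real password.  Non-affected builds print the field blank or as a single
    "*" placeholder, so anything else is reported as a leak."""
    leaks = []
    for net in parse_dump(text):
        password = net.get("password", "")
        if is_8021x(net) and password not in ("", "*"):
            leaks.append((net["ssid"], net.get("identity", ""), password))
    return leaks


if __name__ == "__main__":
    for ssid, identity, password in leaked_credentials(SAFE_DUMP + LEAKY_DUMP + PSK_DUMP):
        print("LEAK: SSID %r identity %r password %r" % (ssid, identity, password))
```

The parser splits every field on the first colon only, so a password that itself contains ":" is still recovered whole, and the SSID match is non-greedy so quoted SSIDs with spaces (the "Sample University" case from the details above) parse correctly.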


Vendor Response
Google and HTC have been very responsive and good to work with on this issue.  Google has made changes to the Android code to better protect the credential store, and HTC has released updates for all currently supported phones and side-loads for all unsupported phones.

Customers with affected versions can find information from HTC about updating their phone at: http://www.htc.com/www/help/

Google has also scanned the code of every application currently in the Android Market and found no applications exploiting this vulnerability.


Credit
Chris Hessing from The Open1X Group (http://www.open1x.org), who is currently working on Android, iOS, Windows, Mac OS X, and Linux 802.1X tools for Cloudpath Networks (http://www.cloudpath.net/), discovered this vulnerability.


Contact Information
Chris Hessing
     Senior Engineer, Cloudpath Networks (chris.hessing@cloudpath.net)
     Chief Architect, Open1X Group (chris@open1x.org)
Bret Jordan CISSP
     Senior Security Architect, Open1X Group (jordan@open1x.org)


About
Cloudpath Networks
Cloudpath Networks provides software solutions that allow diverse environments to operate WPA2-Enterprise and 802.1X networks in a scalable, sustainable manner. From Bring Your Own Device (BYOD) in enterprise to student-owned devices in education, Cloudpath's XpressConnect Wizard has been proven to provide unmatched simplicity on millions of devices around the globe.

XpressConnect is an automated, self-service wizard for connecting users to WPA2-Enterprise and 802.1X across a wide range of device types and authentication methods, including credential-based (PEAP and TTLS) and certificate-based (TLS). For certificate-based environments, XpressConnect's integration technology seamlessly connects to existing Microsoft CA servers to extend automated certificate issuance to non-domain devices, including iOS (iPhone, iPad, iPod Touch), Android, Windows, Mac OS X, and Linux.

The Open1X Group
The Open1X Group is a strategic research and development group established in 2001 to support the creation and adoption of secure authentication systems over traditionally insecure network connections.

The Open1X Group performs active and ongoing research and analysis into the IEEE 802.1X protocol, the IETF EAP methods, emerging authentication technologies, and various cryptographic implementations.  The Open1X Group has had the support of major universities, enterprise companies, major high-tech companies, and non-profit organizations.  The Open1X Group also performs ongoing analysis of business and academic interest in secure authentication and single sign-on systems, and of government and non-government regulations and mandates for compliance in secure authentication.

The Open1X Group leverages a distributed team of security architects, engineers, and research scientists with specializations in 802.1X, grid and high performance computing, wireless networking, federated authentication, black box testing, cryptography, large enterprise and university deployment experience, and global project development.

The Open1X Group is a pioneer in the secure authentication space with the first major wide spread 802.1X federated deployment back in 1999/2000, and the development of a fully featured 802.1X supplicant, XSupplicant.