Recently HTC acknowledged a vulnerability that can expose a user’s WiFi credentials, including the WiFi SSID and security passwords, to a malicious app running on some of its Android phones. The vulnerability was discovered by the security architects Chris Hessing and Bret Jordan, and is also published on the US-CERT website.
The vulnerability is due to an issue in certain Android models that allows an Android application with basic permissions (particularly ‘android.permission.ACCESS_WIFI_STATE’) to access all the stored WiFi credentials, including the respective SSIDs, user names and security passwords, belonging to various WPA/WPA2-PSK/802.1x based WiFi networks. On top of this, if an application also has internet permission (‘android.permission.INTERNET’), it can transfer this list of WiFi credentials to a remote server.
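The two permissions named above are the whole story from a triage point of view: one lets an app read the stored credentials on an affected phone, the other lets it send them off the device. The following added script (not from HTC, US-CERT or the original post) classifies an app's decoded AndroidManifest.xml by that permission pair; the manifest text is a constructed sample, and in practice it would come from a tool such as apktool or aapt that decodes the binary manifest inside an APK.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The permission pair discussed in the post: read stored WiFi credentials
# (on affected HTC builds) and a network path to move them off the device.
WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
INTERNET = "android.permission.INTERNET"

# Constructed sample manifest for offline testing; not a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Wallpaper"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of android:name values declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml.strip())
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def wifi_credential_risk(manifest_xml):
    """Classify a manifest against the vulnerability's permission requirements.

    'exfiltration': can read stored WiFi credentials and send them to a remote server.
    'local-read':   can read them, but holds no network permission.
    'none':         cannot read them at all.
    """
    perms = requested_permissions(manifest_xml)
    if WIFI_STATE in perms and INTERNET in perms:
        return "exfiltration"
    if WIFI_STATE in perms:
        return "local-read"
    return "none"


if __name__ == "__main__":
    print(wifi_credential_risk(SAMPLE_MANIFEST))  # exfiltration
```

Because ACCESS_WIFI_STATE and INTERNET are both common, legitimate requests, a hit here marks an app for closer review on an unpatched device rather than proving malice.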
Exposing the list of WiFi credentials to an unintended party without the user’s knowledge can have serious security implications if that party has malicious intent. Some of these include:
Unauthorized access to private WiFi networks: Having obtained the list of WiFi credentials from a user’s mobile device, the simplest thing an attacker can do is intrude into the corresponding private WiFi networks. The private network can be a home, campus or corporate WiFi network. The intrusion allows the attacker to carry out a host of malicious activities on the network, such as installing malware on the network and scanning the network for confidential information or security vulnerabilities. Many corporations are adopting BYOD (Bring Your Own Device) initiatives nowadays, giving employees’ personal mobile devices access to the corporate WiFi. But since personal devices lack strict corporate controls, vulnerabilities similar to this recently discovered one can be a serious security threat to corporations adopting BYOD schemes. All WiFi networks requiring a security passphrase (in the case of WPA/WPA2-PSK security) or a combination of username and password (in the case of WPA/WPA2-802.1x) can suffer intrusion through exploitation of the discovered vulnerability. In contrast, WiFi networks requiring digital certificates or SIM-based authentication (in the case of WPA/WPA2-802.1x) are potentially safe from intrusion attacks launched via exploitation of the vulnerability.
Eavesdropping/Session hijacking on secured WiFi networks: Losing the WiFi credentials of a WPA/WPA2-PSK WiFi network can be more damaging than losing those of a WPA/WPA2-802.1x WiFi network, because in the former all the WiFi clients of a particular network share a common passphrase. Therefore, an attacker who has gained the SSID and passphrase through the discovered vulnerability can sniff all the private encrypted WiFi communications happening over the associated WiFi network (using easily available hardware and software) and decrypt them afterwards or in real time using the obtained credentials. Since the decrypted traffic can reveal browser cookies, the attacker can potentially hijack an authorized user’s web session as well. WPA/WPA2-PSK networks are popular among home and SOHO users, so users’ online traffic, even though encrypted, is susceptible to eavesdropping and session hijacking once an attacker has illegally gained the necessary credentials by exploiting the discovered vulnerability.
Man-in-the-middle attack on WiFi users: Losing the WiFi credentials also enables an attacker to launch a man-in-the-middle attack on connected users of the affected WiFi network. The attack can hurt users through leakage of confidential data or malware implantation. Although WPA/WPA2-PSK networks are more susceptible to man-in-the-middle attacks, by exploiting the Hole196 vulnerability one can mount this attack on WPA/WPA2-802.1x networks too.
Potential loss of personal information: People often use WiFi hotspots for broadband access on their devices while they work, travel or visit various public places. Many WiFi hotspots carry the identity of their location in their SSID, so losing the WiFi credentials, including the SSID details, can also reveal a lot of information about a user to third parties, such as the company name, places travelled to, etc. Such personal details can motivate crimes such as stalking.
Looking at the damage that losing the list of WiFi credentials can cause, the discovery of this vulnerability is very important from the user’s security perspective, considering the growing usage of Android-based mobile devices and WiFi networks across the world. Moreover, given the open nature of the Android market, malware exploiting the vulnerability can be easily developed and targeted at the users of affected devices, posing a greater security concern for them. A fix for the vulnerability is already available, and HTC has said that many phones have received the fix through regular updates, but some users may need to manually update their phones.
Hopefully, having seen the list of potential damages from the discovered vulnerability, mobile device users will be a bit more careful when selecting and installing apps on their devices.