Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others)


Perks
I know the title is alarmist (à la CM)

First of all, big thanks to Trevor Eckhart for this discovery

In any case, this data is not sent anywhere, but it is available in a file for a "crafty" program to use; in other words, the problem is not HTC obtaining the data but rather that an app can do so

On custom ROMs (obviously I haven't tested all of them; right now I'm on LeeDroid) this doesn't happen, but moving on to what matters:

Affected phones

Note: Only stock Sense firmware should be affected

  • EVO 4G
  • EVO 3D
  • Thunderbolt
  • Most likely the Sensation and others



    The Vulnerability



    In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
    That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
    • the list of user accounts, including email addresses and sync status for each
    • last known network and GPS locations and a limited previous history of locations
    • phone numbers from the phone log
    • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
    • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

    Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.

    But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed:

    • active notifications in the notification bar, including notification text
    • build number, bootloader version, radio version, kernel version
    • network info, including IP addresses
    • full memory info
    • CPU info
    • file system info and free space on each partition
    • running processes
    • current snapshot/stacktrace of not only every running process but every running thread
    • list of installed apps, including permissions used, user ids, versions, and more
    • system properties/variables
    • currently active broadcast listeners and history of past broadcasts received
    • currently active content providers
    • battery info and status, including charging/wake lock history
    • and more

      Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:

      ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location

      ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location

      ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands

      ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks

      BATTERY_STATS Allows an application to collect battery statistics

      DUMP Allows an application to retrieve state dump information from system services.

      GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service

      GET_PACKAGE_SIZE Allows an application to find out the space used by any package.

      GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.

      READ_LOGS Allows an application to read the low-level system log files.

      READ_SYNC_SETTINGS Allows applications to read the sync settings

      READ_SYNC_STATS Allows applications to read the sync stats

      Fixing the problem

      ... This requires root, and simply removing Htcloggers (/system/app/HtcLoggers.apk) is enough.

      I'm attaching two apps so you can test whether HTCloggers is present, and a short explanatory video

      http://dl.dropbox.com/u/18331466/loggingdangerapp.apk
    
    
    
    

    http://dl.dropbox.com/u/18331466/TrevE_Logging_TestApp_v4.apk
    Stay safe
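A check for the removal step described in this post, as an added example that is not part of the original post or of the test apps linked in it: it scans saved output of `adb shell pm list packages -f` for the HtcLoggers.apk file named above. The function name, the sample listings and their package names are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for the HTC logging APK in a saved package listing.
# Input format is that of `pm list packages -f`: package:<apk path>=<package name>
# Only the APK file name (HtcLoggers.apk) comes from the post; everything
# else here is a constructed illustration.

find_htcloggers() {
    # Reads a listing on stdin; prints "<apk path> <package name>" for each
    # match and returns 0 if the APK is present, 1 if it is not.
    found=1
    while IFS= read -r line; do
        line=${line%"$(printf '\r')"}      # adb output may carry CR line endings
        case $line in
            package:*=*) ;;
            *) continue ;;                 # skip blank or unrelated lines
        esac
        entry=${line#package:}
        pkg=${entry##*=}                   # package name follows the last '='
        apk=${entry%=*}                    # paths may themselves contain '='
        # The post spells the name three ways, so compare case-insensitively.
        base=$(printf '%s' "${apk##*/}" | tr '[:upper:]' '[:lower:]')
        if [ "$base" = "htcloggers.apk" ]; then
            printf '%s %s\n' "$apk" "$pkg"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample listings (package names are placeholders).
STOCK_LISTING='package:/system/app/Browser.apk=com.example.browser
package:/system/app/HtcLoggers.apk=com.example.placeholder.loggers
package:/data/app/com.example.game-1.apk=com.example.game'

CLEAN_LISTING='package:/system/app/Browser.apk=com.example.browser
package:/data/app/~~Zm9v==/com.example.game-1/base.apk=com.example.game'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$STOCK_LISTING" | find_htcloggers && echo "stock: logger APK present"
    printf '%s\n' "$CLEAN_LISTING" | find_htcloggers || echo "clean: logger APK absent"
fi
```

Running the same check again after the removal and a reboot confirms that the APK is really gone from the system partition.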


HTC has already reacted, saying that a software update with a fix for this flaw will be released

A leak of a ROM with the reference 2.08 (Sense 3.5 :D) is already going around on xda; I've already downloaded it, haven't installed it, but I could already see that at least the file is no longer there, so HTC must have realized that they are not Apple :trollface:


  • 2 weeks later...
  • 1 month later...

just a brief summary

after this flaw was discovered, the developer continued his work and found a vulnerability that had to do with a log created by a company called Carrier IQ, whose job was to collect smartphone usage information and hand it over to the carriers (this on network-locked phones, which are the majority in the USA).

The problem starts when it is discovered that they collected everything, and when I say everything I mean everything, from location and calls to the keys pressed, and it was common across the stock ROMs of the major players (HTC, Samsung, LG, etc.)

"Carrier IQ provides telemetry to cellular carriers and manufacturers, and according to the company itself, its software is pre-installed on over 141 million phones. Now, a security researcher claims that the same software is monitoring every single key you press on your smartphone, reading your SMS, and logging much of the personal data you transmit, too —all with an app that you can't remove."

This starts on Android because the community behind it, with its fanaticism for ROM development, tries to eliminate any and every app whose purpose is unknown and whose removal makes no difference to performance

Unfortunately this possibility doesn't extend to iOS, but it certainly planted the doubt, and the result was:

Carrier IQ references discovered in Apple's iOS

To date, the user tracking controversy surrounding Carrier IQ has focused primarily on Android, but today details are surfacing that the company also may have hooks into Apple's iOS. Well-known iPhone hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ. We were able to independently verify that at the very least, references to Carrier IQ's servers do exist within iPhoneOS 3.1.3 in a file located at /usr/bin/IQAgent. What exactly that binary is able to access or how it may communicate with either carriers or Carrier IQ is not yet known, though there are references to an IQAgent log on the device as well as references to collector.sky.carrieriq.com.

For versions 4.0 and up, Intell on MacRumors' forums has found similar references to the http://collector.sky.carrieriq.com location within /usr/bin/awd_ice2, although we have not independently verified that yet. Again, no clear word on just what is or is not being tracked or collected.

The story is developing, with chpwn promising a post providing as many details as he's been able to uncover thus far, including the possibility that the code wasn't enabled by default in iOS. We should emphasize that all we can say for sure at the moment is that iOS definitely contained references to Carrier IQ —but given how the story has progressed thus far, we expect there will be more to report on soon.

http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone

As I said before, custom ROMs are free of this

As for iOS, we'll see

It's also said that most non-American ROMs don't have this problem, because it's the carrier's decision whether or not to put this in the stock ROM


(...)whose job was to collect smartphone usage information and hand it over to the carriers (this on network-locked phones, which are the majority in the USA).

The problem starts when it is discovered that they collected everything, and when I say everything I mean everything, from location and calls to the keys pressed, and it was common across the stock ROMs of the major players (HTC, Samsung, LG, etc.)

"Carrier IQ provides telemetry to cellular carriers and manufacturers, and according to the company itself, its software is pre-installed on over 141 million phones. Now, a security researcher claims that the same software is monitoring every single key you press on your smartphone, reading your SMS, and logging much of the personal data you transmit, too —all with an app that you can't remove."


Just to make things clear:

As I said before, this is on American phones that are bought from the carriers with all that crapware. On those that come unlocked and/or are sold in Europe this doesn't happen.

AOSP phones are free of it too.

Custom ROMs are free of it

On iOS, since updates are worldwide they go out to everyone, but according to what I've read in Rev's post next door, simply unchecking an option in iOS 5 solves the problem


Cyanogen Team

Everybody with access to a web browser over the last week or so has undoubtedly seen the recent upheaval about Carrier IQ. The truth is, Carrier IQ has been around for quite some time. It is one of the nastier examples of bloatware installed by carriers, and it is more than likely something that will always be there in some form or fashion. That is, as long as your phone is running the OEM provided version of Android.

As this version of Android is based entirely on work from the Android Open Source Project, the CyanogenMod team would like to assure everyone that Carrier IQ has never, and will never be a part of our Operating System. There is no risk of this kind of software to ever be shipped as a part of CyanogenMod, period. Please, take it upon yourselves to educate anyone who is concerned about Carrier IQ, and offer them CyanogenMod as the only real opt-out they are likely to get any time soon.

Revenge likes Cyanogen

PS: OEM is different from AOSP. OEM is the version of Android after it has gone through the carriers. For example, the P500 when I bought it came with Android modified by Vodafone itself, that is, with their junk. And it's the carriers that put Carrier IQ into Android.

In any case, it seems the European carriers aren't doing that. Only the American ones.


By the way, for context, statements from some carriers and manufacturers

Apple:

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

AT&T:

In-line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance.

Bell:

Bell doesn't install or support Carrier IQ or similar programs. You may want to connect with the device manufacturers for the industry-wide perspective.

Fido:

Carrier IQ is not on any of our devices.

Google, which has never shipped CarrierIQ on its Nexus devices:

We do not have an affiliation with CarrierIQ. Android is an open source effort and we do not control how carriers or OEMs customize their devices.

HP:

HP does not install nor authorize its partners to embed Carrier IQ on its webOS devices.

HTC:

HTC, like most manufacturers, has an opt-in error reporting function built in to our devices. If your phone experiences an error, you have the option of 'Telling HTC' so we can make improvements to our phones. Details about this are in our privacy policy on each device and in order for data to be collected, you have to opt-in. If you do opt-in, we protect your privacy by de-identifying and encrypting the data. HTC is committed to protecting your privacy and that means a commitment to clear opt-in/opt-out as the standard for collecting any information we need to serve you better.

Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we'd advise them to contact their carrier. It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.

Microsoft:

Windows Phones don't have CarrierIQ on them either.

Nokia:

Nokia is aware of inaccurate reports which state that software from Carrier IQ has been found on Nokia devices. Carrier IQ does not ship products for any Nokia devices, so these reports are wrong.

RIM:

RIM does not pre-install the Carrier IQ app on BlackBerry smartphones or authorize its carrier partners to install the Carrier IQ app before sales or distribution... RIM also did not develop or commission the development of the Carrier IQ application, and has no involvement in the testing, promotion, or distribution of the app.

Rogers:

I'm happy to confirm that we have investigated and Carrier IQ is NOT on any of our devices

Samsung:

Some Samsung mobile phones do include Carrier IQ, but it's very important to note that it's up to the carrier to request that Samsung include that software on devices. One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ.

Sprint:

Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint.

Sprint is well known for our serious commitment to respecting and protecting the privacy and security of each customer's personally identifiable information and other customer data. A key element of this involves communicating with our customers about our information privacy practices. The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance.

T-Mobile US:

T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' internet activity, nor is the tool used for marketing purposes.

T-Mobile UK:

I can confirm that Carrier IQ software is not and has not been installed on any T-Mobile phones.

Verizon:

To be 100% clear: Carrier IQ is *not* on Verizon Wireless phones.

Motorola didn't have an official statement, but did mention that Carrier IQ is only pre-loaded as an operator requirement.

According to MobileSyrup, Virgin Mobile Canada, Telus and Videotron have also confirmed that Carrier IQ is not loaded on any of their devices.

Lookout has released a "Carrier IQ" detector that is simpler than TrevE's existing one; my test


https://market.android.com/details?id=com.lookout.carrieriqdetector


Apple, HTC, Samsung, Motorola, AT&T, Sprint, T-Mobile and Carrier IQ Sued in Delaware Federal Court in Cell Phone Tracking Software Scandal

WILMINGTON, Del., Dec. 2, 2011 /PRNewswire/ --The law firms of Sianni & Straite LLP of Wilmington, DE, Eichen Crutchlow Zaslow & McElroy LLP of Edison, NJ, and Keefe Bartels L.L.C. of Red Bank, NJ, have today filed a class action complaint in Federal Court in Wilmington, Delaware related to the unprecedented breach of the digital privacy rights of 150 million cell phone users. The complaint asserts that three cell phone providers (T-Mobile, Sprint and AT&T) and four manufacturers of cell phones (HTC, Motorola, Apple and Samsung) violated the Federal Wiretap Act, the Stored Electronic Communications Act, and the Federal Computer Fraud and Abuse Act.

So, it begins
