VSR Security Advisory http://www.vsecurity.com/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: HTC IQRD Android Permission Leakage Release Date: 2012-04-20 Application: IQRD on HTC Android Phones Author: Dan Rosenberg Vendor Status: Patch Released CVE Candidate: CVE-2012-2217 Reference: http://www.vsecurity.com/resources/advisory/20120420-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description ------------------- The IQRD service is HTC's implementation of a Carrier IQ porting layer on several HTC Android phones. Carrier IQ is a data collection framework that may be deeply integrated into the Android application stack in order to provide cell carriers with detailed metrics data on device and network activity [1]. To complete the integration of Carrier IQ on a specific device, phone manufacturers provide a "porting layer" that allows the Carrier IQ service to perform specific actions that may vary by device. Vulnerability Details --------------------- On December 22th, VSR identified a vulnerability in IQRD. The IQRD service listens locally on a TCP socket bound to port 2479. This socket is intended to allow the Carrier IQ service to request device-specific functionality from IQRD. Unfortunately, there is no restriction or validation on which applications may request services using this socket. As a result, any application with the android.permission.INTERNET permission may connect to this socket and send specially crafted messages in order to perform potentially malicious actions. In particular, it is possible for malicious applications to: 1. Trigger UI popup messages 2. Generate tones 3. Send arbitrary outbound SMS messages that do not appear in a user's outbox, facilitating toll fraud 4. Retrieve a user's Network Access Identifier (NAI) and corresponding password, potentially allowing rogue devices to impersonate the user on a CDMA network Versions Affected ----------------- The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift 4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on AT&T. Vendor Response --------------- The following timeline details HTC's response to the reported issue: 2011-12-22 Vulnerability reported to HTC 2011-12-28 HTC confirms receipt, replies that fix is planned for early 2012 2012-03-10 VSR requests status update 2012-03-16 HTC confirms fix has been published 2012-03-26 HTC requests clarification on finding 2012-03-26 VSR provides clarification on finding, requests confirmation on status of fix 2012-04-02 HTC provides confirmation of fix, requests further clarification 2012-04-02 VSR provides clarification on finding 2012-04-12 VSR provides draft advisory to HTC 2012-04-13 HTC provides corrections to advisory, requests disclosure date 2012-04-20 Coordinated disclosure Recommendation -------------- HTC has issued a fix that will typically be provided as an OTA update by affected cell carriers. If the update has not automatically been installed, it is possible to retrieve the update manually by navigating to Menu -> Settings -> System Updates -> HTC Software Update -> Check Now. The following software versions on Sprint are confirmed to resolve this issue: HTC EVO 4G: 4.67.651.3 HTC EVO Design 4G: 2.12.651.5 HTC EVO Shift 4G: 2.77.651.3 HTC EVO 3D: 2.17.651.5 HTC EVO View 4G: 2.23.651.1 The following software versions on AT&T are confirmed to resolve this issue: HTC Vivid: 3.26.502.56 All affected devices except the HTC Hero have received an over-the-air update. HTC and Sprint have declined to update the HTC Hero, citing its 2009 release, minimal current usage, and lack of malicious applications in the Android Marketplace exploiting this vulnerability. Users should be aware that devices that no longer receive updates due to switching carriers may remain vulnerable. Common Vulnerabilities and Exposures (CVE) Information ------------------------------------------------------ The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2012-2217 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Acknowledgements ---------------- Thanks to HTC for their response and fix. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- References: 1. Carrier IQ http://www.carrieriq.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: http://www.vsecurity.com/company/disclosure -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Copyright 2012 Virtual Security Research, LLC. All rights reserved.