Thunderbolt, other HTC phones have big security hole, report claims

Some HTC Android smartphones contain a flaw that gives Net-connected apps access to personal information such as text message and location data, according to security researchers.

Edward Moyer Senior Editor

HTC Android smartphones including the Evo 3D, the Evo 4G, and the Thunderbolt contain a flaw that gives Internet-connected apps installed on the devices access to personal information such as text message data, location info, e-mail addresses, and phone numbers, according to a trio of security researchers.

Researcher Artem Russakovskii says that he, Justin Case, and Trevor Eckhart have discovered a vulnerability involving logging tools that HTC recently installed on the devices during a software update.

Such tools, Russakovskii writes, might normally be used for remote analysis of problems on a device, among other things. But the problem here is that, because of this purportedly misguided update, "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the Web or shows ads)" can, Russakovskii says, get access to:

  • "the list of user accounts, including email addresses...
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info"

For now, the only way for users to address the issue is to wait for a fix from HTC or to jailbreak the phone and remove the logging tools, according to Russakovskii. He advises owners of the devices to be especially vigilant about downloading suspicious apps.

Russakovskii says the trio contacted HTC about the problem on September 24, waited five business days, and then went public when they hadn't heard back. "As far as we know, HTC is now looking into the issue, but no statement has been issued yet," he writes.

Vulnerable devices, according to Russakovskii, might also include the Evo Shift 4G, the MyTouch 4G Slide, the upcoming Vigor, some Sensations, and "most likely others."

"It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door," Russakovskii says. You can read his complete post here.