HTC IQRD Android Permission Leakage
| Release Date | 2012-04-20 |
| Application | IQRD on HTC Android Phones |
| Discovered by | Dan Rosenberg <drosenberg (at) vsecurity.com> |
| Vendor Status | Patch Released |
| CVE Candidate | CVE-2012-2217 |
| Reference | Original Advisory |
Product Description
The IQRD service is HTC's implementation of a Carrier IQ porting layer on several HTC Android phones. Carrier IQ is a data collection framework that may be deeply integrated into the Android application stack in order to provide cell carriers with detailed metrics data on device and network activity [1]. To complete the integration of Carrier IQ on a specific device, phone manufacturers provide a "porting layer" that allows the Carrier IQ service to perform specific actions that may vary by device.
Vulnerability Details
On December 22th, VSR identified a vulnerability in IQRD. The IQRD service listens locally on a TCP socket bound to port 2479. This socket is intended to allow the Carrier IQ service to request device-specific functionality from IQRD. Unfortunately, there is no restriction or validation on which applications may request services using this socket. As a result, any application with the android.permission.INTERNET permission may connect to this socket and send specially crafted messages in order to perform potentially malicious actions.
In particular, it is possible for malicious applications to:
- Trigger UI popup messages
- Generate tones
- Send arbitrary outbound SMS messages that do not appear in a user's outbox, facilitating toll fraud
- Retrieve a user's Network Access Identifier (NAI) and corresponding password, potentially allowing rogue devices to impersonate the user on a CDMA network
Versions Affected
The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift 4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on AT&T.
Vendor Response
The following timeline details HTC's response to the reported issue:
| 2011-12-22 | Vulnerability reported to HTC |
| 2011-12-28 | HTC confirms receipt, indicates that fix is planned for early 2012 |
| 2012-03-10 | VSR requests status update |
| 2012-03-16 | HTC confirms fix has been published |
| 2012-03-26 | HTC requests clarification on finding |
| 2012-03-26 | VSR provides clarification on finding, requests confirmation on status of fix |
| 2012-04-02 | HTC provides confirmation of fix, requests further clarification |
| 2012-04-02 | VSR provides clarification on finding |
| 2012-04-12 | VSR provides draft advisory to HTC |
| 2012-04-13 | HTC provides corrections to advisory, requests disclosure date |
| 2012-04-20 | Coordinated disclosure |
Recommendation
HTC has issued a fix that will typically be provided as an OTA update by affected cell carriers. If the update has not automatically been installed, it is possible to retrieve the update manually by navigating to Menu -> Settings -> System Updates -> HTC Software Update -> Check Now.
The following software versions on Sprint are confirmed to resolve this issue:
| HTC EVO 4G | 4.67.651.3 |
| HTC EVO Design 4G | 2.12.651.5 |
| HTC EVO Shift 4G | 2.77.651.3 |
| HTC EVO 3D | 2.17.651.5 |
| HTC EVO View 4G | 2.23.651.1 |
The following software versions on AT&T are confirmed to resolve this issue:
| HTC Vivid | 3.26.502.56 |
All affected devices except the HTC Hero have received an over-the-air update. HTC and Sprint have declined to update the HTC Hero, citing its 2009 release, minimal current usage, and lack of malicious applications in the Android Marketplace exploiting this vulnerability.
Users should be aware that devices that no longer receive updates due to switching carriers may remain vulnerable.
Common Vulnerabilities and Exposures (CVE) Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2012-2217 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Acknowledgements
Thanks to HTC for their response and fix.
References
| 1. | Carrier IQ |
This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure practices.
