Jump to content

Wavesecure vulnerability!!! - need confirmation

Guest Xifer

By Guest Xifer
in HTC Desire

 Share

Recommended Posts

Guest Xifer

Guest Xifer

Posted
Posted

I'm using Modaco latest r8 rom with froyo 2.2. I noticed 2 things:

1. wave secure will not download my account data automatically when I factory reset. I need to register again which make it vulnerable. >> Anyone can disable wave secure

2. I don't even need to factory reset and I can reset wave secure by clearing the data in settings!!!!

I have tried in original HTC ROM 2.09(rooted) and flash in /system/app. same situation.

And I've tried that if wavesecure hasn't been register, you can't lock it from wavesecure.com

I don't know if this is due to the nature of froyo or it's been like this since 2.1

wave secure is practically useless right now on my phone!!

Anyone can confirm this?

Guest Thunderbirds

Guest Thunderbirds

Posted
Posted

im wondering if that how it works? becoz i saw in wavesecure website that even a factory reset ur account information will be back as normal, anyone else can confirm this?

Guest Thunderbirds

Guest Thunderbirds

Posted
Posted

im wondering if that how it works? becoz i saw in wavesecure website that even a factory reset ur account information will be back as normal, anyone else can confirm this?

Guest Diggedy

Guest Diggedy

Posted
Posted
I'm using Modaco latest r8 rom with froyo 2.2. I noticed 2 things:

1. wave secure will not download my account data automatically when I factory reset. I need to register again which make it vulnerable. >> Anyone can disable wave secure

2. I don't even need to factory reset and I can reset wave secure by clearing the data in settings!!!!

I have tried in original HTC ROM 2.09(rooted) and flash in /system/app. same situation.

And I've tried that if wavesecure hasn't been register, you can't lock it from wavesecure.com

I don't know if this is due to the nature of froyo or it's been like this since 2.1

wave secure is practically useless right now on my phone!!

Anyone can confirm this?

im having the same trouble although im sure it used to automatically re-register. The programs useless is anyone who knows what they are doing gets their hands on your phone

Guest tigris666

Guest tigris666

Posted
Posted

I hadn't considered this, but it makes sense. In order to flash a new ROM on my phone (which due to r8 being worked on, I am doing this 1-2 times a week), I take out my huge SD card, put in the SD card with the clockwork recovery update.zip and the new ROM on it. Boot phone with volume down etc, everyone should know the recovery method by now. Bam, new ROM is on, may or may not have wavesecure.

So, if I am in the business of stealing / re-selling android phones, wouldn't i just have a bunch of gold cards ready to flash any phone within minutes?

Surely I am missing something, wavesecure must be accessing a part of the phone that doesn't get flashed.

Guest Xifer

Guest Xifer

Posted
Posted
im having the same trouble although im sure it used to automatically re-register. The programs useless is anyone who knows what they are doing gets their hands on your phone

yes. it used to automatically register even after a new flash (ie. new MCR)

btw, i already opened a ticket to wavesecure. if they dont fix it anytime soon i might not renew my subscriptions(yes i missed the free beta trial whatever).

Guest nilezon

Guest nilezon

Posted
Posted (edited)

This should interest you guys:

http://secrep5265.blogspot.com/

If your phone is lost, so is your Wavesecure account, and all your backuped data.

Edit: It seems Wavesecure has disabled the settings auto-restore feature because of the security issue i mentioned above.

Edited by nilezon
Guest squrl

Guest squrl

Posted
Posted (edited)

Experiencing same behavior as OP. Wonder if they'll refund me...

EDIT: Just read the blogposts linked by nilezon and I can only say I am totally shocked. Deleting WaveUnsecure from my phone right now.

Edited by squrl
Guest Thunderbirds

Guest Thunderbirds

Posted
Posted

called them yesterday to enquire about hard phone reset function becoz i tried to do a factory reset and after that it didnt link my account back, The support guy said that the factory reset features is under development and estimate will be up again within 3 weeks, does this mean they are working to fix the LEAK or should i uninstall ? apart from wavesecure what other provider provide the similar features? i believe Mobile Defense is one of the best but to bad it only support US

Guest Xifer

Guest Xifer

Posted
Posted
This should interest you guys:

http://secrep5265.blogspot.com/

If your phone is lost, so is your Wavesecure account, and all your backuped data.

Edit: It seems Wavesecure has disabled the settings auto-restore feature because of the security issue i mentioned above.

let's hope they can fix it

Guest mmeikelinen

Guest mmeikelinen

Posted
Posted

You can lose trust only once...

I won't ever use this application. Who knows what can be found next. There are better alternatives available.

Guest Barry Bradford

Guest Barry Bradford

Posted
Posted

Never been a fan of WS - Always used Lookout - works fine for me :huh: phone locator is pretty damn accurate too!!

Guest nilezon

Guest nilezon

Posted
Posted
which is the better alternative?

I'm using Theft Aware (www.theftaware.com).

It's €10, but it is a one time fee.

A new version is under development, and it looks really promising. The Android development has been a little slow lately since the same company also make a version for Symbian, and they apparently have been focusing on that platform the last couple of weeks.

The new version is including hardware reset protection (encrypted settings file in /system folder) for rooted phones. I'm not sure when it will be released. I'm a beta tester and the new version is a release candidate right now, so I guess the finel version will be here in a few weeks.

The really good thing with Theft Aware is that it is fully stand alone. No company gets access to my phone location. This was the reason I chose this application in the first place.

Guest Thunderbirds

Guest Thunderbirds

Posted
Posted

ok so u're saying www.theftaware.com has everything same as WS? and have you installed it as system app ? btw does it support international

Guest Elbereth

Guest Elbereth

Posted
Posted

I don't know how they can make it much safer... The only information not lost with a hard reset is the IMEI... Best thing they can do is just retrieve a hash of the PIN and not the PIN itself and lock the phone until the pin is entered. It would still be possible to brute force the hash if they don't secure it correctly... The PIN is just numbers iirc and it is not specially long... Would be nice if only a fingerprint would unlock it. :huh:

Guest nilezon

Guest nilezon

Posted
Posted
I don't know how they can make it much safer... The only information not lost with a hard reset is the IMEI... Best thing they can do is just retrieve a hash of the PIN and not the PIN itself and lock the phone until the pin is entered. It would still be possible to brute force the hash if they don't secure it correctly... The PIN is just numbers iirc and it is not specially long... Would be nice if only a fingerprint would unlock it. :huh:

I'll tell you how to make it much safer:

First, they seem to use the the real pin and not a hash. If they insist on retrieving the program settings from the Internet, they should start using a salted hash (please note, it could still be hacked, so it isn't bullet proof).

Secondly, Theft Aware is using a fully local version, storing the settings needed on the /system partition, instead of retrieving them from some remote server.

The settings stored is a pin code hash and a friends phone number. The attacker could possibly brute force the hash to disable the system, but he/she could never use it for tracking my phone before it gets stolen. The real issue with Wavesecure isn't that the password is lost, but that you only need the IMEI number (not the physical phone) to get all backup data as well as start tracking the phone remotely. That is bad.

I'm not saying that Theft Aware is perfect, but the developer seem to have at least a little security knowledge.

You should pick whatever tracking application you like. Look around. BUT, do not use Wavesecure in it's current state.

Guest Xifer

Guest Xifer

Posted
Posted
Never been a fan of WS - Always used Lookout - works fine for me :huh: phone locator is pretty damn accurate too!!

First thing I'll do if I got your phone is to uninstall Lookout and that's it. You can scream but not your phone ;p

Lookout doesn't have any real security features. Good free backup service though.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept