evil maid on droids - or why you should never lose your android smartphone
TRANSCRIPT
![Page 1: evil maid on droids - or why you should never loose your ... · evilmaidondroids or why you should never loose your android smartphone @f0rki 2012-12-06](https://reader034.vdocuments.us/reader034/viewer/2022042214/5eb9c3a0ed16bf7a203f124d/html5/thumbnails/1.jpg)
evil maid on droids
or why you should never lose your android smartphone
@f0rki
2012-12-06
Agenda
evil maids
detour: the android boot process
attack scenarios
  - unrooted phones
  - adb access
  - rooted phones
protecting yourself
2 / 51
evil maids
wat?
1. device left at hotel room
2. maid comes in
3. maid installs malware, fetches data, etc.
4. ???
5. PROFIT!!!
4 / 51
targets
- laptop is the classic target
  - full disk encryption as mitigation
- modify unencrypted bootloader/kernel
  - secure boot as mitigation
    - EFI SecureBoot on x86 PCs/notebooks
    - reduced access on embedded devices
5 / 51
a new victim arises
picture: thx sofie <3
6 / 51
partition layout
- /system: OS binaries and config, the android framework
- /data: user-installed apps, all user data
- boot: kernel, fs root /
- recovery: recovery system
- cache: dalvik cache, other cached data
- /sdcard, /mnt/storage: music, videos, whatever ...
Actual layout depends on device
9 / 51
android boot process
for HTC/Qualcomm devices:
1. baseband processor starts primary boot loader (PBL)
2. PBL starts secondary boot loader (SBL)
3. app processor bootup – HBOOT bootloader
4. HBOOT loads kernel/recovery
10 / 51
security? – locked bootloaders
for HTC/Qualcomm devices:
1. baseband processor starts primary boot loader (PBL)
   - verifies signature of SBL
2. PBL starts secondary boot loader (SBL)
   - verifies baseband code and HBOOT
3. app processor bootup – HBOOT bootloader
4. HBOOT loads kernel/recovery
   - verifies signature on kernel/recovery
11 / 51
bootloader unlocking
- disables signature checking/verification in the boot process
- allows booting of third-party code → yay, custom ROMs!
- bootloader unlocking
  - using the fastboot tool:
    fastboot oem unlock
- usually does a factory reset
  - erases /data/
  - removes device settings (e.g. saved wifi passwords)
- might need some proprietary tool or an exploit for unlocking
12 / 51
HTC S-ON/S-OFF
- system, kernel, recovery are hardware-write-protected
  - “temp root” – rooted phones will be unrooted at next boot
- bootloader unlocking – S-OFF
  - submit device-specific token
  - flash signed blob
  - voids warranty
- unpublished exploit: revolutionary
13 / 51
fastboot and co
- fastboot
  - “standard” protocol from AOSP
  - implemented in the app processor bootloader (e.g. HBOOT)
  - can flash images to partitions
  - can directly boot kernels
- other proprietary protocols/tools exist
  - nvflash for Tegra devices
  - old Motorola: SBF + miniloader
  - flash images via usb-exported ramdisk (archos)
  - etc.
14 / 51
assumptions
- device has a PIN/password/pattern set
  - else you are totally f**cked anyway
  - face-unlock also sucks
- typical smartphone usage
  - google, facebook, twitter account set up
- access to the storage device not possible
  - because of encryption
  - hardware protection
  - attacker can’t solder ;)
16 / 51
prerequisites
- stock ROM
- no adb
- no root
18 / 51
pull sdcard
how?
- pull sdcard
- dump everything
what?
- personal data (pictures, music)
- apps2sd
  - e.g. /sdcard/Android/data/
- app backups
- probably nothing really critical
  - company phone – company data???
20 / 51
what about nexus s?
- there’s no sdcard!
- only internal storage
  - accessible via media transfer protocol (MTP)
- access only when unlocked
  - restricted access to data
21 / 51
smudge patterns I
22 / 51
smudge patterns II
23 / 51
old news. . . boring stuff. . .
24 / 51
prerequisites
- phone used personally and for development
- stock ROM
- no root
- adb enabled
26 / 51
install malware
- create and install a malicious app pulling all possible data:
  adb install com.example.AngryBirdsStarTrek.apk
- still restricted access
  - give the malware every possible android permission
  - still no access to most of /data/
  - no system or systemOrSignature level permissions
- pull
  - personal data
  - contacts/texts
27 / 51
disabling keyguard via app
```java
// needs android.permission.DISABLE_KEYGUARD in the app's manifest
KeyguardManager keyguardManager =
    (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
KeyguardLock mkeyguardLock = keyguardManager.newKeyguardLock("unlock");
mkeyguardLock.disableKeyguard();
```

- hitting the back/home button might enable the keyguard again
  - depending on the device and the ROM
  - might also get you to the launcher activity (=win!)
- solution: launch other activities/intents via our malicious app, so no problem ;)
28 / 51
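A defender-side check for the keyguard trick above, added here and not part of the talk: KeyguardLock.disableKeyguard() only works for an app that declares android.permission.DISABLE_KEYGUARD, so listing which installed packages request that permission is a quick way to spot a sideloaded unlocker on a phone that had adb enabled. The input is assumed to be `aapt dump permissions` output concatenated over several APKs (both the old `uses-permission: <name>` and the newer `uses-permission: name='<name>'` styles are handled); the package names and permission sets in the sample are constructed.

```python
"""Flag sideloaded APKs that can dismiss the lock screen (added example)."""
import re
from typing import Dict, List

KEYGUARD_PERM = "android.permission.DISABLE_KEYGUARD"

# Permissions that, together with DISABLE_KEYGUARD, fit the "pull everything"
# app described in the talk. A triage watchlist, not a verdict.
WATCHLIST = {
    KEYGUARD_PERM: "can dismiss the lock screen",
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.READ_EXTERNAL_STORAGE": "reads the sdcard",
    "android.permission.INTERNET": "can send data off the device",
}

_PKG_RE = re.compile(r"^package:\s*(\S+)")
# Matches both "uses-permission: X" and "uses-permission: name='X' ...".
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)")


def parse_aapt_permissions(text: str) -> Dict[str, List[str]]:
    """Map package name -> requested permissions from aapt dump output."""
    perms: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms.setdefault(current, [])
            continue
        m = _PERM_RE.match(line)
        if m and current is not None:
            perms[current].append(m.group(1))
    return perms


def flag_keyguard_apps(perms: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return packages holding DISABLE_KEYGUARD, each with a short note on
    every watchlisted permission it also requests."""
    flagged: Dict[str, List[str]] = {}
    for pkg, plist in perms.items():
        if KEYGUARD_PERM in plist:
            flagged[pkg] = [f"{p}: {WATCHLIST[p]}" for p in plist if p in WATCHLIST]
    return flagged


# Constructed sample output: two packages, one of them the talk's hypothetical
# com.example.AngryBirdsStarTrek.apk sideloaded over adb.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.AngryBirdsStarTrek
uses-permission: name='android.permission.DISABLE_KEYGUARD'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.INTERNET'
package: com.example.flashlight
uses-permission: android.permission.CAMERA
uses-permission: android.permission.INTERNET
"""

if __name__ == "__main__":
    hits = flag_keyguard_apps(parse_aapt_permissions(SAMPLE_AAPT_OUTPUT))
    for pkg, reasons in hits.items():
        print(pkg)
        for reason in reasons:
            print("  " + reason)
```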
intercepting login credentials
1. install custom CA cert
2. set proxy in network settings
3. launch intercepting proxy
4. grab stuff
   - google auth token
   - facebook token, password
   - etc.
- no cert errors, since we installed a trusted CA cert
- unfortunately not everything uses the system proxy
  - gapps, facebook work fine
29 / 51
google backups
- so we have the google auth token
- adding the auth token to a rooted phone → provides access to everything backed up to google (in plaintext)
32 / 51
so still no root. . .
- well... get root!
  - root via adb restore by Bin4ry (for Android 4.0 and 4.1)
  - mempodroid
  - ZergRush
  - Gingerbreak
  - ...
33 / 51
prerequisites
- rooted phone
- custom ROM, recovery
- adb access
35 / 51
well. . .
. . . you are totally screwed!
36 / 51
the attack
adb pull /data/data/
adb pull /system/data/
- credentials
- wifi passwords
- all data
- install malware/rootkits for future use
37 / 51
prerequisites
- rooted phone
- custom ROM, custom recovery
- no adb access
38 / 51
no adb access
- ok so no adb access
- but custom recovery (e.g. clockworkmod)
- remember the bootloader stuff?
  - bootloader is usually unlocked
  - we can boot/execute arbitrary code :)
39 / 51
reboot menu
40 / 51
no reboot menu
- drain power
- load again
- boot into recovery via shortcuts
  - e.g. volume down + power button (HTC Desire S)
41 / 51
installing rootkits via recovery
- recoveries allow flashing an update.zip
  - usually used to flash new ROMs
- most have USB mass storage mode for the sdcard enabled
42 / 51
typical update.zip structure
43 / 51
the attack
1. write a rootkit running as a system service
2. reboot the phone into recovery
3. install the rootkit via update.zip
4. reboot the phone into the normal OS
5. exfiltrate all data over the network
44 / 51
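The update.zip vector above works because a custom recovery installs whatever package it is handed. As an added example (not code from the talk), here is a small Python triage script for a package found on a phone that was out of your sight: it builds a constructed update.zip in the same shape as the attack (an Edify updater-script that extracts a payload into /system/etc/init.d and marks it executable, which assumes an init.d-enabled ROM), parses the script, reports which calls write to the system partition, and checks whether the zip even carries the whole-file signature footer that a stock recovery would look for. The partition path /dev/block/mmcblk0p25 and the payload name 99svc are invented for the demo.

```python
"""Triage an Android recovery update.zip: what would its Edify updater-script
do, and does the zip carry a whole-file signature footer at all?

Added example (not code from the talk). The package is constructed in memory;
the partition path and payload name are invented for the demo.
"""
import io
import re
import struct
import zipfile

UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"
UPDATE_BINARY = "META-INF/com/google/android/update-binary"

# Edify calls that write to the device; normal in a vendor ROM, interesting
# in a package nobody signed.
RISKY_CALLS = {"package_extract_dir", "package_extract_file", "run_program",
               "set_perm", "set_perm_recursive", "symlink", "delete",
               "write_raw_image"}
SENSITIVE_PREFIXES = ("/system/etc/init.d", "/system/bin", "/system/xbin",
                      "/system/lib", "/boot", "/recovery")

CALL_RE = re.compile(r"(\w+)\s*\(([^()]*)\)")   # innermost call(args)
STR_RE = re.compile(r'"([^"]*)"')               # quoted string arguments


def build_demo_package() -> bytes:
    """Constructed sample in the shape of the attack slide's update.zip:
    drop a script into /system/etc/init.d (assumes an init.d-enabled ROM)."""
    script = (
        'ui_print("installing...");\n'
        'mount("ext4", "EMMC", "/dev/block/mmcblk0p25", "/system");\n'
        'package_extract_dir("system", "/system");\n'
        'set_perm(0, 0, 0755, "/system/etc/init.d/99svc");\n'
        'unmount("/system");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(UPDATE_BINARY, b"\x7fELF placeholder")  # not a real binary
        zf.writestr(UPDATER_SCRIPT, script)
        zf.writestr("system/etc/init.d/99svc",
                    "#!/system/bin/sh\n# constructed payload stub\n")
    return buf.getvalue()


def parse_edify(script: str):
    """Return [(function, [string args])] for every innermost call."""
    return [(m.group(1), STR_RE.findall(m.group(2)))
            for m in CALL_RE.finditer(script)]


def has_signature_footer(package: bytes) -> bool:
    """Recovery's verifier expects a 6-byte footer ending the zip comment:
    sig_start (u16 LE), 0xFFFF, comment_size (u16 LE), with the EOCD record
    sitting right before that comment. Presence only: this does not verify
    the signature against any key."""
    if len(package) < 28:
        return False
    _sig_start, marker, comment_size = struct.unpack("<HHH", package[-6:])
    eocd = len(package) - comment_size - 22
    return (marker == 0xFFFF and eocd >= 0
            and package[eocd:eocd + 4] == b"PK\x05\x06")


def triage(package: bytes) -> dict:
    """Summarise signature presence, payload files and risky script calls."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        script = zf.read(UPDATER_SCRIPT).decode() if UPDATER_SCRIPT in names else ""
    findings = [(fn, args) for fn, args in parse_edify(script)
                if fn in RISKY_CALLS
                or any(a.startswith(SENSITIVE_PREFIXES) for a in args)]
    return {
        "signed": has_signature_footer(package),
        "has_update_binary": UPDATE_BINARY in names,
        "payload_files": [n for n in names if not n.startswith("META-INF/")],
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(build_demo_package())
    print("signature footer present:", report["signed"])
    print("payload files:", report["payload_files"])
    for fn, args in report["findings"]:
        print(f"  {fn}({', '.join(args)})")
```

Run it against a real package with `triage(open("update.zip", "rb").read())`. The regex only sees innermost calls, so an `assert(getprop(...) == ...)` wrapper is reported as its inner `getprop`; that is fine for triage, where the interesting calls are the writes. Note that custom recoveries let the user toggle signature verification off, which is why an unsigned package installs at all.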
prerequisites
• rooted phone
• (custom ROM)
• no custom recovery
• no adb access
• unlocked bootloader
45 / 51
modify boot/recovery partition
• the boot image contains the kernel and the init scripts (ramdisk)
• kernel-based rootkit (complicated)
• malicious init scripts (easier)
• use fastboot to flash a modified boot.img, or boot it directly without flashing:
    fastboot flash boot boot.img
• or: flash a custom recovery and use the previous vector via update.zip
46 / 51
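Flashing a modified boot.img is the other rooted-phone vector on this slide, and the ramdisk's init.rc (or default.prop) can be changed without touching the kernel at all. As an added example (not the talk's code), the Python below builds a constructed boot image in the classic Android boot header layout (magic `ANDROID!`, page-aligned kernel followed by a gzip'd newc cpio ramdisk) and then does what you would do with a boot partition dumped from a phone that was out of your hands: split kernel and ramdisk, hash both for comparison against a known-good image, and list the services init.rc declares against the ones you expect. The load addresses in the header and the extra `sysd` service are invented for the demo.

```python
"""Split a dumped Android boot.img, hash the pieces, and diff the services
declared in the ramdisk's init.rc against a known-good list.

Added example (not code from the talk). The boot image is constructed here;
load addresses and the "sysd" service are invented for the demo.
"""
import gzip
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# magic, kernel_size/addr, ramdisk_size/addr, second_size/addr, tags_addr,
# page_size, unused[2], name[16], cmdline[512], id[8]  -> 608 bytes
BOOT_HDR = "<8s8I8x16s512s32s"


def cpio_newc(files: dict) -> bytes:
    """Pack {name: data} into a newc ("070701") cpio archive."""
    out = bytearray()

    def entry(name: str, data: bytes, mode: int) -> None:
        name_b = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        out.extend(b"070701" + b"".join(b"%08X" % f for f in fields) + name_b)
        out.extend(b"\0" * (-len(out) % 4))
        out.extend(data)
        out.extend(b"\0" * (-len(out) % 4))

    for name, data in files.items():
        entry(name, data, 0o100644)
    entry("TRAILER!!!", b"", 0)
    return bytes(out)


def cpio_entries(archive: bytes) -> dict:
    """Inverse of cpio_newc: {name: data} for every entry before the trailer."""
    files, off = {}, 0
    while off + 110 <= len(archive):
        if archive[off:off + 6] != b"070701":
            raise ValueError("not a newc cpio archive")
        f = [int(archive[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        size, namesize = f[6], f[11]
        name = archive[off + 110:off + 110 + namesize - 1].decode()
        data_off = (off + 110 + namesize + 3) & ~3
        if name == "TRAILER!!!":
            break
        files[name] = archive[data_off:data_off + size]
        off = (data_off + size + 3) & ~3
    return files


def build_boot_image(kernel: bytes, ramdisk: bytes, page_size: int = 2048,
                     cmdline: bytes = b"") -> bytes:
    """Header page, then kernel and ramdisk each padded to page_size."""
    def page_align(b: bytes) -> bytes:
        return b + b"\0" * (-len(b) % page_size)
    hdr = struct.pack(BOOT_HDR, BOOT_MAGIC,
                      len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                      0, 0x10F00000, 0x10000100, page_size,
                      b"demo", cmdline, b"\0" * 32)
    return page_align(hdr) + page_align(kernel) + page_align(ramdisk)


def parse_boot_image(img: bytes) -> dict:
    (magic, ksz, _ka, rsz, _ra, _ssz, _sa, _tags, page,
     _name, cmdline, _id) = struct.unpack_from(BOOT_HDR, img)
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    koff = page                                   # header takes the first page
    roff = koff + ((ksz + page - 1) // page) * page   # ramdisk after aligned kernel
    kernel, ramdisk = img[koff:koff + ksz], img[roff:roff + rsz]
    return {"page_size": page, "cmdline": cmdline.rstrip(b"\0").decode(),
            "kernel": kernel, "ramdisk": ramdisk,
            "kernel_sha1": hashlib.sha1(kernel).hexdigest(),
            "ramdisk_sha1": hashlib.sha1(ramdisk).hexdigest()}


def init_services(init_rc: str) -> dict:
    """{service name: executable} for every 'service <name> <path> ...' line."""
    svcs = {}
    for line in init_rc.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "service":
            svcs[parts[1]] = parts[2]
    return svcs


def unexpected_services(found: dict, expected: set) -> list:
    return sorted(set(found) - expected)


def demo():
    init_rc = ("on boot\n    class_start default\n\n"
               "service adbd /sbin/adbd\n    class core\n    disabled\n\n"
               # constructed: the kind of entry a tampered ramdisk adds
               "service sysd /system/xbin/sysd --daemon\n    class core\n"
               "    user root\n    oneshot\n")
    ramdisk = gzip.compress(cpio_newc({
        "init.rc": init_rc.encode(),
        "default.prop": b"ro.secure=0\n",   # ro.secure=0 makes adbd run as root
    }))
    img = build_boot_image(b"\x00" * 5000, ramdisk)   # dummy kernel blob
    info = parse_boot_image(img)
    files = cpio_entries(gzip.decompress(info["ramdisk"]))
    return info, files, init_services(files["init.rc"].decode())


if __name__ == "__main__":
    info, files, services = demo()
    print("kernel sha1:", info["kernel_sha1"], "ramdisk sha1:", info["ramdisk_sha1"])
    print("ramdisk files:", sorted(files))
    print("unexpected services:", unexpected_services(services, {"adbd"}))
```

On a real device you would dump the partition (`dd` from the boot block device as root, or pull it with `fastboot`-side tooling) and feed the bytes to `parse_boot_image`; the kernel hash tells you whether the kernel itself was swapped, and the service diff catches the cheaper variant the slide describes, where only the init scripts were changed.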
Agenda
evil maids
detour: the android boot process
attack scenarios: unrooted phones, adb access, rooted phones
protecting yourself
47 / 51
how to protect yourself?
• don't root your phone / flash custom ROMs
• just kidding ;)
• just don't lose your phone...
• use encryption if possible (only /data is encrypted; the boot image that asks for the passphrase is not)
• lock the bootloader again, if possible
• use a stock recovery without the option to flash zips
• unfortunately there is no really good solution
• AdbdSecure app
  • screen locked: adb off
  • screen unlocked: adb on
48 / 51
well...
...you are still totally screwed!
49 / 51
thx for the attention!
scared? ;)
questions?
50 / 51
references
• "Physical Drive-By Downloads" by @thekos
• "Android Modding for the Security Practitioner" by Dan Rosenberg
• "Smudge Attack on Smartphone Touch Screens" by Aviv et al.
• Phone2Phone adb: https://github.com/kosborn/p2p-adb/
• http://tjworld.net/wiki/Android/HTC/Vision/BootProcess
• http://wiki.opticaldelusion.org/wiki/Motoactv
• Root with adb restore by Bin4ry (works on 4.X): http://forum.xda-developers.com/showthread.php?t=1886460
• http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
credits also go to: @theKos, @djrbliss, #droidsec, the modding community and everyone else I ripped off ;)
51 / 51