Vulnerable Out of the Box: An Evaluation of Android Carrier Devices

Video thumbnail (Frame 0) Video thumbnail (Frame 1450) Video thumbnail (Frame 3042) Video thumbnail (Frame 5185) Video thumbnail (Frame 8797) Video thumbnail (Frame 9943) Video thumbnail (Frame 12363) Video thumbnail (Frame 15232) Video thumbnail (Frame 19471) Video thumbnail (Frame 21019) Video thumbnail (Frame 22046) Video thumbnail (Frame 23553) Video thumbnail (Frame 24802) Video thumbnail (Frame 27268) Video thumbnail (Frame 28323) Video thumbnail (Frame 30071) Video thumbnail (Frame 30956) Video thumbnail (Frame 32867) Video thumbnail (Frame 33979) Video thumbnail (Frame 39307) Video thumbnail (Frame 40787) Video thumbnail (Frame 42718) Video thumbnail (Frame 43989) Video thumbnail (Frame 45552) Video thumbnail (Frame 46475) Video thumbnail (Frame 48796) Video thumbnail (Frame 49811) Video thumbnail (Frame 51020) Video thumbnail (Frame 52318) Video thumbnail (Frame 55024)
Video in TIB AV-Portal: Vulnerable Out of the Box: An Evaluation of Android Carrier Devices

Formal Metadata

Title
Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase. This means that the vulnerabilities are present even before the user enables wireless communications and starts installing third-party apps. To quantify the exposure of the Android end-users to vulnerabilities residing within pre-installed apps and firmware, we analyzed a wide range of Android vendors and carriers using devices spanning from low-end to flagship. Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide. We will provide details of vulnerabilities in devices from all four major US carriers, as well two smaller US carriers, among others. The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), obtaining and modifying a user’s text messages, sending arbitrary text messages, and getting the phone numbers of the user’s contacts, and more. All of the aforementioned capabilities are obtained outside of the normal Android permission model. Including both locked and unlocked devices, we provide details for 37 unique vulnerabilities affecting 25 Android devices with 11 of them being sold by US carriers. In this talk, we will present our framework that is capable of discovering 0-day vulnerabilities from binary firmware images and applications at scale allowing us to continuously monitor devices across different manufacturers and firmware versions. During the talk, we plan to perform a live demo of how our system works.
Android (robot) Game controller Server (computing) Android (robot) Computer network Cryptography System call Number Performance appraisal Exclusive or Message passing Performance appraisal Root Prime ideal Smartphone Right angle Physical system Vulnerability (computing) Physical system
Android (robot) User interface Euclidean vector Code Stack (abstract data type) Component-based software engineering Strategy game Software framework Process (computing) Endliche Modelltheorie Physical system Vulnerability (computing) Social class Service (economics) Block (periodic table) Attribute grammar Bit Instance (computer science) Latent heat Message passing Process (computing) Point (geometry) Mobile app Service (economics) Computer file Connectivity (graph theory) Declarative programming Interprozesskommunikation Attribute grammar Oscillation Root Googol Message passing Computing platform Default (computer science) Mobile app Default (computer science) Focus (optics) Android (robot) Content provider Code Field (computer science) Cartesian coordinate system Vector potential Component-based software engineering Broadcasting (networking) Function (mathematics) Computing platform Backdoor (computing) Library (computing)
Email Android (robot) Presentation of a group Greatest element System call Code File format Mereology Leak Uniform resource locator Blog Tower Software framework Process (computing) Vulnerability (computing) Email Token ring Electronic mailing list Data storage device Range (statistics) Instance (computer science) Message passing Process (computing) Sample (statistics) Right angle Modem Asynchronous Transfer Mode Point (geometry) Game controller Mobile app Service (economics) Identifiability Mobile Web Cellular automaton Maxima and minima Directory service Login Discrete element method Factory (trading post) Computer-assisted translation Message passing Firmware Address space Vulnerability (computing) Haar measure Interface (computing) Uniqueness quantification Android (robot) Plastikkarte Login Library catalog Directory service Cartesian coordinate system Number Charge carrier Address space
Point (geometry) Android (robot) Functional (mathematics) Mobile app Service (economics) Computer file Maxima and minima Directory service Data storage device Plastikkarte Login Blog Videoconferencing Moving average Computer-assisted translation Message passing Booting Computing platform Physical system Modem Mobile app Android (robot) Electronic mailing list Cartesian coordinate system Data management Uniform resource locator Physical system Modem
Slide rule Mobile app Installation art Service (economics) Computer file Data storage device Content (media) Plastikkarte ACID Directory service Cartesian coordinate system Login Binary file System call Computer programming Sign (mathematics) Radical (chemistry) Message passing Buffer solution Queue (abstract data type) Reading (process) Modem Modem
Touchscreen System call Multiplication sign Set (mathematics) Database Parameter (computer programming) Traverse (surveying) Mathematics Blog Different (Kate Ryan album) Kernel (computing) Single-precision floating-point format Videoconferencing Vulnerability (computing) Physical system Touchscreen File format Data storage device Parameter (computer programming) Bit Message passing Process (computing) Order (biology) Bridging (networking) Quicksort Physical system Modem Spacetime Asynchronous Transfer Mode Point (geometry) Reading (process) Asynchronous Transfer Mode Mobile app Computer file Line (geometry) Directory service Data storage device Diallyl disulfide Plastikkarte Login Number Broadcasting (networking) Root String (computer science) Queue (abstract data type) Energy level Computer-assisted translation Message passing Default (computer science) Mobile app Default (computer science) Interface (computing) Android (robot) Plastikkarte Directory service Library catalog Cartesian coordinate system Cryptography System call Power (physics) Word Kernel (computing)
Touchscreen Mobile app Touchscreen Factory (trading post) Data recovery Videoconferencing Booting Vulnerability (computing) Asynchronous Transfer Mode
Mobile app Touchscreen Mobile app Multiplication sign Interface (computing) Android (robot) Set (mathematics) Trigonometric functions Number Message passing Latent heat Factory (trading post) Bridging (networking) Videoconferencing Factory (trading post) Video game Arithmetic progression Computing platform
Mobile app Sign (mathematics) Cache (computing) Duality (mathematics) Mobile Web Data recovery Factory (trading post) Cartesian coordinate system Booting Partition (number theory) Asynchronous Transfer Mode
Point (geometry) Mobile app Server (computing) Service (economics) Computer file Data recovery Declarative programming Broadcasting (networking) Cache (computing) Factory (trading post) Booting Partition (number theory) Computing platform Vulnerability (computing) Physical system Social class Mobile app Service (economics) Data recovery Android (robot) Group action Cartesian coordinate system Cache (computing) Process (computing) Quicksort Physical system Asynchronous Transfer Mode
Reading (process) Touchscreen Keyboard shortcut Functional (mathematics) System call Service (economics) Euclidean vector Computer file Parameter (computer programming) Number Graphical user interface Blog Synchronization String (computer science) Videoconferencing Factory (trading post) Flag Energy level Row (database) Message passing Proxy server Social class Physical system Mobile app Block (periodic table) Keyboard shortcut Android (robot) Attribute grammar Single-board computer Mathematics Number Event horizon Function (mathematics) Videoconferencing Physical system
Reading (process) Touchscreen Keyboard shortcut System call Code Rechtschreibprüfer Data storage device Menu (computing) Regular graph Whiteboard Read-only memory Set (mathematics) Factory (trading post) Row (database) Message passing Default (computer science) Mobile app Android (robot) Bit Cartesian coordinate system System call Open set Mathematics Number Message passing Event horizon Videoconferencing Physical system
Point (geometry) Service (economics) Code Civil engineering Rechtschreibprüfer Directory service Cartesian coordinate system Type theory In-System-Programmierung Videoconferencing Row (database) Software framework Key (cryptography) Videoconferencing Message passing
Mobile app Android (robot) Default (computer science) Keyboard shortcut Mobile app Code Keyboard shortcut Rechtschreibprüfer Set (mathematics) Cartesian coordinate system Code Type theory Broadcasting (networking) Mathematics output Text editor Game theory Message passing
Mobile app Reading (process) Keyboard shortcut Touchscreen Mobile app Euclidean vector Android (robot) Attribute grammar Digital object identifier Tablet computer Mathematics Number Event horizon Sample (statistics) Function (mathematics) Website Key (cryptography) Videoconferencing Message passing Firmware Physical system Computing platform Vulnerability (computing)
Android (robot) Group action Scripting language Run time (program lifecycle phase) Thread (computing) User interface Code Source code Function (mathematics) Parameter (computer programming) Mereology Graphical user interface Entropie <Informationstheorie> Process (computing) Multiplication Vulnerability (computing) Exception handling Physical system Scripting language Source code Message passing Buffer solution Right angle Physical system Mobile app Computer file Login Rule of inference Number Revision control Writing Broadcasting (networking) String (computer science) Gastropod shell Energy level Computer-assisted translation Computing platform Disassembler Vulnerability (computing) Physical law Heat transfer Directory service Line (geometry) Group action Cartesian coordinate system Timestamp CAN bus Broadcasting (networking) Logic String (computer science) Function (mathematics) Einbettung <Mathematik> Gastropod shell Flag
Mobile app Scripting language Computer file Directory service Writing Mathematics Firmware Computing platform Vulnerability (computing) Condition number Mobile app Vulnerability (computing) File format Computer file Android (robot) Heat transfer Directory service Message passing Sample (statistics) Function (mathematics) Entropie <Informationstheorie> Website Gastropod shell Key (cryptography) Table (information) Physical system
Dataflow Android (robot) Keyboard shortcut Socket-Schnittstelle Functional (mathematics) Mobile app Set (mathematics) Branch (computer science) Mathematical analysis Mathematics Hooking Videoconferencing Energy level Software framework output Text editor Computing platform Physical system Default (computer science) Constraint (mathematics) Key (cryptography) Forcing (mathematics) Mathematical analysis Cartesian coordinate system Message passing Process (computing) Personal digital assistant Software framework Library (computing)
Point (geometry) Mobile app Dataflow Dataflow Graph (mathematics) Mathematical analysis Internet service provider Philips CD-i Cartesian coordinate system Process (computing) Condition number Control flow graph Computing platform Physical system Condition number
Ocean current Mobile app Probability density function Touchscreen Mobile app Server (computing) Touchscreen Data storage device Plastikkarte Cartesian coordinate system Broadcasting (networking) Message passing Latent heat Function (mathematics) Videoconferencing Quicksort Booting Physical system Electric current Physical system Flag
Mobile app Probability density function Asynchronous Transfer Mode Touchscreen Democratic Action Party Android (robot) Expert system Cartesian coordinate system Connected space Crash (computing) Langevin-Gleichung Physical system Flag
Asynchronous Transfer Mode Functional (mathematics) Mobile app Computer file Code Mobile Web Insertion loss Login Field (computer science) Interprozesskommunikation Number Template (C++) Revision control Broadcasting (networking) Blog DDR SDRAM Videoconferencing Factory (trading post) Message passing Computing platform Modem Service (economics) Namespace Wrapper (data mining) Data recovery Computer program Content (media) Bit Line (geometry) Cartesian coordinate system Vector potential Number Message passing Process (computing) Repository (publishing) Internet service provider Factory (trading post) Revision control Interface (computing) Resultant Modem Booting
Touchscreen Haar measure Demo (music) Source code Cartesian coordinate system Modem
Point (geometry) Broadcasting (networking) Slide rule Group action Message passing Computer file Single-precision floating-point format String (computer science) Data recovery Booting Asynchronous Transfer Mode
Demon Point (geometry) Mobile app Server (computing) Run time (program lifecycle phase) Computer file Data recovery Menu (computing) Mereology Broadcasting (networking) Crash (computing) Exclusive or Cache (computing) Root Different (Kate Ryan album) Gastropod shell Booting ASCII Physical system Mobile app NP-hard Run time (program lifecycle phase) Magneto-optical drive Cartesian coordinate system System call Inclusion map Exclusive or Category of being Message passing Root Prime ideal Online service provider Network socket Computing platform Gastropod shell Routing Modem Asynchronous Transfer Mode Cloning
Demon Email Presentation of a group Run time (program lifecycle phase) Length Multiplication sign Direction (geometry) Mereology Software bug Ubiquitous computing Network socket Information security Physical system Vulnerability (computing) Email Software developer Sampling (statistics) Category of being Type theory Arithmetic mean Process (computing) Interface (computing) Freeware Digital filter Functional (mathematics) Game controller Mobile app Service (economics) Computer file Observational study Connectivity (graph theory) Rule of inference Zugriffskontrolle Latent heat Root Software testing Firmware Traffic reporting Address space Computing platform Mobile app Multiplication Dependent and independent variables Inheritance (object-oriented programming) Key (cryptography) Android (robot) Cartesian coordinate system Component-based software engineering Personal digital assistant Factory (trading post) Charge carrier Routing Address space
they're talking about vulnerable out-of-the-box and evaluation of Android carrier devices I'm sure that's going to be exciting right now but here they are enjoy the con alright first I'd like to thank everyone for coming my name is Ryan Johnson I'm from crypto wire and I collaborated with Angelo Stavrou for this research so why are we
doing what we're doing the short answer is the be proactive look for vulnerabilities responsibly disclose them to minimize any impact to the end-user so there's some recent examples for Android and on the right is from the New York Times when we found that New York are the number one selling unlocked smartphone on Amazon with sending the users text messages and call log to a server in China every three days and it also had a commanding control channel where it could execute commands is the system user so you can see the Android
software stack and mostly where we're gonna focus is up at the top at the pre-installed apps also the android framework and some system libraries so anytime you have an Android device there's going to be some pre-installed apps on there and they can run as soon as you turn the device on some of these apps like platform apps and other pre-installed apps cannot be disabled so if there's a vulnerability in them you're kind of left to try and potentially root your device assuming there's a root strategy available and remove it or wait for a firmware update that fixes it and some of the platform apps they run as a system user which is very privileged so if there's a vulnerability in there an attacker can get some pretty nice capabilities so some of these applications you know can be malicious or insecure and Android vendors when they take Android AOSP code sometimes they customize it a little bit just to differentiate themselves and in doing this they can introduce vulnerabilities so here's a little
primer on Android when you're building an Android app there are certain functional blocks from which you can build your application they're provided there and each of these can provide is a potential entry point into the application when you create an Android application you declare them in the androidmanifest.xml file and you communicate with that components using intents so that's just the framework provided API class which services a message to send to an app component and you can also embed data in them so what makes an application component accessible or not to other processes on the device its regulated by two attributes that would be present in the application component declaration in the manifest file so and there are some instances where Android will by default export an application component so if it doesn't use the Android exported attribute and it contains at least one intent filter Android will export this by default even though you didn't say set Android exported equals to true so at the bottom there's a a service that's being declared and this service is exported by default and using it you can actually download and install an application so here's the threat model a
low privileged third-party app needs to be present on the device and this can reach the device either by repackaging so taking an application inserting code into it putting it onto a third-party market phishing sending it directly to the target or remote exploit we saw with the aid UPS command and control channel that that was over HTTP and using that you could just man-in-the-middle it and say download this application install it and run it or it could be part of the second stage exploit generally the attack the permission requirements are potentially no permissions or read external storage because read external storage we've noticed they have pre installed applications some of them will just dump data to the SD card and so the the application is a malicious app without malicious permissions that is leveraging a pre-installed app an open interface in the pre-installed app to get some resources or capabilities that it cannot access directly so here's a list of some of the vulnerabilities we found we process more than 500 firmwares and it shows the device the vulnerability as well as the carrier and we have a framework scanning for vulnerabilities in a pipeline with additional vulnerabilities that haven't yet been disclosed and in this presentation we're gonna try and cover all of them so starting off with ZTE we looked at a bunch of ZTE devices on carriers and each ZTE device we looked at contain this vulnerability so you can see the devices at the bottom and essentially any application on the device can interact with a custom service that they have and have this service start writing the modem log and the log cat log to the SD card in the log catalog the system-wide one is not directly accessible to third-party applications no matter what permissions they request and when this logging is occurring there's no visual or audible cue to the user that this is occurring and it writes it to base directory of just SD card SD underscore logs so here
are some instances of things that we've seen in the log catalog so any process on the device can write any arbitrary message to the log it's a shared resource so if you leaked a data there it's going to show up in the log the example up at the top right that is from fortune 500 Android fortune 500 banks Android app and the device or the application writes the user credentials to the log some devices we've seen have the messaging app in debug mode so at that point you'll see the destination of the text message as well as the body of the text message and we've also seen things like unique device identifier users email address and GPS coordinates
so due to the log being a shared resource and that any application can write arbitrary data there it was moved from an application for mission that a third-party app could get to a system or platform permission in Android 4.1 here's a list of some devices as well as the carrier and some unlocked devices where a third-party application can have pre-installed that on that device start writing the log to a location the system-wide log to a location that it can access and I've got a question for the audience does anybody know how to interact with a bound service without the accompanying a IDL file ok so this is how it works on the CTE device there's a pre-installed platform app this app right after boot registers itself as a custom service called modem service the third-party apps as give me a handle to this service it gets the handle from the Android OS service manager and this service that it obtains is like a mini Service Manager that often offers five services so you get the SD log service and at this point then you just call three functions and it will start writing the logs the modem logs and for this it's specifically the modem log although the log cat log is done in a very similar way except just with a different service and we have a
video for that
so here just going terminal application going to the SD card going to the directory where it writes them just showing that it's not there so for a third-party application to actually access the modem log which you know contains the users text messages and call data they would need to read external external storage permission to access it so just installing some app it's going to be done by an activity in the foreground this could be done in the background by a service going back to the terminal that directory should be there now and the the modem logs are actually in a queue MDL file which is a binary file there is a program to access it to parse it out I don't have that program but I can still identify where the text messages are and show you in a slide soon so here's the logcat log which they should have a file for for different log buffers and it's just going to continue writing to them anytime the device is on so just a Lessing to show that the size is increasing and then just catting it to show the contents of it and then we'll go back to the base directory to look at the queue MDL file we're unsure if this actually contains voice data from the telephony but it does contain the text messages and incoming and outgoing calls
so this just parsing the Q MDL file you can see the the text messages and incoming and outgoing one the phone number is in Reverse byte order and the actual body of the text message is in seven bit packed format and so it's just a incoming and outgoing text message and then just the calls that you make also show up in this queue MDL file and moving on switching to LG we have some vulnerabilities here you can also obtain the system-wide logcat log except this you can get it written to the attacking applications private directory so you don't need any permissions and you can see the device is affected it's generally written to the SD card but that you can use path traversal and you can also inject a parameter argument to the command that's X being executed to get all of the logs you can also lock the user out of their device so a zero permission app can just send a single broadcast intent and the screen lock will not let the user in I'll show a video of that soon there's another pre-installed app where you send it a broadcast intent and it's going to write a database full that contains snippets of the logcat log and the kernel log to external storage so to get the system-wide log cat log there's a pre-installed app it will execute the command that's shown in the first bullet this when you activate it by sending in an intent you can actually provide the path there's the default path and the second bullet so if you just do double dot slash four times it takes you back down to the root directory and then you just that on slash data / dat a-- a package name and then a file in your private directory and at that point that does require some file permission changes which any app can do you need to have the apps private directory globally executable and you need to create that file or create the file that you're going to write to and then make it globally writable so this system process can append to it but you'll still own the file and in the intent you can provide an ArrayList of string and in these strings it's essentially just a log tag to add to the command but and it depends a call and V to it just to give any log message at any log level for that log tag but in red if you just do the wild-card : V this will give you every single log message in the log and then space and then any arbitrary word and then that gets added to the command and then it's going to start writing the system-wide log catalog to the attacking applications private directory so you
can also lock the user out of their device so this makes the screen lock essentially unresponsive except for making emergency phone calls and this is done the system UI app as an exported interface where you send it a broadcast intent and at this point it's going to lock the screen and this screen lock is active in safe mode so in safe mode third-party apps are running but pre installed applications are running but it reads from system UI app will read from system settings and keep the lock in place this sort of thing could be used for a crypto let's ransomware where you could provide messages at the bottom they're called toast messages informing the user you know where to pay to unlock it and the user if they have enabled a DB prior to the screen lock attack they can unlock it if they are crafty and look around change manually changed the settings and/or send a different broadcast intent to unlock it so have a
video so this just showing we have a
screen lock on and also LG patched all these vulnerabilities so just a zero permission app installing it it should run for a second and then the screen
lock you can't really do much with it so unless you know you can figure you have a DB enabled it's prior to that and you can figure out how to do it you're gonna have to boot into recovery mode and factory reset the device potentially lose data to actually recover it
so they're speaking of factory resets we also found that a number of devices some of them carrier some of them unlocked exposed to the capability to perform a factory reset if you have an Android phone you've gone into the Settings app and seen erase data this it will perform a factory reset this is generally done just by an exposed interface in a platform act where zero per finishin app sends it a specific intent message and then it will programmatically go and wipe the device and any user data that is not backed up somewhere will be lost so if you've been playing a video game for a long time made a lot of progress that's potentially gone as well as text messages and pictures so we have a video
for that
so this is a t-mobile rebel device and we're going to just install an application it shows that it doesn't have any permissions there so and then it boots into recovery mode and then wipes the data in cache partitions
so this is kind of the workflow to do it on the essential phone so just any application on the device it can have no permissions it starts an activity art art en reset activity that's in a pre-installed platform app which is very privileged that activity then starts with another activity which is going to send the master clear broadcast intent and this will be received by the system server process the system server process provides applications with all sorts of services so the master clear receiver receives this it calls an internal API class recovery system and a method called rubra reboot wipe user data and at this point it writes - - wipe underscore data as well as a few things - the file on the cache partition cache recovery command then boot reboots into recovery mode and then just wipes the data and cache partitions so also we did find arbitrary command execution as the system user through a vulnerable platform app on the Asus zenfone 5 live device so we talked about the androidmanifest.xml file earlier here's the entire manifest file for the application so in red just showing that it's a platform app running a system blue is a package name red is exported meaning any application can interact with it and orange is the name of it and the service declaration is provided in bold so this is a bound service we don't
have the a IDL file but this can be found out by looking at the stub class and the stub proxy class for the service so you know usually if you had the IDL file you could use some RPC which would make it easy but since you don't you have to go one level down actually get the I bind your reference called the correct a function number for it and populate any parameters in the parcel so here is just writing a string to the parcel also using one flag one way so it's synchronous and doesn't block and here
are some of the capabilities once you have arbitrary command execution a system user what you can do and we have a video for that
so here just going to the applications
that are installed this called DEFCON 26 you'll see that it doesn't have any permissions click around on it for a little bit so there's a nice little menu
if you want to obtain the user's text messages you can the way it's being done takes a little bit and I'll explain why so just getting the users contacts looking at the call log also this application has the code to be a notification listener embedded in it so it can obtain the users note of active notifications receive them when they
come in it can go take a screenshot so that shows up in the applications
directory you can also this application has the code from the spelling checking framework it implements a spell checking service so at this point when the users typing something and it doesn't work in all applications only when the spell checker kicks in but you can kind of see
what they type and also record a video of kind of what the users doing so here
just playing some game and trying not to die also this application if you want to implement a keyboard on Android it's called an input method editor so the
previous keyboard was actually the standard looking keyboard it has the
code to be an input method editor so it's going to change the settings to set itself as the keyboard so the keyboard is going to look different I mean if you wanted to be malicious you would want to try and have it match the default keyboard but the the keyboard you'll see soon will be blue so it's going to swap the keyboard it's this it just writes some changes settings to have the keyboard be the one that it's implemented in its code and then any key codes that are pressed are going to be transferred to the malicious app via a dynamically registered broadcast receiver and this will get something you know everything that you type so going to type something delete it and then type something else and then just keeping a log of what the user typed
and then calling 9-1-1 which if you can
do i talk to a nice gentleman who was
kind of understanding about it once I explained why I was doing it so we also once we saw that on Asus devices we they provide actually the firmware on the website and also historical firmware so we downloaded a bunch just to see what was vulnerable and also we also found that tablets had this vulnerable platform app then we also wanted to find
out when it was introduced so we focused on one device which was the Asus zenfone 3 and saw that it was introduced around March 2017 and then it further got introduced into all other markets except for China which was just stated Android 6.0 1 which is a non vulnerable version
and this is a non-us carrier device but it's a device that's popular in Asia it's called AF 5 and this vulnerability has been patched and they also went and after this became a CNA which we thought was a very good thing so there's an application on here which is a very simple application we took the o Dex file and then provided the source code for it so essentially it just has a thread and it will take a string and then execute it as the system user and on the lower right is actually just the code to execute it so another question for the audience so does anybody have a good way if you just have access to runtime exec to make the vulnerable app write a script and then execute it okay so what we did one of the devices we looked at actually the platform app that seen Linux rules prevented the platform app from reading and writing from an untrusted 30 part or third-party apps private directory although all the other devices allow that but this device prevented that so just using runtime exec is kind of limiting we would you know want to have some logic in there as well as some output redirection so the approach that we came up with to do that is just to select a string with high entropy and then in the attacking hack create a dynamically register a broadcast receiver that has an action string of that high entropy string and then from there start writing to the log using a log tag of that high entropy string and then each log message contains one line of the shell script to execute you can see it at number two from there since you have command execution you make it execute the command in bold so this makes it there's a bunch of parameters to it so it's just a law cat command - be raw just gets you the actual log messages as opposed the log tags and any timestamp stuff - s-silence is every other tag except the one that you want which is that high entropy string at any log level - eff writes the log messages to a shell script in the vulnerable apps private directory and then - the makes it dump the log as opposed to keep reading from it so it just dumps a log buffer so that's going to write your script to the vulnerable apps private directory and then you just change the file permissions on it and then execute it and the example here is just to get the text messages write it to a file in its private directory and then send that file using a broadcast intent and embedding it in there to be attacking apps to the attacking app and then if
you relax some of the conditions if they can write to the vault a vulnerable platform app that they can write to the third party a private directory then you can just have it right directly in there with the text messages shown here and that it require requires the file permission changes that I mentioned earlier making the attacking apps private directory globally executable and creating an empty file and making it globally writable so Oppo does provide the
firmwares on its website at least the most recent one so we downloaded some of those just to see what's vulnerable it's segmented by country market and we downloaded more except they use a no zip format which is you know encrypted we were able to get some of them but not all of them and this table is ordered chronologically with most recent first and if you do have command execution as
a system user if the whole if the attacking half implements an IME or a spellchecker those are just the commands to actually change it in settings if the platform app has the privileges to change system settings so we have an analysis framework we have something called force path execution which will you know take a firmware unpack it and then process all of the apps in parallel and the force path execution it can actually force into certain branch constraints just in case there's any triggered functionality to try and make the application show all of its behavior under you know any circumstances we also do some static analysis obtaining an analysis to see if there's any vulnerable flows to see if there's you know say that obtaining the users text messages to see if that flows to a network socket and then also using a custom Android build where we control the the framework key we can perform some hooking a framework level and also hook some of the library calls see how the application is interacting with the system and man-in-the-middle the traffic and we have a video
so we there's three vulnerable platform apps that have command execution as a system user so just performing some taint analysis building the control flow graphs also the data flow graphs and then looking to see if there's any paths and data that actually flow from the application entry point to runtime exec or process builder to see if there's you know any vulnerable or any paths as well as the path conditions of what it would actually take to reach that path we also
found that certain devices have the capability where a third-party app can initiate the taking of a screen shot so this is generally from system server being modified there will be a broadcast receiver where if you send it a specific intent message it will take a screenshot and if an application has read external storage it can read from the SD card also expand the status bar to see what the users current notifications are and this sort of thing isn't transparent to the user so they can see it but an application if it knows the user hasn't been using the device for a while it can even though there's a screen lock come into the foreground bring down the notification bar take a screenshot and then use a generic attack to soft reboot the device to get rid of the notification so we have a video showing
that so there's an active screen lock on
the device the application runs takes a
screen shot
shows up in the applications imageview and then it it's going to cause a system crash because that screenshot does leave
a notification so it wants to remove that not to alert the user
we also found an application on certain devices which allows any third-party application without any permissions to send text messages read text messages modify them and also obtain the phone numbers of the users contacts the package names are provided there one of the package package names is actually just a refactored version of the other so the namespace is a little different but the functionalities the same and this is a platform app that can't be disabled so looking at the manifest file for the application the receiver up at top and read it's exported and if you send an intent message with the correct fields that it's looking for such as the message to send and the phone number to send to it will go on and send a text message for you and there's also seven content providers which are exported and that's usually a kind of strange behavior a little bit because they tend to contain their repository for data so that opens it up to any process on the device and they actually act as a wrapper so you can't weird this content provider it's going to query the text message content provider get the results pass that back to you so moving on to
the ZTE zmax champ device so there's a pre-installed platform app here which will just allow any application on the device to cause a factory reset resulting in potential data loss for the user there's also a way to get the logcat logs and modem logs that were described previously and you can also if you have just the standard zero permission third-party app just with a standard template with all the callbacks you can make this device non-functional with essentially one line of code by sending a broadcast intent to a specific app and we have a video
showing that so this is the ZTE zmax
champ device we're gonna install an application on it I got to allow third-party sources so it doesn't have any permissions that's what that screen shows you're gonna cancel that so this application is just going to
send a single broadcast intent message with a particular action string it's going all explain the workflow in the next slide but essentially what's going
to happen is it writes a certain value to a file that's going to be processed in recovery mode and as far as we can tell it's going to encounter a fault boot back in the recovery mode encounter the same fault while trying to erase it and it appears this is due to them using a non AOSP command in recovery which I'm not sure is just not handled but essentially that device will just keep doing that until it runs out of battery and we weren't able to find a way to boot into an alternate mode at that point
so here's a workflow for it it's just a you know a zero permission a third-party app on the device it sends a broadcast intent message there's an application that has hidden menu in the package name and usually those are apps you want to look at so it sends that broadcast intent it receives it and then it's going to go on and send a different broadcast intent and it's called master clear data carrier this again is going to be received by the master clear receiver that's in system server at this point it calls an on a OSP api method call in recovery system called reboot wipe user data and carrier it writes that file shown in step 5 there's - - wipe carrier which is not part of a OSP and then it's going to write it to that file reboot into recovery and then it's going to go into recovery and just perpetually crash in recovery mode so here's moving to Alcatel this is an unlock device this was sold a while ago as an Amazon Prime exclusive so it would have some of the Amazon apps on there and be at a discounted price and this device allows read-only properties to be modified at runtime which is not the standard behavior so if you have a DB enabled you can execute those commands below just setting ro debuggable to 1 and then ro secure to zero and then a DB root that's going to restart a DB daemon running his route as opposed to adb shell and then disabling selinux and then at that point you have a root shell one thing we noticed on this
device we looked at the init RC file which contains commands for the init process to execute and there's a directive so if ro debuggable gets sent to one to start a process this process the BT W land daemon and it will go on and start binary called factory test that's running as root so once that property gets changed that that process starts executing his route and it essentially its function is to listen to commit listen creates a socket you know you can send to the socket commands and it will execute them as route we weren't able to do that from a third-party application but we did notice that app platform apps actually can modify that permission it run for that property at runtime to make that socket show up were unsure assistive platform user can actually write to it but defender contain controls the SELinux rule so if they wanted to they would be pretty close to getting command execution as route and just kind of to conclude many of these vulnerabilities were just done by insecure access control so there were a lot of exported components which you know don't necessarily need to be open to every third-party application on the device also if you're an app developer you don't want to assume that you know just because an application doesn't have the a IDL file for the bound service that they can interact with it somebody will be able to figure that out and you know access it if you are executing commands as a system user and somehow that gets exported you would at least want to filter commands just so it's not any arbitrary commands only actually what's needed and just from the responsible disclosure process all of these vulnerabilities were responsibly disclosed although sometimes it's difficult to find you know who exactly to talk to who's going to escalate it quickly so if there was a common email address to send to that would facilitate things and also we have a report if you're interested send us an email and does that anybody have any questions hey I didn't look at anyone Plus devices yes I'm sorry so the question was if we looked at anyone plus phones because they actually have the parent company is I think BBK Electronics which owns Oppo vivo and oneplus but and I like we haven't looked at one plus devices one of the things that I want to point out is that the devices that we show today are a small sample of the devices that we have identified as being Barbour clearly the death length of the talk does not allow us to talk about all the devices that we have found but there were more than 26 devices that we have currently identified the ditch clothes as part of the report and we have an ongoing pipeline of devices that we have identified that are vulnerable and we're in the process of disclosing into the vendors the the key here is a a lot of the devices come with a lot of the a lot of the OEMs here vulnerabilities that the devices come from the factory directly to the user and these these vulnerabilities cannot be disabled but the user even if they identify that their phones were off and I think that's the important part here the question is if the the essential phone is specific to sprint no it's not specific no no and again the reason that we have some of the phones are tired tired carriers is because we wanted to show that basically that's not not a specific carrier problem or specifically I am problem but is pervasive problem across multiple carriers and the industry needs to be looking at that as a whole rather than you know specific carriers so this is the the answer to that no and the reason is because this type of we we looked at over 500 firmware we didn't have this is the first initial preliminary I would say presentation for the study we do believe that there are other one not believe it so if you don't see a phone here it doesn't mean that we looked at it and it's not vulnerable we had limited the amount of time and and remember that all of these devices were disclosed 60 days so between the six days prior and now we have more devices identified which we cannot disclose here but they're still vulnerable I've been here a question yeah we weren't aware of that at the time but thanks for letting us know happen not only to the OEMs guys the disclose will happen to the carrier's themselves so it's not that we tried very hard to reach out to these possible parties here this these final spots ahead of our presentation so basically we don't put people in harm's way and most of the vulnerabilities somehow being either addressed or there's a fix repair some of them are not but this completely up to the OEMs and the carriers to that I mean I've got a kind of a history with Samsung I mean they've given me you know bug bounty free phone represented at blackhat Asia 2015 for them so sometimes it is that we are in the process of looking into more devices some of them might be vulnerable some others are not we cannot disclose anything today more than what we disclose because we are in the 60 to 90 days disclosure process that we have established with the elves I don't know if we can we can't speak for Google yeah I think address the question director I think I think they're trying hard to help with ecosystem security but I mean we cannot ask if there are more about no more questions thank you very much [Applause]
Feedback