SLIDE 1

Ardui-no pown Android

A. Cervoise
antoine.cervoise@gmail.com
July 6, 2016

RMLL Sec 2016 1 / 33

SLIDE 2

Summary

◮ Powning Android
◮ Arduino
◮ Enable debug mode
◮ Install APK
◮ Conclusion

SLIDE 3

Attacks against Android

Interesting here

◮ Attack through debug mode
◮ Installing APK

Not interesting here

◮ Access through ClockworkMod
◮ Reading the RAM

SLIDE 4

Debug Mode Attack

Root the phone

adb pull /data/system/gesture.key ./gesture.key
adb pull /data/system/password.key ./password.key
adb pull /data/data/com.android.providers.settings/databases/settings.db ./settings.db
adb pull /dbdata/databases/com.android.providers.settings/settings.db ./settings.db

Extract the gesture hash (not salted) or the password/PIN hash and salt

Then john

SLIDE 5

About Android Debug Mode

Enabling debug mode

◮ Before Android 4.2.2: debug mode is allowed
◮ Android 4.2.2-4.4.2: debug mode needs validation (Secure USB), can be bypassed
◮ Since Android 4.4.3: Secure USB debug mode

SLIDE 6

About Android Debug Mode

USB confirmation dialog on the emergency dialer (when phone is locked)

https://labs.mwrinfosecurity.com/advisories/android-4-4-2-secure-usb-debugging-bypass/
SLIDE 7

About Android Debug Mode

Samsung B7510 enables debug mode each time USB is plugged in

SLIDE 8

About installing apk

◮ On Play Store: the app is "audited" by Google
◮ Directly with the APK: need to allow unknown sources
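
A defender-side check built on the debug-mode version ranges and the unknown-sources setting from the slides above, as an added example that is not part of the original presentation: it audits device inventory records for exposure to the debug-mode and APK-install paths. The record fields reuse the Android settings key names adb_enabled, development_settings_enabled and install_non_market_apps, as read with `settings get` or exported by an MDM; the inventory, device ids and severity labels are constructed assumptions.

```python
import re

# Thresholds from the "About Android Debug Mode" slide.
SECURE_USB_INTRODUCED = (4, 2, 2)   # host must be validated from here on
SECURE_USB_FIXED = (4, 4, 3)        # lock-screen bypass no longer applies

def parse_version(text):
    """'5.1.1' -> (5, 1, 1), '4.4' -> (4, 4, 0), anything else -> None."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", (text or "").strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def adb_regime(version):
    """Map a version tuple onto the three cases listed on the slide."""
    if version is None:
        return "unknown"
    if version < SECURE_USB_INTRODUCED:
        return "no-validation"
    if version < SECURE_USB_FIXED:
        return "validation-bypassable"
    return "secure-usb"

def audit(device):
    """Return findings for one inventory record (all values are strings)."""
    findings = []
    regime = adb_regime(parse_version(device.get("android_version")))
    adb_on = device.get("adb_enabled") == "1"
    if regime == "unknown":
        findings.append("REVIEW: Android version unknown, debug-mode protection not assessable")
    elif regime != "secure-usb":
        level = "HIGH" if adb_on else "MEDIUM"
        findings.append(f"{level}: {regime}, update to Android 4.4.3 or later")
    if adb_on:
        findings.append("HIGH: USB debugging enabled, disable it or forbid it by MDM policy")
    elif device.get("development_settings_enabled") == "1":
        findings.append("LOW: developer options unlocked, USB debugging is one toggle away")
    if device.get("install_non_market_apps") == "1":
        findings.append("MEDIUM: unknown sources allowed, APKs from outside Play Store install")
    return findings

# Constructed inventory; keys mirror Android settings names, device ids are made up.
INVENTORY = [
    {"id": "dev-01", "android_version": "4.1.2", "adb_enabled": "1"},
    {"id": "dev-02", "android_version": "4.4.2", "adb_enabled": "0",
     "install_non_market_apps": "1"},
    {"id": "dev-03", "android_version": "5.1.1", "development_settings_enabled": "1"},
    {"id": "dev-04", "android_version": "Unknown", "adb_enabled": "0"},
]
for dev in INVENTORY:
    print(dev["id"], audit(dev))
```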

SLIDE 9

Summary

◮ Powning Android
◮ Arduino
◮ Enable debug mode
◮ Install APK
◮ Conclusion

SLIDE 10

Arduino

Emulate keyboard

◮ https://github.com/samratashok/Kautilya
◮ https://github.com/offensive-security/hid-backdoor-peensy

SLIDE 11

Summary

◮ Powning Android
◮ Arduino
◮ Enable debug mode
◮ Install APK
◮ Conclusion

SLIDE 12

Open settings

Samsung Galaxy S6, Android 5.1.1
Polaroid PROS08BPR001, Unknown Android
Sony Xperia Z1 Compact, Android 5.1.1

SLIDE 13

Open settings

SLIDE 14

About phone

SLIDE 15

Activate developer mode

SLIDE 16

Developer mode

SLIDE 17

Activate debug mode

SLIDE 18

Debug mode warning

SLIDE 19

MDM

SLIDE 20

Summary

◮ Powning Android
◮ Arduino
◮ Enable debug mode
◮ Install APK
◮ Conclusion

SLIDE 21

URL

https://docs.google.com/uc?id=[...]&export=download

SLIDE 22

Choose browser

SLIDE 23

Open file application

SLIDE 24

Open file application

SLIDE 25

File application

SLIDE 26

Find your apk

SLIDE 27

Try to install it

SLIDE 28

Activate unknown sources

SLIDE 29

Last warning

SLIDE 30

Summary

◮ Powning Android
◮ Arduino
◮ Enable debug mode
◮ Install APK
◮ Conclusion

SLIDE 31

Conclusion

Faster

◮ For some specific task (get the URL)
◮ Or if you really know the target

SLIDE 32

Conclusion

For other kinds of attacks

◮ Fuzz Android
◮ Bruteforce PIN code, password, pattern

https://github.com/cervoise/Hardware-Bruteforce-Framework-2

SLIDE 33

Questions?
