evil maid on droids
play

evil maid on droids or why you should never loose your android - PowerPoint PPT Presentation

Jan 17, 2024 •444 likes •1.31k views

evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06 Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 2 / 51 Agenda

  1. evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06

  2. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 2 / 51

  3. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 3 / 51

  4. evil maids wat? 4 / 51

  5. evil maids wat? 1. device left at hotel room 4 / 51

  6. evil maids wat? 1. device left at hotel room 2. maid comes in 4 / 51

  7. evil maids wat? 1. device left at hotel room 2. maid comes in 3. maid installs malware, fetches data, etc. 4 / 51

  8. evil maids wat? 1. device left at hotel room 2. maid comes in 3. maid installs malware, fetches data, etc. 4. ??? 4 / 51

  9. evil maids wat? 1. device left at hotel room 2. maid comes in 3. maid installs malware, fetches data, etc. 4. ??? 5. PROFIT!!! 4 / 51

  10. targets � laptop is classic target � full disk encryption as mitigation 5 / 51

  11. targets � laptop is classic target � full disk encryption as mitigation � modify unencrypted bootloader/kernel 5 / 51

  12. targets � laptop is classic target � full disk encryption as mitigation � modify unencrypted bootloader/kernel � secure boot as mitigation � EFI SecureBoot on x86 PCs/Notebook � Reduced access on embedded devices 5 / 51

  13. a new victim arises 6 / 51

  14. a new victim arises picture: thx sofie <3 6 / 51

  16. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 8 / 51

  17. partition layout � /system : OS binaries and config, android, framework � /data : user-installed apps, all user data � boot: kernel, fs root / � recovery : recovery system � cache : dalvik cache, other cached data � /sdcard /mnt/storage : music, videos, whatever . . . Actual layout depends on device 9 / 51

  18. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 10 / 51

  19. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 2. PBL starts secondary boot loader (SBL) 10 / 51

  20. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 2. PBL starts secondary boot loader (SBL) 3. app processor bootup – HBOOT bootloader 10 / 51

  21. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 2. PBL starts secondary boot loader (SBL) 3. app processor bootup – HBOOT bootloader 4. HBOOT loads kernel/recovery 10 / 51

  22. security? – locked bootloaders for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) verifies signature of sbl 2. PBL starts secondary boot loader (SBL) verifies baseband code and HBOOT 3. app processor bootup – HBOOT bootloader 4. HBOOT loads kernel/recovery verifies signature on kernel/recovery 11 / 51

  23. bootloader unlocking � disables signature checking/verification in boot process � allows booting of third-party code → yay, custom ROMS! 12 / 51

  24. bootloader unlocking � disables signature checking/verification in boot process � allows booting of third-party code → yay, custom ROMS! � bootloader unlocking � using fastboot tool f a s t b o o t oem unlock � usually does factory reset � erases /data/ � remove device settings (e.g. saved wifi passwords) � might need some proprietary tool or an exploit for unlocking 12 / 51

  25. HTC S-ON/S-OFF � system, kernel, recovery is hardware-write-protected � “temp root” – rooted phones will be unrooted at next boot � bootloader unlocking – S-OFF � submit device-specific token � flash signed blob � voids warranty � unpublished exploit: revolutionary 13 / 51

  26. fastboot and co � fastboot � “standard” protocol from AOSP � implemented in app processor bootloader (e.g. HBOOT) � can flash images to partitions � can directly boot kernels � other proprietary protocols/tools exist � nvflash for Tegra devices � old Motorola: SBF + miniloader � flash images via usb-exported-ramdisk (archos) � etc. . . 14 / 51

  27. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 15 / 51

  28. assumptions � device has set a PIN/password/pattern � else you are totally f**cked anyway � face-unlock also sucks � typical smartphone usage � google, facebook, twitter account set up � access to storage device not possible � because of encryption � hardware protection � attacker can’t solder ;) 16 / 51

  29. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 17 / 51

  30. prerequisites � stock ROM � no adb � no root 18 / 51

  31. pull sdcard 19 / 51

  32. pull sdcard how? � pull sdcard � dump everything 20 / 51

  33. pull sdcard how? � pull sdcard � dump everything what? � personal data (pictures, music) � apps2sd � e.g. /sdcard/Android/data/ � app backups � probably nothing really critical � company phone – company data??? 20 / 51

  34. what about nexus s? � there’s no sdcard! 21 / 51

  35. what about nexus s? � there’s no sdcard! � only internal storage � accessible via media transfer protocol (mtp) � access only when unlocked � restricted access to data 21 / 51

  36. smudge patterns I 22 / 51

  37. smudge patterns II 23 / 51

  38. old news. . . boring stuff. . . 24 / 51

  39. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 25 / 51

  40. prerequisites � phone used personally and for development � stock ROM � no root � adb enabled 26 / 51

  41. install malware � create and install malicious app pulling all possible data adb i n s t a l l com . example . AngryBirdsStarTrek . apk 27 / 51

  42. install malware � create and install malicious app pulling all possible data adb i n s t a l l com . example . AngryBirdsStarTrek . apk � still restricted access � give malware every possible android permission � still no access to most of /data/ � no system or systemOrSignature level permissions � pull � personal data � contacts/texts 27 / 51

  43. disabling keyguard via app 28 / 51

  44. disabling keyguard via app KeyguardManager keyguardManager = ( KeyguardManager ) getSystemService ( Context .KEYGUARD_SERVICE) ; KeyguardLock mkeyguardLock = keyguardManager . newKeyguardLock ( " unlock " ) ; mkeyguardLock . disableKeyguard () ; 28 / 51

  45. disabling keyguard via app KeyguardManager keyguardManager = ( KeyguardManager ) getSystemService ( Context .KEYGUARD_SERVICE) ; KeyguardLock mkeyguardLock = keyguardManager . newKeyguardLock ( " unlock " ) ; mkeyguardLock . disableKeyguard () ; � hitting back/home button might enable keyguard again � depending on the device and the rom � might also get you to launcher activity (=win!) 28 / 51

  46. disabling keyguard via app KeyguardManager keyguardManager = ( KeyguardManager ) getSystemService ( Context .KEYGUARD_SERVICE) ; KeyguardLock mkeyguardLock = keyguardManager . newKeyguardLock ( " unlock " ) ; mkeyguardLock . disableKeyguard () ; � hitting back/home button might enable keyguard again � depending on the device and the rom � might also get you to launcher activity (=win!) � solution: launch other activities/intents via our malicious app so no problem ;) 28 / 51

  47. intercepting login credentials 1. install custom ca cert 2. set proxy in network settings 3. launch intercepting proxy 4. grab stuff � google auth token � facebook token, password � etc. 29 / 51

  48. intercepting login credentials 1. install custom ca cert 2. set proxy in network settings 3. launch intercepting proxy 4. grab stuff � google auth token � facebook token, password � etc. � no cert errors, since we installed a trusted CA cert � unfortunately not everything uses system proxy � gapps, facebook work fine 29 / 51

  49. grabbing google auth token using the mitmproxy tool 30 / 51

  51. google backups � so we have the google auth token 32 / 51

  52. google backups � so we have the google auth token 32 / 51

  53. google backups � so we have the google auth token � adding auth token to rooted phone → provides access to everything backed up to google (in plaintext) 32 / 51

  54. so still no root. . . 33 / 51

  55. so still no root. . . � well. . . 33 / 51

  56. so still no root. . . � well. . . get root! � root via adb restore by Bin4ry (for Android 4.0 and 4.1) � mempodroid � ZergRush � Gingerbreak � . . . 33 / 51

  57. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 34 / 51

  58. prerequisites � rooted phone � custom ROM, recovery � adb access 35 / 51

  59. well. . . . . . you are totally screwed! 36 / 51

  60. well. . . . . . you are totally screwed! 36 / 51

  61. the attack adb p u l l / data / data / adb p u l l / system / data / 37 / 51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy Bulygin (@c7zero) CanSecWest 2013 Outline 1 UEFI BIOS Outline 1 UEFI BIOS 2 Measured/Trusted Boot Outline 1 UEFI BIOS 2 Measured/Trusted Boot 3 The

906 views • 90 slides
Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

The Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history November 2005 its distracting! reuse is overrated! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Shit! eek! appable_plugins desert

972 views • 96 slides
Backdoors furtives et autres fourberies dans le noyau Arnaud Ebalard

Backdoors furtives et autres fourberies dans le noyau Arnaud Ebalard

Backdoors furtives et autres fourberies dans le noyau Arnaud Ebalard &lt;troglocan@droids-corp.org&gt; Pierre Lalet &lt;pierre@droids-corp.org&gt; Olivier Matz &lt;zer0@droids-corp.org&gt; Les 45 prochaines minutes ... Injection de code

836 views • 38 slides
DWDC Vancouver presents... MAID 101 Your presenter today is Connie Jorsvik , BSN, Independent

DWDC Vancouver presents... MAID 101 Your presenter today is Connie Jorsvik , BSN, Independent

DWDC Vancouver presents... MAID 101 Your presenter today is Connie Jorsvik , BSN, Independent Healthcare Navigator &amp; Patient Advocate. The DWDC Vancouver MAID 101 Team: Dr. Sue Hughson Alex Muir Darrell Mahoney Susan

584 views • 44 slides
The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

Webinar: Abortion &amp; Conscientious Objection 2 July 2020 (Adv Keith Matthee SC) 1 As a nation we would be well advised to heed the words of Professor Forstchen in his review on the film Downfall, which exposes the evil of Adolf

490 views • 11 slides
Why MAID cases are different from a coordinator perspective Emily Evans Organ and Tissue

Why MAID cases are different from a coordinator perspective Emily Evans Organ and Tissue

Why MAID cases are different from a coordinator perspective Emily Evans Organ and Tissue Donation Coordinator Overview of Organ Donation Following MAID in Ontario 1 st physician confirmation of eligibility Notification to TGLN Consent for

798 views • 11 slides
Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He even exists. Natural disasters and diseases seem at odds with a good and benevolent God. Try to remember, though, that God created this universe

462 views • 8 slides
Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by Appliances? appliance / pl ns/ Noun A device designed to perform a specific task, typically a domestic one. Digital Signage

1.04k views • 55 slides
DROIDS @z @zer er0m 0mem em #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ] Background

DROIDS @z @zer er0m 0mem em #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ] Background

Racing with DROIDS @z @zer er0m 0mem em #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ] Background @K33nTeam Previously ~4 years in ESET Contact twitter : @zer0mem weibo : weibo.com/u/5238732594 blog :

673 views • 45 slides
THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie

THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie

THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie Dehler 4-22-12 What is the problem? (1 of 2) Q: If God is all-loving and all-powerful, why is there so much evil in the world? A: What evil are you

312 views • 15 slides
Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL

Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL

Revelation series nr.10: Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL Series The Future has already Begun #10 IBC Eindhoven, 8 March 2020 UNMASKING THE DRAGON Revelation 12:9 and 20:2 1.

361 views • 14 slides
Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP #whoami 3rd year PhD-Student at Secure Software Engineering Group Darmstadt, Germany (Prof. Dr.

458 views • 22 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Pion photo- and electroproduction and the chiral MAID interface Stefan Scherer Institute for

Pion photo- and electroproduction and the chiral MAID interface Stefan Scherer Institute for

Pion photo- and electroproduction and the chiral MAID interface Stefan Scherer Institute for Nuclear Physics, Johannes Gutenberg University Mainz Uppsala University, 20 May 2016 work in collaboration with 1 Marius Hilt, Bj orn C. Lehnhart,

689 views • 52 slides
Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer www.manichord.com Chromebooks ? Background Freelance Android and AOSP dev ~ 5 yrs Use and Chromebooks ~ 4yrs Wrote Git client Chrome

339 views • 31 slides
Parking Maid Overview and Objectives To design a smart parking robot that can detect empty

Parking Maid Overview and Objectives To design a smart parking robot that can detect empty

Parking Maid Overview and Objectives To design a smart parking robot that can detect empty parking space and park into the area automatically with FPGA control Functions that Robot can perform Move forward and backward Make

276 views • 9 slides
CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 09: Storage, Firmware, Bootloader,

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 09: Storage, Firmware, Bootloader,

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 09: Storage, Firmware, Bootloader, &amp; Systemd Rahmat M. Samik-Ibrahim (ed.) University of Indonesia https://os.vlsm.org/ Always check for the latest revision! REV254 27-Oct-2020

457 views • 30 slides
Section 15 Section 15 ADSP-BF533 Booting a 15-1 1 What is Booting? What is Booting?

Section 15 Section 15 ADSP-BF533 Booting a 15-1 1 What is Booting? What is Booting?

Section 15 Section 15 ADSP-BF533 Booting a 15-1 1 What is Booting? What is Booting? Booting is the process of loading application code, stored in an external memory device, into the various internal and external memories of the

505 views • 23 slides
Class Structure Last time: Fast Learning, Exploration/Exploitation Part 1 This Time: Fast

Class Structure Last time: Fast Learning, Exploration/Exploitation Part 1 This Time: Fast

Lecture 12: Fast Reinforcement Learning Part II 2 Emma Brunskill CS234 Reinforcement Learning. Winter 2018 2 With many slides from or derived from David Silver, Worked Examples New Lecture 12: Fast Reinforcement Learning Part II 3 Emma Brunskill

1.04k views • 70 slides
HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned into two categories: Security issues associated with the design Security issues associated with the system and application data once the

1.13k views • 25 slides
GRUB, ancient and modern GRUB Legacy Of course originally just GRUB Started in 1995 by

GRUB, ancient and modern GRUB Legacy Of course originally just GRUB Started in 1995 by

GRUB, ancient and modern GRUB Legacy Of course originally just GRUB Started in 1995 by Erich Boleyn Multiboot Editable menus, reasonable FS interface BALGE Multiboot https://xkcd.com/927/ GRUB Legacy: stages Stage 1: MBR,

398 views • 18 slides
Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS

Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS

Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS Jeff Chao (Jeffxx) Researcher at TrapaSecurity Ex-senior Researcher at TeamT5 Member of HITCON CTF Team Member of Chroot Focus on

1.35k views • 75 slides
Working with the RedPi Board Goals Boot the board and login. Serial console.

Working with the RedPi Board Goals Boot the board and login. Serial console.

Working with the RedPi Board Goals Boot the board and login. Serial console. Hooking up to a wired network (router). Other things you can do in/with Linux. Create a new logic design. From scratch. Using the EECS700

583 views • 34 slides
Hardware Root of Mistrust @sercurelyfitz, @r00tkillah whoami? Lectrical Nginear by education

Hardware Root of Mistrust @sercurelyfitz, @r00tkillah whoami? Lectrical Nginear by education

Hardware Root of Mistrust @sercurelyfitz, @r00tkillah whoami? Lectrical Nginear by education 10+ years of fun with hardware silicon debug security research pen testing of CPUs security training Applied

1.37k views • 95 slides

More recommend