evil maid on droids
play

evil maid on droids or why you should never loose your android - PowerPoint PPT Presentation

Jan 17, 2024 •444 likes •1.31k views

evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06 Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 2 / 51 Agenda

  1. evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06

  2. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 2 / 51

  3. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 3 / 51

  4. evil maids wat? 4 / 51

  5. evil maids wat? 1. device left at hotel room 4 / 51

  6. evil maids wat? 1. device left at hotel room 2. maid comes in 4 / 51

  7. evil maids wat? 1. device left at hotel room 2. maid comes in 3. maid installs malware, fetches data, etc. 4 / 51

  8. evil maids wat? 1. device left at hotel room 2. maid comes in 3. maid installs malware, fetches data, etc. 4. ??? 4 / 51

  9. evil maids wat? 1. device left at hotel room 2. maid comes in 3. maid installs malware, fetches data, etc. 4. ??? 5. PROFIT!!! 4 / 51

  10. targets � laptop is classic target � full disk encryption as mitigation 5 / 51

  11. targets � laptop is classic target � full disk encryption as mitigation � modify unencrypted bootloader/kernel 5 / 51

  12. targets � laptop is classic target � full disk encryption as mitigation � modify unencrypted bootloader/kernel � secure boot as mitigation � EFI SecureBoot on x86 PCs/Notebook � Reduced access on embedded devices 5 / 51

  13. a new victim arises 6 / 51

  14. a new victim arises picture: thx sofie <3 6 / 51

  16. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 8 / 51

  17. partition layout � /system : OS binaries and config, android, framework � /data : user-installed apps, all user data � boot: kernel, fs root / � recovery : recovery system � cache : dalvik cache, other cached data � /sdcard /mnt/storage : music, videos, whatever . . . Actual layout depends on device 9 / 51

  18. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 10 / 51

  19. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 2. PBL starts secondary boot loader (SBL) 10 / 51

  20. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 2. PBL starts secondary boot loader (SBL) 3. app processor bootup – HBOOT bootloader 10 / 51

  21. android boot process for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) 2. PBL starts secondary boot loader (SBL) 3. app processor bootup – HBOOT bootloader 4. HBOOT loads kernel/recovery 10 / 51

  22. security? – locked bootloaders for HTC/Qualcomm devices: 1. baseband processor starts primary boot loader (PBL) verifies signature of sbl 2. PBL starts secondary boot loader (SBL) verifies baseband code and HBOOT 3. app processor bootup – HBOOT bootloader 4. HBOOT loads kernel/recovery verifies signature on kernel/recovery 11 / 51

  23. bootloader unlocking � disables signature checking/verification in boot process � allows booting of third-party code → yay, custom ROMS! 12 / 51

  24. bootloader unlocking � disables signature checking/verification in boot process � allows booting of third-party code → yay, custom ROMS! � bootloader unlocking � using fastboot tool f a s t b o o t oem unlock � usually does factory reset � erases /data/ � remove device settings (e.g. saved wifi passwords) � might need some proprietary tool or an exploit for unlocking 12 / 51

  25. HTC S-ON/S-OFF � system, kernel, recovery is hardware-write-protected � “temp root” – rooted phones will be unrooted at next boot � bootloader unlocking – S-OFF � submit device-specific token � flash signed blob � voids warranty � unpublished exploit: revolutionary 13 / 51

  26. fastboot and co � fastboot � “standard” protocol from AOSP � implemented in app processor bootloader (e.g. HBOOT) � can flash images to partitions � can directly boot kernels � other proprietary protocols/tools exist � nvflash for Tegra devices � old Motorola: SBF + miniloader � flash images via usb-exported-ramdisk (archos) � etc. . . 14 / 51

  27. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 15 / 51

  28. assumptions � device has set a PIN/password/pattern � else you are totally f**cked anyway � face-unlock also sucks � typical smartphone usage � google, facebook, twitter account set up � access to storage device not possible � because of encryption � hardware protection � attacker can’t solder ;) 16 / 51

  29. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 17 / 51

  30. prerequisites � stock ROM � no adb � no root 18 / 51

  31. pull sdcard 19 / 51

  32. pull sdcard how? � pull sdcard � dump everything 20 / 51

  33. pull sdcard how? � pull sdcard � dump everything what? � personal data (pictures, music) � apps2sd � e.g. /sdcard/Android/data/ � app backups � probably nothing really critical � company phone – company data??? 20 / 51

  34. what about nexus s? � there’s no sdcard! 21 / 51

  35. what about nexus s? � there’s no sdcard! � only internal storage � accessible via media transfer protocol (mtp) � access only when unlocked � restricted access to data 21 / 51

  36. smudge patterns I 22 / 51

  37. smudge patterns II 23 / 51

  38. old news. . . boring stuff. . . 24 / 51

  39. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 25 / 51

  40. prerequisites � phone used personally and for development � stock ROM � no root � adb enabled 26 / 51

  41. install malware � create and install malicious app pulling all possible data adb i n s t a l l com . example . AngryBirdsStarTrek . apk 27 / 51

  42. install malware � create and install malicious app pulling all possible data adb i n s t a l l com . example . AngryBirdsStarTrek . apk � still restricted access � give malware every possible android permission � still no access to most of /data/ � no system or systemOrSignature level permissions � pull � personal data � contacts/texts 27 / 51

  43. disabling keyguard via app 28 / 51

  44. disabling keyguard via app KeyguardManager keyguardManager = ( KeyguardManager ) getSystemService ( Context .KEYGUARD_SERVICE) ; KeyguardLock mkeyguardLock = keyguardManager . newKeyguardLock ( " unlock " ) ; mkeyguardLock . disableKeyguard () ; 28 / 51

  45. disabling keyguard via app KeyguardManager keyguardManager = ( KeyguardManager ) getSystemService ( Context .KEYGUARD_SERVICE) ; KeyguardLock mkeyguardLock = keyguardManager . newKeyguardLock ( " unlock " ) ; mkeyguardLock . disableKeyguard () ; � hitting back/home button might enable keyguard again � depending on the device and the rom � might also get you to launcher activity (=win!) 28 / 51

  46. disabling keyguard via app KeyguardManager keyguardManager = ( KeyguardManager ) getSystemService ( Context .KEYGUARD_SERVICE) ; KeyguardLock mkeyguardLock = keyguardManager . newKeyguardLock ( " unlock " ) ; mkeyguardLock . disableKeyguard () ; � hitting back/home button might enable keyguard again � depending on the device and the rom � might also get you to launcher activity (=win!) � solution: launch other activities/intents via our malicious app so no problem ;) 28 / 51

  47. intercepting login credentials 1. install custom ca cert 2. set proxy in network settings 3. launch intercepting proxy 4. grab stuff � google auth token � facebook token, password � etc. 29 / 51

  48. intercepting login credentials 1. install custom ca cert 2. set proxy in network settings 3. launch intercepting proxy 4. grab stuff � google auth token � facebook token, password � etc. � no cert errors, since we installed a trusted CA cert � unfortunately not everything uses system proxy � gapps, facebook work fine 29 / 51

  49. grabbing google auth token using the mitmproxy tool 30 / 51

  51. google backups � so we have the google auth token 32 / 51

  52. google backups � so we have the google auth token 32 / 51

  53. google backups � so we have the google auth token � adding auth token to rooted phone → provides access to everything backed up to google (in plaintext) 32 / 51

  54. so still no root. . . 33 / 51

  55. so still no root. . . � well. . . 33 / 51

  56. so still no root. . . � well. . . get root! � root via adb restore by Bin4ry (for Android 4.0 and 4.1) � mempodroid � ZergRush � Gingerbreak � . . . 33 / 51

  57. Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 34 / 51

  58. prerequisites � rooted phone � custom ROM, recovery � adb access 35 / 51

  59. well. . . . . . you are totally screwed! 36 / 51

  60. well. . . . . . you are totally screwed! 36 / 51

  61. the attack adb p u l l / data / data / adb p u l l / system / data / 37 / 51

Recommend

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy Bulygin (@c7zero) CanSecWest 2013 Outline 1 UEFI BIOS Outline 1 UEFI BIOS 2 Measured/Trusted Boot Outline 1 UEFI BIOS 2 Measured/Trusted Boot 3 The

906 views • 90 slides
Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

The Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history November 2005 its distracting! reuse is overrated! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Shit! eek! appable_plugins desert

972 views • 96 slides
Backdoors furtives et autres fourberies dans le noyau Arnaud Ebalard

Backdoors furtives et autres fourberies dans le noyau Arnaud Ebalard

Backdoors furtives et autres fourberies dans le noyau Arnaud Ebalard &lt;troglocan@droids-corp.org&gt; Pierre Lalet &lt;pierre@droids-corp.org&gt; Olivier Matz &lt;zer0@droids-corp.org&gt; Les 45 prochaines minutes ... Injection de code

836 views • 38 slides
DWDC Vancouver presents... MAID 101 Your presenter today is Connie Jorsvik , BSN, Independent

DWDC Vancouver presents... MAID 101 Your presenter today is Connie Jorsvik , BSN, Independent

DWDC Vancouver presents... MAID 101 Your presenter today is Connie Jorsvik , BSN, Independent Healthcare Navigator &amp; Patient Advocate. The DWDC Vancouver MAID 101 Team: Dr. Sue Hughson Alex Muir Darrell Mahoney Susan

584 views • 44 slides
The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

Webinar: Abortion &amp; Conscientious Objection 2 July 2020 (Adv Keith Matthee SC) 1 As a nation we would be well advised to heed the words of Professor Forstchen in his review on the film Downfall, which exposes the evil of Adolf

490 views • 11 slides
Why MAID cases are different from a coordinator perspective Emily Evans Organ and Tissue

Why MAID cases are different from a coordinator perspective Emily Evans Organ and Tissue

Why MAID cases are different from a coordinator perspective Emily Evans Organ and Tissue Donation Coordinator Overview of Organ Donation Following MAID in Ontario 1 st physician confirmation of eligibility Notification to TGLN Consent for

798 views • 11 slides
Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He even exists. Natural disasters and diseases seem at odds with a good and benevolent God. Try to remember, though, that God created this universe

462 views • 8 slides
Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by Appliances? appliance / pl ns/ Noun A device designed to perform a specific task, typically a domestic one. Digital Signage

1.04k views • 55 slides
DROIDS @z @zer er0m 0mem em #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ] Background

DROIDS @z @zer er0m 0mem em #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ] Background

Racing with DROIDS @z @zer er0m 0mem em #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ] Background @K33nTeam Previously ~4 years in ESET Contact twitter : @zer0mem weibo : weibo.com/u/5238732594 blog :

673 views • 45 slides
THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie

THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie

THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie Dehler 4-22-12 What is the problem? (1 of 2) Q: If God is all-loving and all-powerful, why is there so much evil in the world? A: What evil are you

312 views • 15 slides
Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL

Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL

Revelation series nr.10: Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL Series The Future has already Begun #10 IBC Eindhoven, 8 March 2020 UNMASKING THE DRAGON Revelation 12:9 and 20:2 1.

361 views • 14 slides
Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP #whoami 3rd year PhD-Student at Secure Software Engineering Group Darmstadt, Germany (Prof. Dr.

458 views • 22 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Pion photo- and electroproduction and the chiral MAID interface Stefan Scherer Institute for

Pion photo- and electroproduction and the chiral MAID interface Stefan Scherer Institute for

Pion photo- and electroproduction and the chiral MAID interface Stefan Scherer Institute for Nuclear Physics, Johannes Gutenberg University Mainz Uppsala University, 20 May 2016 work in collaboration with 1 Marius Hilt, Bj orn C. Lehnhart,

689 views • 52 slides
Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer www.manichord.com Chromebooks ? Background Freelance Android and AOSP dev ~ 5 yrs Use and Chromebooks ~ 4yrs Wrote Git client Chrome

339 views • 31 slides
Parking Maid Overview and Objectives To design a smart parking robot that can detect empty

Parking Maid Overview and Objectives To design a smart parking robot that can detect empty

Parking Maid Overview and Objectives To design a smart parking robot that can detect empty parking space and park into the area automatically with FPGA control Functions that Robot can perform Move forward and backward Make

276 views • 9 slides
Natural Evil and the Mythology of J.R.R. Tolkien Keith B. Miller Department of Geology Kansas

Natural Evil and the Mythology of J.R.R. Tolkien Keith B. Miller Department of Geology Kansas

Natural Evil and the Mythology of J.R.R. Tolkien Keith B. Miller Department of Geology Kansas State University The Problem of Natural Evil and the Creative Imagination We must seriously engage the challenging theological questions that

756 views • 22 slides
Medical Assistance in Dying: Proposed Legislative Amendments (Bill 84) Stakeholder Presentation

Medical Assistance in Dying: Proposed Legislative Amendments (Bill 84) Stakeholder Presentation

Medical Assistance in Dying: Proposed Legislative Amendments (Bill 84) Stakeholder Presentation Ministry of Health and Long-Term Care December 9, 2016 MAID Overview Medical Assistance in Dying (MAID) is defined in recently enacted federal

283 views • 16 slides
DSCP and the Evil Bit Runa Barik (UiO), Michael Welzl (UiO), Ahmed Elmokashfi (SRL) maprg @96th

DSCP and the Evil Bit Runa Barik (UiO), Michael Welzl (UiO), Ahmed Elmokashfi (SRL) maprg @96th

DSCP and the Evil Bit Runa Barik (UiO), Michael Welzl (UiO), Ahmed Elmokashfi (SRL) maprg @96th IETF Meeting Berlin, Germany 18 th July 2015 IETF96 DSCP and the Evil Bit 1 / 14 Motivation The Internet could ideally use the IP header for

149 views • 14 slides
Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web Applications Web Application &lt;SCRIPT&gt;...&lt;/SCRIPT&gt; Attackers evil script executed using victims credentials Omer Tripp Marco

410 views • 6 slides
Wisdom Discerning between Good and Evil Goal scripture: Hebrews 5:11-14 Wisdom Discerning

Wisdom Discerning between Good and Evil Goal scripture: Hebrews 5:11-14 Wisdom Discerning

Wisdom Discerning between Good and Evil Goal scripture: Hebrews 5:11-14 Wisdom Discerning between Good and Evil My Focus Today New Series: Books of Wisdom Talk a little about what wisdom is Job Present Teaching Points Psalms on 2

484 views • 29 slides
A Poisonous Mouth

A Poisonous Mouth

A Poisonous Mouth Poisonous Mouth Deliver me, O Lord, from evil men; preserve me from violent men, who plan evil things in their heart and stir up wars continually. They

415 views • 15 slides
Thursday. Shafiq Woon Abdullah admitted in a Singapore court that the physically abused

Thursday. Shafiq Woon Abdullah admitted in a Singapore court that the physically abused

Contoh : Man Jailed for Striking RI Maid SINGAPORE A man was jailed for two months for repeatedly striking his Indonesian maid, news reports said on Thursday. Shafiq Woon Abdullah admitted in a Singapore court that the physically abused

404 views • 7 slides
Passage of Bill 84, Medical Assistance in Dying Statute Law Amendment Act, 2017 Webinar Technical

Passage of Bill 84, Medical Assistance in Dying Statute Law Amendment Act, 2017 Webinar Technical

Passage of Bill 84, Medical Assistance in Dying Statute Law Amendment Act, 2017 Webinar Technical Briefing Ministry of Health and Long-Term Care May 16, 2017 MAID Overview Medical Assistance in Dying (MAID) is defined in federal

679 views • 25 slides

More recommend