Getting a Shell on any Android Device

USB

If you’re an Evil Customs Agent or other nefarious Three Letter Agency Person, you’re probably very interested in getting data off people’s phones. Even if the screen is locked, there’s a way around this problem: just use the Android Debug Bridge (ADB), a handy way to get a shell on any Android device with just a USB cable. ADB can be turned off, though, so what is the Stasi to do if they can’t access your phone over ADB? [Michael Ossmann] and [Kyle Osborn] have the answer, and it involves a little-known property of USB devices.

USB mini and micro plugs have five pins – power, ground, D+, D-, and an oft-overlooked ID pin. With a particular resistance between this ID pin and ground, the USB multiplexer inside your phone switches the port into a different mode, which can let anyone with the proper hardware read the state of the charger, get an audio signal, mess around with the MP3s on your device, or even get a shell.

To test their theory, [Michael] and [Kyle] rigged up a simple USB plug to UART adapter (seen above) that included a specific value of resistor to enable a shell on their test phone. Amazingly, it worked, and the thought of having a secure phone was never had again.

The guys went further with some proprietary Samsung hardware that could, if they had the service manual, unlock any Samsung phone made in the last 15 years. They’re working on building a device that will automagically get a shell on any phone and have built some rather interesting hardware. If you’re interested in helping them out with their project, they have a project site up with all the information you need to get up to speed on this very ingenious hack.

Comments

  1. matt says:

    The article title is definitely misleading, and it seems as if Brian didn’t read the paper at all. This isn’t applicable to ANY Android device, only those which use multiplexer ICs on the USB port, and only if they are designed to explicitly allow this. The hack here tested only the Nexus and was able to get to a debugger which had access to an unprivileged shell. I haven’t played with Android much, but if you rooted your device couldn’t you just ‘chmod -x adb’ to fix this issue?

    • matt says:

      Also this isn’t applicable to just any Nexus either, from the paper:

      “The Galaxy Nexus was running CyanogenMod [10]. Subsequent tests of devices of the same model running different operating systems yielded different results. We were unable to gain access to the FIQ debugger on a unit with an operating system provided by Verizon. On a unit with an operating system provided by Sprint, we were able to access the FIQ debugger, but the console command was missing or disabled.”

      So basically if you rooted your device and installed a poorly configured community ROM, you have a security issue; if you use the default install, you’re OK. God damn this post was alarmist.

    • mossmann says:

      I agree that the article would be much improved by the deletion of the letter “y” from “any” in the title.

      Don’t trust chmod to save you from this type of vulnerability. There are many ways that an attacker may be able to elevate privilege given something as complex as a shell.

      What I hope people get out of this work is not: “Hey, these guys can get a shell on some phones!” but is instead: “Wow, there are huge, unexplored attack surfaces accessible through multiplexed wired interfaces on all sorts of devices.”

    • fartface says:

      Give the Cyanogenmod guys 20 minutes to fix this hole.

    • thoriumbr says:

      No, this *exact* hack may not be available on every Android device, but this kind of hack is. I can say that every smartphone around has a multiplexer chip installed, or it would not be that smart.
      So even if the used resistance may not work on Motorola phones, another one surely will. If they have access to the support manual for all makers (and there are just a few), they will be able to attack any and all Android phones out there.
      And I bet the NSA has those manuals, don’t you think?

    • SpaceLifeForm says:

      chmod -x will not necessarily fix the problem. Most ROMs have the adbd (Android Debug Bridge daemon) loaded in RAM after boot. It is tied to init. So, even if you chmod -x adbd, rebooting the device will bring it back to its normal state.

  2. Error_user_unknown says:

    Time to Dremel off that pin. Thx HaD for the heads up.

  3. blodgar says:

    That’s why I have a dumb-phone…

  4. Me says:

    This has been very well known for years. There are even resistor tables available. Google for USB-JIG for instance.

  5. Matt says:

    Let’s see…

    1. Maintain physical security of the device
    2. Don’t trust unknown media/cords

    It’s an interesting attack vector, but the mitigation strategies are at least a decade old.

  6. You can do this with a Parallax Propeller, but ADB must be on.

    http://obex.parallax.com/object/116

  7. ejonesss says:

    OK then, to secure the device just short the ID pin to ground so nothing will work.

  8. StinkySteve says:

    Poorly written article that is hard to follow and totally misleading. Typos and mixed-up words make it unclear if you do or don’t need adb enabled. Boo for this poorly written piece of shite.

    • spider says:

      Just because you don’t understand what is being done doesn’t mean it is poorly written. I’ll dumb it down for you: abd is disabled on the phone, you gain a shell to the phone through the USB port, once you have shell access it is just a matter of changing a single value in the phone’s database in order to enable adb, once adb has been enabled you then use that access to push programs down to the phone…

      • StinkySteve says:

        It’s adb, not abd. But it’s okay, commenters don’t have to get it right every time. I expect more from the authors of HaD though.

        I understand how it works by reading the original article. I can’t understand the author because his writing is full of typos, missing words, etc. Perhaps you’d be better off reading the original article to understand how misleading Brian’s writeup is.

        • spider says:

          Granted I didn’t read the article, but I did watch the talk. The talk was very easy to follow imo and after watching the talk and reading the write up it isn’t actually that misleading. Maybe Brian just watched the talk and didn’t read the article :/
