
BSidesSF 2026 - From pocket to Pwn: How we hacked a multinational Corp for $200 with... (Tim Shipp)

BSidesSF · 28:56 · 15 views · Published 2026-05 · Watch on YouTube ↗
About this talk
From pocket to Pwn: How we hacked a multinational Corp for $200 with what's in our pockets
Tim Shipp

Not all Red Team engagements are spearphish → mimikatz → profit. This talk challenges the assumption that the cost of entry for Red Teaming is super high; it doesn't need to be novel, expensive or pretty to result in full domain takeover.

https://bsidessf2026.sched.com/event/f8e1e398c326166655df99fbe6b7be55
Transcript [en]

For our final session in here we have Tim Shipp with From Pocket to Pwn: How we hacked a multinational corp for $200 with what's in our pockets. What is in your pocket? I don't actually... I don't want to know. I'm just going to hand over. You can tell us all. It's going to be great questions. You know the link. Let's do this. Thank you. Big round of applause, please.

>> Hey everybody. I'll start with the legal bit, just because it's being recorded and just to make me feel better. We do mention Bluetooth jamming in this talk. Bluetooth jamming is illegal. We don't do it. We've never done it. Big wink. And anything that was discussed in this is based on lab research. You can find videos on YouTube of people using exactly the same tools, and they'll give you an idea of how it would work if you were to mock this up yourself. But we put this bit in to keep everybody happy.

A little bit about myself. So, Tim Shipp, I'm the CTO and co-founder of Threat. We're an agentic incident response platform. We do incident response, XDR, all that fun stuff. I've been building and leading IR teams for just over 20 years now. Done a few interesting investigations over the years. Also do some red teaming as well. For my sins, I'm still a major in the British Armed Forces cyber reserves. So I get to go abroad, do some interesting stuff. Just got back from Singapore, actually. Do quite a lot of work with the US government as well. Worked in Accenture, Cybereason, Symantec, Airbus, Thales, a few other less interesting places. But yeah, so I've done about 200 IR investigations over the course of my career. So I know a little about what we do.

Bit of backstory for this particular talk, because it goes off on a little bit of a tangent. I will go off on lots of tangents. Even if you've heard this talk before, you never get the same one twice. We do cover mobile phones. Clue is what's in your pocket. My history with Android goes back to 2007, which was a year before Android was released. I worked for a little company called Matsushita Electric Company. You probably know them as Panasonic. And we were in the process of looking at what was going to be the next smartphone, or what became a smartphone. So we were looking at Windows phones and hacking those phones to try and get the Android ROMs that were available at the time onto them, so we could do some market research and try and get out into the market before everybody else. So as a result of that they released an Android phone. I was the first person outside of Japan to get that Android phone. Had it hand delivered to me by two guys who'd flown over from Japan especially. They went for coffee. They came back. I had Doom running on it. They weren't very happy about that. I wasn't very happy because I couldn't get the touchscreen controls to work. So by lunchtime we had Day of the Tentacle running on it with touchscreen fully playable. Didn't go down particularly well. I got flown to Japan to explain what I'd done to their flagship phone model and

how to stop anybody else doing it if they were to buy it. And that was how I got into security, basically breaking phones for Panasonic.

So, the plot, because we're on a musical-esque type theme. This whole concept came about because we had a customer that we were doing red teaming for. We'd done several red team engagements for them over the years. We'd done spearphishing. We'd done dead drops. We'd done local approaches. We'd done smishing. And they were very, very good. You know, if you were to drop a binary on one of their endpoints, they were on it within about 10 minutes, mitigated, done. So we tried to do something a little more interesting. We'd obviously visited them a few times. We knew they had their own developers, but because of the type of business they were, they had a development team for Android and mobile, because they had a mobile application as well. So we got permission to target the mobile applications and target the developers as a slightly off-base way of looking at how we could potentially get further access into this network. And interestingly, because they were a relatively late-stage startup, everybody used their own personal devices for MFA, testing, you know; they didn't have company phones. So I say the objective of the pentest, or the red teaming engagement rather, was, rather than use standard, symmetrical, boring testing, to do something a little bit outside of the box, provide some extra value to the customer and just try and do something that they hadn't done before, they hadn't seen before, and was fun for us, to be fair, because there's only so many times you can run Cobalt Strike.

So the decision was to do passive targeting of the developers. We weren't allowed to capture them in a van and interrogate them or anything fun like that. So it was just kind of, you know, just find out where they go to coffee, find out what time they leave, find their pattern of life and try and devise a way of potentially compromising those users passively, using what we had available in our pockets.

So, possible infection vectors. We noticed the PED policy was pretty poor. Bring your own device was rampant. Everybody used Bluetooth devices, be it headsets, mice, keyboards. So there were various attack vectors if we could get into the building. But I had the idea of, you know, let's see if we can jam the Bluetooth connectivity to one of their devices. So a bit of a further backstory is they had a very good company car scheme where everybody was able to get an electric car as part of their package. Rhymes with Tesla. They were pretty much all the same vehicle. It was just a car park full of white Teslas, basically. So we had the idea of let's see if we can do a denial of service on their vehicle's Bluetooth, masquerade as that Bluetooth, and then compromise that device and then use that device for onward passage into that network. So use that device to actually gain access to the corporate environment, you know, to exploit for intelligence gathering, lateral movement and just whatever else we were able to

get out of it. So this particular EV manufacturer quite handily makes all of their field manuals available online, which you can see in a really low-resolution picture up there. They put one Bluetooth module under the badge on the front of the vehicle and one Bluetooth module under the badge at the back of the vehicle. And if you're able to jam those in a meaningful way and have another Bluetooth device close to the user, they can't connect to the vehicle, you masquerade as the vehicle and get them to connect to you. And the concept was, we tried it with Flippers, but we found... I don't know if you've ever seen them before, Cardputers, 25 bucks, and it's basically a poor man's Flipper. And if there was anything magnetic, they're fully magnetic. So you can literally stick it to a car. It does what it needs to do and then when they drive off, it just falls off and you collect it. Yeah, highly recommend. So the concept was, with two of these little Cardputers, you could buy an nRF24 dongle, connect it via the SIM port at the top. And for $95 you had two of these devices, one that was able to block and one that was able to inject traffic. But for the actual testing we used one of these and a Flipper. The Flipper is because you can record a video nicely with it. It's got a nice user interface. And we already had one.

Problems running payloads on Android. To be fair, Android does a pretty good job of blocking malicious payloads from 13 onwards. I think we're on 18 now. It's very hard to get an APK running on an Android device. We did spend a lot of time and effort trying to get it going. We were able to get it working, but even when it was running it would last about a minute before it killed any outbound activity, which was less than useful, if I'm honest. You'll see lots of stuff on the internet and lots of videos where people are hacking using an Android virtual machine, and they'll usually be using Android 11 or Android 12, which is susceptible to all of this stuff. There's various ADB, so Android Debug Bridge, exploits that are available for that. But again, that involves you physically being able to connect into the device. Which, you know, walking up to someone in the back of a coffee shop and plugging it into their phone is unlikely to go down well.

So, a recent addition to this. So originally we were able to get an APK running that would deploy and would work on Android 16 and was able to get us a remote Metasploit shell for long enough to do some good. But through another project we found that it's possible to become a proper official approved Android developer for the pricey sum of $25. And providing you've got 25 bucks, an Android phone and a phone number, you can register as an Android developer. And then you can build an

Android application, wrap it in something like Capacitor or Flutter, which gives it the ability... I used a Minecraft portal as an example. You know, you've got that frame of what a good application looks like, and you've got a web-based application in the middle. You can replace that web application with whatever you want at any time once it's approved. And once you're a developer, you can sign beta testers up to your testing program and they don't know they've been signed up. So if you can guess someone's Gmail for their developer account, all you need to do is send them a URL that they need to click accept on, and then they can install your application via the app store. Once your application is approved, you don't even need to go through that process. It's on the app store. So you could pay your 25 bucks, register your mindfulness application that you can click on and, you know, say that I've done my breathing for 5 minutes. Once that's approved, replace the guts in the middle with an exploit, do what you need to do, put it back to the old application. Didn't try that. Probably against terms of service, but if you were more that way inclined, I'm sure people do.

So, the plan was USB Rubber Ducky over Bluetooth. Oldest trick in the book. It's been available since 2010, but with the likes of Cardputers and with the likes of Raspberry Pis and your Flippers, you can do it over Bluetooth, providing you get that connectivity from that device.

So the plan was: connect one of these to the front of the dashboard, or the front of the Tesla rather. User can't connect to their device. They want to play Spotify on the way home from work. They try and connect. We masquerade as that device. They connect to our Flipper. We push a payload. We get Metasploit. Done, or half done. And I do have a very brief demo which kind of shows that using the Flipper, purely because it's prettier.

So on the Flipper we just enable that BadUSB module, wait for the connection on the right-hand side, left-hand side in your case. User connects; it's automatic, and this is massively slowed down. This happens over like a second or two. As soon as it connects to the Tesla, it automatically connects. It automatically downloads the payload, executes the payload. That's way slowed down.

There's no human interaction; that's just using the Rubber Ducky. And there we go. Metasploit payload. Still doing stuff.

So from that Metasploit payload, we're able to do some enumeration. We're, you know, potentially able to escalate privileges. Android doesn't like outbound connectivity from an app. So after just short of 5 minutes, your app gets killed. So your Metasploit connectivity is gone within five minutes. So you've got five minutes to do whatever you want to do. That was less than optimal. So we tried to work out a way of circumnavigating that and providing ongoing access. So that's the bit we already talked about. So it brought us back to ADB. So Android Debug Bridge, which is great. You plug it in over USB. It's what an Android developer uses to deploy their tool. It's what they use to debug their tool. You can also set it up to work over Wi-Fi now, but you need to actually pair it with that device, so that user needs to put in a code, you need to accept that code, and it's great, but we didn't have that level of access to that user. So we properly hacked a way of getting it to work without having that user approval. So, as soon as we got on to that, because we only had those five minutes, as soon as we had access to that Metasploit shell, we were able to set SELinux permissive and that allowed us to install another tool remotely, effectively. So we were able to start Termux as a service and do a remote SSH shell back to a domain we controlled. So effectively we had a Metasploit listener sat in AWS and we were able to use Termux via ADB to connect remotely back to us via a reverse encrypted tunnel, which effectively gave us remote ADB to that device until that device was rebooted. So, you know, if they were on GSM or 3G, whatever country they're in, we had full connectivity over their mobile provider, and once they connected to their corporate environment, we had access to their corporate environment over Wi-Fi, which was nice, and that was ultimately the aim, to get that remote access. So from me sat in the back of a van or sat back at home with my remote access to that AWS server, I had full connectivity to that customer's environment for the whole time that guy was on that device.

There's a few interesting commands down the bottom there. They allow you to use ADB shell to, like, remove the screen lock, because that was becoming problematic, because after a couple of minutes the screen is shut down. Dismiss keyguard so that you didn't need to key in the nine-digit password every time. And just completely disable the lock settings. And that was just literally a shell script to run as soon as you got on the device. Disable all of that. If you wanted to go one step further in your little application that you could develop, you could just have a dummy login. Doesn't matter what the PIN is, just so the user thinks they're logging back in again every time. We didn't go to that extent, but next time we might.

Interesting tools we were able to use

whilst we were on the device. So not only were we able to use ADB, we were able to use a tool called... I'm going to call it Scrappy. If anyone actually knows what it's called, please let me know. But effectively what it does is, it's effectively remote desktop for Android over our weird reverse shell. So not only did we have command line on that device, we had full access to remote shell. The only downside with that is you couldn't access PIN guard. So when you access PIN guard on an Android it blacks the screen. Nice security feature. Haven't found a way around it yet. Anyone knows a way around it? I'd like to hear about it. Because I say we do intend to do this exploit again in the future. Obviously once we were on that device we had the reverse shell. We were able to use a SOCKS proxy. So we were able to use nmap to enumerate the domain. We were able to use BloodHound to enumerate the Windows domain. And we were able to literally use a developer's Android device to move laterally from that device to the rest of the network and do onward compromise from there. And yeah, we weren't expected to get as far as we did, if we're perfectly honest.

Lessons learned. It doesn't need to be clever or pretty to work. You know, we said $200. Realistically, it was $100. We've extended it to $125 now, now that we have the one-off payment to be an Android developer. Apple's charging £99, $99 a year. Not tried it with Apple yet. That's next on the list, but it's, yeah, $25 one-off payment and you're in. So budget is not a blocker. Like I said, this is really low-hanging fruit. Not something that many people have thought about. It's just an attack vector that's there for the taking if you're sufficiently motivated. And to be honest, the car side of things was just to make it more interesting. There's various ways of doing this without going to that extreme. And yeah, if you're sufficiently motivated, there's always a way. And on that, I'll pass it over to questions.

Yes.

>> Yes. Obviously. So when we provided the recommendations in the report at the end of it, a PED policy was first and foremost; have some form of monitoring. They did push what logging they did have available to their XDR and that was then monitored, and there was an overhaul of their protective monitoring and what they were doing from the XDR perspective, because that mobile element wasn't on their risk register. They weren't looking at it as an attack vector. Obviously you've got EDR on all your endpoints; those endpoints weren't monitored. So that was something they had to take from there. Anybody else? Yes. Mhm.

So, as soon as they connect to my device, be it this or be it my Flipper, it's the Rubber Ducky. It's Rubber Ducky over Bluetooth. So it literally just runs it as a script. Nothing. As soon as you accept to pair, that's it. Done. And I say that video was massively slowed down. And it's literally as fast as it can move the cursor, and it's, yeah, surprisingly effective. Gentleman at the back.

So in this particular instance, we were using a SOCKS proxy and it was literally just a network device. So we were using a SOCKS proxy to pivot onto the Windows environment. So obviously there's no Windows credentials on those devices. It was reuse of passwords. We were going into the user's device to look at their key manager and so on and so forth. But it was predominantly used for enumeration and scoping, because we didn't have credentials on that device. But...

>> Yes.

>> Yep. Magnetic, literally just on the front,

>> and it just falls off when you drive away, or a bit of string on it. Question in the back.

Yes, absolutely. If you're ingesting the data and you're ingesting that data into your SIEM, you know, this would be seen as a pretty regular attack. The only abnormal bit is it was coming from a mobile phone, but the rest of it is there to be seen. It's just because most people focus on having that first EDR alert, and it didn't exist. So yes. I'm looking around for any more. Gentleman in the blue.

So in this instance, the user already had root because they were a developer and that was kind of the...

>> Yeah, so we deliberately targeted them because they already had root. Yeah, there are various ways to get root. But I mean, in all honesty, on Android 15, 16 onwards it's a lot of time and effort. So no, but in this instance the guy already had root because he was doing app development. There was another question over here. Yes.

So, this is actually the biggest one they do. So they do a smaller one without a keyboard and they're about 25 bucks. You install... the best firmware for them is Bruce. But if you install the Bruce firmware on them, pretty much anything you can do with a Flipper, you can do with this. And like I said, it's got a massive... I've not charged this in two years. It's still got 85% battery. It's got Lego bricks on the back, so you can add Lego. But it's got all the breakout ports, everything. It's a really incredible bit of kit. Yeah, highly recommend grabbing one. Also, gentleman here.

I can't hear. I'm going to come closer.

We didn't go as far... I've got a mic now, but we didn't go as far as trying to escalate privileges in the environment. It was their production environment, and the kind of work they do, we couldn't do too much offensive for fear of any downtime. So it was passive red teaming, I suppose, is the correct term.

>> Sorry, I failed at my job.
>> No, no, no, not this way.
>> Do we have any other questions?
>> Back to...
>> I've got a portable mic.
>> Yeah. Anyway, if you're there, then you're on the stream as well.
>> Okay, perfect.
>> Can I have my mic back, please?

>> You may have your mic.
>> Amazing.
>> There are some questions. Well, yeah, there's a question and a comment.
>> Okay.
>> Scrippy is scrcpy, "screen copy", apparently.
>> Yes.
>> Okay, we did that. Yeah, whilst I...
>> Yeah. Yeah. I didn't know how to pronounce it, but yeah.
>> Scrubby. Scruffy. It's whatever you want it to be.
>> Scrubby. There we go.
>> Scrap crappy. No. Hang on. Okay. And right, to disable, you are already root, right?
>> In this instance, yes. Yeah. So there's a gentleman at the top asked that, because they were developers, they were already pretty much... Yeah. They were
>> they were already, yeah, fully unlocked,
>> honed. I have to spend money on one of those little Cardputers as well. So thanks for that.
>> Honestly, 25 bucks well spent.
>> Yeah, seriously. Yeah, don't go on the Pi website. The money just goes away and then you have stuff in a pile. Sorry. Any more questions in the room? Here we go. I can pass you the mic almost. Do you want...
>> So, your target was connectivity into the network. Did you find any assets on the phone that developers had that they really shouldn't have had? That you can talk about. I mean, you know, sensitive secrets, not inappropriate.
>> I've never not found anything a developer wasn't supposed to have on any of their devices. Nothing crazy, but, you know, like keys that shouldn't have been there.

The key was: have development phones. Don't use your personal phone that you're also using for whatever viewing pleasure or whatever else you're doing with it in your personal time. Have a separate device that's patched and just does dev stuff. That was the big takeaway, because yeah, people used them as their personal phones and did all the things people do on their personal phones. Separation of church and state is always a good thing, right? Any more questions in the room of people... every time I look over there I go blind. So if there is anyone over there waving their hand around, just come this way a little bit.

>> And if you have any other questions you don't want to ask here, I will be in the bar.
>> Excellent. That is a good place to go. I will be there shortly as well.
>> Thank you.
>> Amazing talk. Thank you all for coming to this session, which is the last one in the IMAX. I do have some things to say, but first of all, we got a present for you.
>> It's a Tesla. No, it's not.
>> That's not a present. That's a burden.
>> Thank you very much.
>> You're very welcome. One more big round of applause, because clapping is good.
>> Yeah.

Three bottle of
