• Root Bridge – Android devices get pwned


    #196730

    It had to happen sooner or later. Now Kevin Beaumont (@GossiTheDog) reports on DoublePulsar that: Android has a feature called Android Debug Bridge (A
    [See the full post at: Root Bridge – Android devices get pwned]

    • #196737

      I’m not too surprised. I should rig something up and go grab a cup of coffee to see what kind of an issue this is.

      • #197107

        Let’s hope it isn’t an Android IoT coffee machine, or it looks like you might be having tea instead!

    • #196743

      Quick note: it says on the ADB page that you need to accept a certificate in order to allow ADB connections from specific devices as of 4.2.2 (Jellybean, 2013-ish). It also seems that you need to be in Developer mode now.

      This most likely affects older Android-powered devices, and probably the cheap Chinese devices that aren’t certified to work with Google services. For consumer devices, consider flashing the ROM or replacing the device if it can’t run Jellybean or newer.

    • #196766

      I wonder how many Android-powered smart cars have been hacked through this vulnerability?

      https://www.recode.net/2016/11/14/13601444/google-android-auto-automotive-car-tech

    • #196770

      Pretty easy to check the phone:
      Enable DEV mode.
      Ensure USB Debugging is not enabled.
      As an extra step, revoke authorization for computers previously connected, in case someone had a prior connection.

      Thanks for the info!

    • #196777

      Meh… what’s the problem?

      When I power on my Android device, it phones home to the mothership and often gets updates.

      Surely Google patched this a long time ago?

    • #196779

      Related news article from Feb 2018 …
      https://arstechnica.com/information-technology/2018/02/out-of-nowhere-currency-mining-botnet-infects-5000-android-devices/?comments=1

      I think most Android smartphones are not affected since ADB is disabled by default.

      Also, … http://www.tinmith.net/wayne/blog/2015/11/android-remote-adb.htm

    • #196806

      Seems to be a China regional spying exploit. But if your device can receive updates remotely, then it is probably able to be exploited.

      There are backdoors out there and that is a given, and system updates would be an access point.

    • #196841

      IIRC Android phones used to come with ‘Dev mode’ and ‘USB Debugging’ disabled by default; otherwise the phone warranty was affected. When did this all change with Google Android?

      I still use my Nokia mobile ‘dumb phone’. Great battery life and small enough to forget I have it in my pocket at times.

      • #196978

        Dev mode doesn’t affect warranty status. I generally turn it and USB debugging on for my devices to use ADB to back up my non-rooted devices to my computer, when I’ve done major updates or had to replace a device (that backs up more for me than the inbuilt backup to Google Drive ever has).

        • #196999

          @mindwarp

          Android’s ADB is automatically disabled or turned off when not in use, e.g. after the USB adapter cord has been unplugged.

          ADB disabled is the default setting.

          Previous reported malware infection of Android devices via ADB was by connecting Android smartphones to malware-infested computers, Power-banks and other USB devices.
          ADB is not vulnerable per se.

          • #197133

            You do still have to enable USB debugging on the Android device to run ADB on a computer to back up a device, which means enabling Dev Mode. That ties into the original comment about doing so invalidating warranties, which it doesn’t. You’re not rooted just by doing that, after all. I did disable USB debugging and revoked certificates on my devices, and I’ll just have to remember to re-enable it the next time I need to do a full-scale backup like that.

    • #196842

      Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device.

      During research for this article, we’ve found everything from fuel tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea.

      Sounds like the source of the problem is rogue vendors in China/East Asia, and not a vulnerability in Android, so avoid buying no-name Android devices from China/East Asia.

      About vulnerable DVRs in HK …
      https://www.androidcentral.com/android-70-brings-better-dvr-features-and-picture-picture-android-tv
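      The two technical points in this thread, "check whether your own phone has ADB enabled" (the #196770 post) and "adbd listens on TCP 5555 and anyone on the internet can connect" (quoted above), can both be verified with a few lines of code. The following is an added example written for this page; it is not from the thread, from DoublePulsar or from the Android project. It assumes the stock ADB wire format (a 24-byte little-endian header of command, arg0, arg1, length, checksum and magic, followed by the payload) and the stock adbd property names `service.adb.tcp.port` / `persist.adb.tcp.port`; the sample replies and `getprop` output at the bottom are constructed, not captured from a real device. A device that answers a bare `CNXN` with its own `CNXN` banner is the dangerous case: it has skipped the 4.2.2+ RSA key prompt and will hand a shell to anyone who reaches the port.

```python
"""Probe for an exposed Android Debug Bridge (adbd) on TCP 5555 and audit a local device.

Added example for this forum thread, not code from the original page.
The wire format and property names are the stock Android ones (assumption).
"""
import socket
import struct

ADB_PORT = 5555                 # default adbd TCP port, the one the thread is about
HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_checksum, magic

A_CNXN = 0x4E584E43             # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541             # b"AUTH"
A_VERSION = 0x01000000          # protocol version a plain `adb connect` advertises
MAX_PAYLOAD = 4096              # maxdata advertised by older adb clients; accepted everywhere


def build_packet(command, arg0, arg1, payload=b""):
    """Serialise one ADB message: 24-byte header followed by the payload."""
    header = HEADER.pack(command, arg0, arg1, len(payload),
                         sum(payload) & 0xFFFFFFFF,   # checksum = byte sum of payload
                         command ^ 0xFFFFFFFF)        # magic = bitwise NOT of command
    return header + payload


def connect_packet():
    """The CNXN that `adb connect host:5555` sends first; adbd answers CNXN or AUTH."""
    return build_packet(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_packet(data):
    """Return (command, arg0, arg1, payload), or None if data is not an ADB message."""
    if len(data) < HEADER.size:
        return None
    command, arg0, arg1, length, _checksum, magic = HEADER.unpack_from(data)
    if magic != command ^ 0xFFFFFFFF:
        return None
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None
    return command, arg0, arg1, payload


def parse_banner(payload):
    """'device::k=v;k=v\\0' -> ('device', {k: v}); adbd volunteers these before any auth."""
    banner = payload.rstrip(b"\x00").decode("ascii", "replace")
    kind, _, props = banner.partition("::")
    return kind, dict(p.split("=", 1) for p in props.split(";") if "=" in p)


def classify_response(data):
    """open: adbd accepted us with no key prompt, so anyone can run `adb shell`.
    auth-required: the 4.2.2+ RSA key check is in force (AUTH carrying a token).
    not-adb: something other than adbd is listening on the port."""
    parsed = parse_packet(data)
    if parsed is None:
        return "not-adb", {}
    command, _, _, payload = parsed
    if command == A_CNXN:
        _kind, props = parse_banner(payload)
        return "open", props
    if command == A_AUTH:
        return "auth-required", {}
    return "not-adb", {}


def probe(host, port=ADB_PORT, timeout=3.0):
    """Network side: send one CNXN and classify the reply.
    Only point this at devices you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(connect_packet())
            data = sock.recv(HEADER.size + MAX_PAYLOAD)
    except OSError:
        return "unreachable", {}
    return classify_response(data)


def tcp_adb_port(getprop_output):
    """Local side (the 'check your own phone' post): given the text of
    `adb shell getprop`, return the TCP port adbd is told to listen on, or
    None if it is USB-only. Vendor builds may use other property names."""
    for line in getprop_output.splitlines():
        if line.startswith("[service.adb.tcp.port]") or line.startswith("[persist.adb.tcp.port]"):
            value = line.split(": [", 1)[1].rstrip("]").strip()
            if value and value != "-1":
                return int(value)
    return None


# Constructed sample replies and getprop output (not captured from any real device).
SAMPLE_OPEN = build_packet(A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=generic;ro.product.model=TV-BOX;ro.product.device=x\x00")
SAMPLE_AUTH = build_packet(A_AUTH, 1, 0, b"\x00" * 20)   # AUTH type 1 (token) with a 20-byte nonce
SAMPLE_GETPROP = "[service.adb.tcp.port]: [5555]\n[sys.usb.config]: [mtp,adb]\n"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        verdict, props = probe(host)
        print(host, verdict, props.get("ro.product.model", ""))
```

      Run it as `python3 adbprobe.py 192.0.2.10` against a device you own; "open" means the box is handing out a shell to the whole network and needs USB debugging turned off (or the ADB-over-TCP port unset and adbd restarted), while "auth-required" means the key prompt is doing its job but the port is still reachable and should be firewalled. On your own phone, `adb shell getprop` piped through `tcp_adb_port` tells you whether adbd has been pointed at a TCP port at all.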

    • #196865

      I wonder if the dangers inherent in the “everything is always connected” mindset will ever be recognized

    • #196977

      Meh… what’s the problem?

      When I power on my Android device, it phones home to the mothership and often gets updates.

      Surely Google patched this a long time ago?

      Besides, even if Google had already patched it, which there is no mention of, that doesn’t mean Android OEMs have. Remember, that’s the current problem with the Android ecosystem: after Google comes up with a new build, the manufacturers have to come up with their own variants for each currently supported device, and THEN the ISPs have THEIR turn if a device is specifically locked to a carrier. Also, depending on how far back this issue goes, many affected devices may never be patched.

      • #197001

        Certain things still require operating system updates. Operating system-level features and support for new hardware standards can’t be rolled out in the background. They require new versions of the core operating system.

        However, these updates are becoming less and less significant. Google is rolling out as many new features as possible via Play Services updates and app updates. They’re splitting out more and more apps from the Android operating system, making them available in Google Play so every device can update to them.

        The reality is that Android updates are becoming less and less significant. If you have a device with Marshmallow (Android 6.0) or above, you still have a very modern Android experience with most of the latest features. You can still use all the latest apps because Google has given your device access to most of the latest APIs.

        https://www.howtogeek.com/179638/not-getting-android-os-updates-heres-how-google-is-updating-your-device-anyway/

      • #197036

        Thanks for the feedback!

        I use an Acer A3-A30 tablet and do get updates from google.
        Since everything Google Play is deactivated, I can only assume updates are for system?

        But I was really surprised to learn that not all devices’ systems are directly under Google’s protection.

        • #197046

          I use an Acer A3-A30 tablet and do get updates from google.
          Since everything Google Play is deactivated, I can only assume updates are for system?

          Yes, the updates you’ve been getting directly from Google have been for the OS only, NOT the apps. Even with a fully updated OS, it’s still quite possible to get infected by a piece of crapware through a vulnerable program that hasn’t been updated.

          Time to re-enable your Google Play services and Google Play Store so you can get updates for the apps in the store you may have on your tablet, such as Firefox or Chrome browser and whatever security application you may have, such as Lookout, for example. Those apps don’t get updated by Google when a security or other update for the OS is released.

          Security apps should go out on their own and get their own definition or signature updates without the help of the Google Play store, but they won’t update themselves if there’s a program update or bug fix. Those get pushed out via the Google Play Store almost exclusively.

          So, having a vulnerable browser will only get remedied by getting the revised browser version from the Google Play store. Same goes for whatever security/anti-crapware solution you have…the program updates only come through the Google Play store.

          • #197272

            Thanks.

            I’m doomed! 😀

            Android is indeed version 5. I don’t have any apps from the store, and my Chrome browser has been rolled way back to the very old 57.02 version (the last one with a decent bookmark handler…).

            So my only defence is the updates Google makes and my AdGuard filter (getting updates directly from them, not Google)…

            Well, it’ll have to do! Nobody can really do anything with this tablet, as it’s after all only a gadget for browsing a.o. non-important stuff.

        • #197140

          I just looked up your device. What was posted below about you getting updates for your OS as a whole from Google is incorrect. Check your settings – you should still be running Android 5.0 Lollipop, as Acer never released an upgrade to Android 6.0 Marshmallow for your device. Manufacturers vary widely on how long they support Android devices – the more you pay, the more likely you’ll get upgrades to two major versions, but that’s in the best case scenario – and Android comes out with a new major version every year. You are getting updates to Google apps via Play Services most likely, and that part from the quoted article will then somewhat apply, but the only devices that get Android updates directly from Google are Google devices (Nexus, Pixel, Android One).

          Edit: part of why this is the case, IIRC, has to do with hardware. OEMs, including Google, have to test each build to make sure it works with their specific configurations. The OEMs and carriers then also test it with any preinstalled software. Bugs still get through, mind you, but that’s why there’s this weirdness. That’s also why they drop support, though, since OEMs and carriers have so many devices…
