Chris John Riley can break into your phone.
Well, that’s if you are running older versions of Box, LastPass, SpiderOak or Good for Enterprise on Android. And Riley can do it in under 60 seconds.
“Will secure containers prevent me from getting secure data? We all know physical access means game over. But in this kind of age, secure containers should be able to prevent us from getting that data out, even if someone’s got physical access,” he said, speaking from SecTor, a Toronto-based security conference, on Wednesday. Then during his presentation, he proceeded to turn that idea on its head, showing how secure containers can still be broken.
Riley is a penetration tester and security researcher who has spent the last year and a half studying how Android apps can get hacked. He examined an attack scenario where a hacker would get physical access to a device – perhaps no more than a minute or two by pretending to borrow a phone for a quick call – and then be able to steal data from the phone.
To do this, Riley said he needs three key ingredients. The first is the Android Debug Bridge (ADB), a feature of Android that lets users sideload apps over a USB connection (meaning apps can be installed and uninstalled through ADB alone). This also means iOS users have less to worry about, since iOS typically won’t let an unrecognized computer access the device over a USB cable.
The second ingredient is a USB cable connecting the device to either a laptop or another Android device, which is what gives access to ADB. The third is the PIN that unlocks the phone and brings up the home screen.
He noted getting a PIN can be as easy as asking someone else to borrow their phone under the pretext of making a quick phone call. And connecting a USB cable to another Android device is as simple as hiding a small cable within a jacket sleeve and then taking 30 seconds to gain access to an email folder.
For example, with LastPass, a password management tool that allows users to store all of their passwords in one place, Riley demonstrated it was possible to gain access to the four-digit PIN protecting all of those passwords. He showed how there was one line of code in LastPass allowing users to back up the data contained in LastPass.
The trick with LastPass is that users can only enter a password up to five times before the app locks them out and wipes the data inside. However, it’s possible to rewrite the code so that the password attempt counter is changed to 9,999.
While it’s not very easy to do, it’s still possible – and with a four-digit PIN, a hacker could then try almost 10,000 times. With that many attempts, a hacker could automate trying every possible combination and land on the correct one within a matter of hours.
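The weakness described above is a lockout counter that lives in app data an ADB backup can export and a modified backup can restore. The following is an added illustration, not Riley’s code or anything from LastPass: a toy vault whose lockout state is stored in plain, restorable data, beside one that binds that state to a key which never leaves the device (an HMAC key standing in for a hardware keystore key, which is an assumption of this example), so a restored backup with a rewritten limit is detected and treated as a lockout.

```python
import hmac, hashlib, secrets

class PlainVault:
    """Lockout state lives in backup-exposed app data: an edited backup is accepted as-is."""
    def __init__(self, pin, max_attempts=5):
        self.pin = pin
        self.data = {"attempts": 0, "max_attempts": max_attempts, "wiped": False}
    def restore_backup(self, backup):
        self.data = dict(backup)  # nothing checks the restored values
    def unlock(self, guess):
        if self.data["wiped"]:
            return False
        if guess == self.pin:
            self.data["attempts"] = 0
            return True
        self.data["attempts"] += 1
        if self.data["attempts"] >= self.data["max_attempts"]:
            self.data["wiped"] = True  # wipe after too many failures
        return False

class SealedVault(PlainVault):
    """Same state, but authenticated with a key that is never exported in the backup
    (standing in for a hardware keystore key), so a rewritten limit is detected."""
    def __init__(self, pin, max_attempts=5):
        self.device_key = secrets.token_bytes(32)  # simulated device-bound key
        super().__init__(pin, max_attempts)
        self._seal()
    def _tag(self, d):
        msg = f'{d["attempts"]}|{d["max_attempts"]}|{d["wiped"]}'.encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()
    def _seal(self):
        self.data["tag"] = self._tag(self.data)
    def restore_backup(self, backup):
        restored = dict(backup)
        if not hmac.compare_digest(restored.get("tag", ""), self._tag(restored)):
            restored = {"attempts": 0, "max_attempts": 0, "wiped": True}  # tampered: lock out
        self.data = restored
        self._seal()
    def unlock(self, guess):
        ok = super().unlock(guess)
        self._seal()
        return ok

def wrong_attempts_tolerated(vault, wrong_pin="0000"):
    """Count how many wrong guesses the vault accepts before it wipes (a defender's check)."""
    n = 0
    while not vault.data["wiped"]:
        vault.unlock(wrong_pin)
        n += 1
    return n
```

Restoring a backup with `max_attempts` edited to 9,999 lets the plain vault accept 9,999 wrong guesses, while the sealed vault locks on restore because the tag no longer matches.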
And it can get worse, Riley added.
“It’s simple, it’s easy, it’s not that complex. For bonus points, let’s talk a little bit about persistence. So we’ve bypassed the PIN, and we know all the data on LastPass is stored in the cloud,” he said. “What if we take it back from Device A, and I borrow your device and do a quick backup of it. I then remove the PIN and rebuild the backup.”
“But instead of restoring the backup on your device, so I can bypass the PIN, I restore it to my device. So there’s no PIN anymore, but it’s still talking to the server. So what you end up [with] is a situation where I’ve copied your LastPass database, I’ve removed the PIN so I can get access to it without having to use the PIN, and it’s constantly going to keep syncing. So even if you change your password, I still win.”
Still, by this point, most of the companies Riley named have patched their vulnerabilities, including LastPass. (However, at the time of this writing, Box has yet to respond to the bug he pointed out.) And beyond these companies, Google itself has released updated versions of its Android operating system that make it harder for hackers to take advantage of ADB.
Even so, for Android users who want to protect themselves from an ADB vulnerability, Riley has a few tips. One would be to get users to encrypt their devices, while another might be to disable the USB debugging feature that comes with certain Android phones. Users should also ensure they always update their phones to use the latest version of the Android OS. And of course, it always helps if users can avoid losing their phones, or having them stolen.
However, the ultimate goal of his research wasn’t to scare people or to make them believe they’re going to have their data stolen, Riley said. In fact, all of the apps he researched are still effective for most people. The only people who would have to worry about getting hacked would be individuals with highly valuable data stored on their devices – for example, a CEO – who would be valuable targets for hackers who want to make money from industrial espionage.
“For enterprise use, we need to spend more time thinking about how these products actually secure our data, and not how they say they secure our data. There’s usually a big difference,” he said in an interview after his talk.
“This is not the end of the world, it’s not like a huge vulnerability … If you’re storing company secrets on your phone, and you lose your phone, you have to appreciate there are possibilities.”