Security Street Knowledge
  • Collecting Android DNA through Leaky Wireless Packets
  • As a user of a smartphone, you should have an interest in the security of mobile devices.  With so much concern around mobile devices on corporate networks, security researchers are seeking to know if any mobile security issues could be leveraged to steal personal data.  In doing so, I found a small but meaningful flaw in the way mobile devices leak information that could be useful to a potential hacker.

    One such finding was a talk by security researcher MJ Keith of AlertLogic at the NAISG HouSecCon, who discussed a few Android application vulnerabilities that, if exploited, could expose your mobile application data to would-be data thieves.

    “…every app has the ability to access (not write) the sdcard and read information. The issue is that if you have a mail client or something else that stores “secret” data on the sdcard and you download evil_screensaver app that has internet access the evil_screensaver can read the “secret” data from the sdcard and phone home with that data” – says MJ.

    MJ Exploit: Android 2.0-2.1 Reverse Shell Exploit
    Demonstration: Exploit on YouTube

    During my own research, I uncovered that some Android vendors use the MEID as part of your hostname when attempting to join a wireless network.  They do this by auto-generating a unique hostname inside the BOOTP (DHCP) packet that contains the name (Android + MEID number).  So why is this a bad idea?  Well friends, the MEID is supposed to be a “secret”.  Even before smartphones with dumb applications existed, the MEID was the primary way your service provider could absolutely and uniquely identify your device on their network.  So sharing your MEID with potentially hostile applications and WiFi hackers sitting in their favorite coffee shop is just F’n-STUPID!  It is just like sharing your SSN with the WORLD!  This is why I consider the MEID of a mobile phone to be the DNA that runs through the blood of an Android device.

    PREDICTION – in the future there will be many disclosures of mobile application vulnerabilities where the application (by design) uses the MEID either as a security control or as a unique key for storing your application information online.  THE FUTURE IS NOW – one such example is a specific issue that MJ Keith uncovered in a popular mobile device backup application called MyBackup Pro by RerWare LLC.  MJ discovered that MyBackup Pro will auto-magically use your MEID as part of the identification process to access your online backups during an HTTP POST.  Knowing the MEID, a hacker can use this vulnerability to access your data and upload or replace your backup information.  If successful, it would then be possible to infect thousands of users with a malicious Trojan upon a backup restore!

    So what if a hacker was able to figure out a way to discover valid MEIDs?  Unfortunately, thanks to the way the HTC Incredible sends its wireless DHCP requests, there is a simple method to passively collect MEIDs.  It is trivial to collect MEIDs for Android devices by passively sniffing for a certain type of BOOTP packet, also known as a DHCP DISCOVER request.  These packets are emitted almost constantly by mobile devices while they are wirelessly connected to a network.  In this particular demonstration, I used Wireshark and created a filter to discover Android MEIDs.  In addition, I found it interesting to discover other mobile devices such as iPhone, HTC and Blackberry devices by filtering on keywords found deep within a BOOTP packet (as hex).

    Discover MEIDs by sniffing DHCP DISCOVER requests using Wireshark

    1.  To discover only Android devices, including MEIDs, use the Wireshark filter:

        a.  To find ‘android’ – bootp.option.value contains 61:6e:64:72:6f:69:64

    2.  To discover only Blackberry devices, which include partial PIN numbers, use the Wireshark filter:

        a.  To find ‘BLACKBERRY’ – bootp.option.value contains 42:4c:41:43:4b:42:45:52:52:59

    3.  To discover only iPhone devices, use the Wireshark filter:

        a.  To find ‘iPhone’ – bootp.option.value contains 69:50:68:6f:6e:65

    4.  To discover all HTC devices, use the Wireshark filter:

        a.  To find ‘HTC’ – bootp.option.value contains 48:54:43

    5.  To discover all of these mobile devices on a network via the BOOTP DISCOVER method, combine the Wireshark filters:

        a.  bootp.option.value contains 61:6e:64:72:6f:69:64 or bootp.option.value contains 42:4c:41:43:4b:42:45:52:52:59 or bootp.option.value contains 69:50:68:6f:6e:65 or bootp.option.value contains 48:54:43

    Tool Needed: Mobile Device Sniffer

    It would be great to see someone create a discovery tool specifically designed to sniff network traffic for mobile devices using this method.  Such a tool could be built with Scapy, tshark, tcpdump or libpcap.  Challenge anyone?
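    As an added example (not code from this post or from any project it mentions), the following Python script shows what the Wireshark filters above and the "mobile device sniffer" challenge boil down to when done by hand: walking the DHCP option list of a BOOTP packet, applying the same substring match as "bootp.option.value contains ...", and then checking whether the client host name (option 12) carries a long hexadecimal identifier of the kind described above. It is written for the defender auditing their own WLAN rather than for collecting identifiers: a network team can run it over captured DHCP DISCOVER payloads to learn which devices are announcing more than a name. The DHCP packet builder, the sample host names, and the "14 or more hex digits" rule for spotting a leaked identifier are all assumptions made here for the example; the MEID-bearing host name is constructed and not a real device value.

```python
"""Audit DHCP DISCOVER payloads for client host names that embed a device
identifier.  Mirrors the Wireshark 'bootp.option.value contains' filters
from the post, then adds an identifier-leak check on option 12 (Host Name).
Example code; the packet builder exists only to create offline test input."""
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCPDISCOVER = b"\x01"               # option 53 value for a DISCOVER

# Same byte strings the Wireshark filters match on (case-sensitive, like
# the 'contains' operator): android, BLACKBERRY, iPhone, HTC.
KEYWORDS = [b"android", b"BLACKBERRY", b"iPhone", b"HTC"]

# Assumption for this example: a run of 14+ hex digits inside a host name
# is treated as a leaked hardware identifier (an MEID is 14 hex digits).
IDENTIFIER_RE = re.compile(rb"[0-9A-Fa-f]{14,}")


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload."""
    # Fixed BOOTP header is 236 bytes; the magic cookie follows it.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:     # do not trust the declared length
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def classify_hostname(hostname: bytes):
    """Return the first matching vendor keyword, exactly as the filters do."""
    for kw in KEYWORDS:
        if kw in hostname:
            return kw.decode()
    return None


def audit_discover(payload: bytes) -> dict:
    """Classify one DHCP payload and flag identifier leakage in option 12."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != DHCPDISCOVER:
        return {"discover": False}
    hostname = opts.get(OPT_HOSTNAME, b"")
    return {
        "discover": True,
        "hostname": hostname.decode("ascii", errors="replace"),
        "vendor": classify_hostname(hostname),
        "leaks_identifier": bool(IDENTIFIER_RE.search(hostname)),
    }


def build_dhcp_discover(hostname: bytes, chaddr: bytes) -> bytes:
    """Construct a minimal DHCP DISCOVER (test input only, not a real capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x12345678, 0, 0x8000,  # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1]) + DHCPDISCOVER
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_END]))
    return header + options


# Constructed sample host names; the hex string is a placeholder, not an MEID.
SAMPLES = {
    "android_A1000000000001": build_dhcp_discover(b"android_A1000000000001", b"\x02\x00\x00\x00\x00\x01"),
    "Johns-iPhone":           build_dhcp_discover(b"Johns-iPhone", b"\x02\x00\x00\x00\x00\x02"),
    "laptop-01":              build_dhcp_discover(b"laptop-01", b"\x02\x00\x00\x00\x00\x03"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, audit_discover(pkt))
```

    Feeding real traffic to audit_discover only requires the UDP payload of each DHCP packet (the BOOTP header onward), which any capture library can hand over; nothing here depends on Wireshark. One practical note for the filters themselves: Wireshark 3.0 renamed the BOOTP dissector to DHCP, so on current releases the same filters are written with dhcp.option.value in place of bootp.option.value.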
