Yes, this scared me out too. So apprantly your android device can be hacked very easily. Here is a link to the video that shows you how, though its about 1 hour long. If you would rather want to know the gist of it than watching it the whole way through, read on!
And for those who want to watch the video: http://revision3.com/hak5/the-android-kos-attack
User scenario A: You have rooted your phone and adb access (USB debugging) is active - this case it makes it very easy for the hacker to gain access. To begin with there is a tool that is installed on the hacker's phone, lets call it phone A. Now you leave your phone (Phone B) alone in a party or a public place, the hacker gets his chance and connects his phone to yours using a USB OTG cable which he/she obviously carries. Runs a script on phone A which takes advantage of an android api that allows the script to run an application over the lock screen!
Once the application is runnig, you can open the main menu and do what not! The basic idea is to go to the home screen and then, if needed, root the phone, steal the authentication token and even log in to your google account! Needless to say that it can also steal your pictures and all apps' dbs.
User scenario B: No root, only USB debugging active - well in this case, its a bit tough to access the /data/data partition and hence the phone A reads the MTP protocol and can still steal all the media that your android phone allows via MTP. The lock screen is bypassed by using the api vulnerability as I explained in the previous point.
So what can you do to make sure it doesn't happen. To begin with, the hacker needs access to your phone. You can make sure that you don't leave your phone alone.
Another point to consider, do not connect your phone to random USB ports to get some charge! You never know what's behind that USB port. All this can easily be done on a laptop as well, so always good to be careful. Carry a battery pack or the charger with you at most times. In the video its also shown how he can enclose a small hacking USB machine in a small box that looks like a battery charger, funny thing is, it will start charging so you won't even notice that it is not a real charger! So stay away from wary looking chargers.
Last and the most effective, deactivate USB debugging at all times! If you need it, activate it when you need. Also if you root, make sure to lock the boot loader. So there it is!
PS: The scenario B holds for the iPhone users as well. The iPhone's MTP can be used to transfer and steal the data!
And for those who want to watch the video: http://revision3.com/hak5/the-android-kos-attack
User scenario A: You have rooted your phone and adb access (USB debugging) is active - this case it makes it very easy for the hacker to gain access. To begin with there is a tool that is installed on the hacker's phone, lets call it phone A. Now you leave your phone (Phone B) alone in a party or a public place, the hacker gets his chance and connects his phone to yours using a USB OTG cable which he/she obviously carries. Runs a script on phone A which takes advantage of an android api that allows the script to run an application over the lock screen!
Once the application is runnig, you can open the main menu and do what not! The basic idea is to go to the home screen and then, if needed, root the phone, steal the authentication token and even log in to your google account! Needless to say that it can also steal your pictures and all apps' dbs.
User scenario B: No root, only USB debugging active - well in this case, its a bit tough to access the /data/data partition and hence the phone A reads the MTP protocol and can still steal all the media that your android phone allows via MTP. The lock screen is bypassed by using the api vulnerability as I explained in the previous point.
So what can you do to make sure it doesn't happen. To begin with, the hacker needs access to your phone. You can make sure that you don't leave your phone alone.
Another point to consider, do not connect your phone to random USB ports to get some charge! You never know what's behind that USB port. All this can easily be done on a laptop as well, so always good to be careful. Carry a battery pack or the charger with you at most times. In the video its also shown how he can enclose a small hacking USB machine in a small box that looks like a battery charger, funny thing is, it will start charging so you won't even notice that it is not a real charger! So stay away from wary looking chargers.
Last and the most effective, deactivate USB debugging at all times! If you need it, activate it when you need. Also if you root, make sure to lock the boot loader. So there it is!
PS: The scenario B holds for the iPhone users as well. The iPhone's MTP can be used to transfer and steal the data!
Comments
Post a Comment