Breaking

Corporate Espionage via Mobile Compromise: A technical deep dive

This is a guest post from David Weinstein

Mobile devices play an important role in the business world. Yet with increased emphasis on the Bring Your Own Device (BYOD) model, defenses are not where they need to be to slow the loss of valuable intellectual property.

Corporate defenses have traditionally focused on the network, the endpoints, and not necessarily on the ecosystem of how these devices interact outside of network sockets. Smartphones bring unique network connectivity, an array of sensors, and can be overlooked by resources invested on IDS/IPS not being effectively leveraged.

Getting to the core of an exemplar attack, a Mobile Remote Administration Tool (RAT) is devastating. With access to the microphone, GPS/network location, camera, and an accelerometer, having control of a mobile device in a corporate setting is a dream for an attacker. We’ve improved an open source RAT and introduced a new feature, the ability to turn the mobile device into a virtual person sitting at the computer, able to type commands into the console.

Using a USB device to gain access to a computer is not new and the dangers of an unprotected port are extraordinary (see upcoming troopers talk, You wouldn’t share a syringe. Would you share a USB port? Bratus & Goodspeed). The takeaway from this particular talk is that the attack need not be performed from a specialized device (Teensy, Facedancer), like a thumb drive. The attack can be mounted from a common device that is routinely plugged into computers for charging or data transfer purposes… the Android mobile phone in your employee’s pocket!

Mobile devices with USB connectivity support the ability to operate as either a USB ‘slave’ or ‘master’ and can switch roles easily thanks to the USB On-the-go specification. Android uses the Linux-USB Gadget API Framework to support protocols such as Android Debug Bridge (ADB), Media Transfer Protocol (MTP), docking stations, and network tethering, among others. These features are very useful and are part of what makes use of mobile devices so enjoyable. Yet these features can be used together combined with HID keyboard emulation to mount an attack and gain a foothold within the corporate boundary.

The gadget API makes it easy for peripherals and specific gadget drivers to come together as a composite USB device, exposing a number of unique features simultaneously to the host or target enterprise system.

Let’s look a little at how Android (in drivers/usb/gadget/android.c) uses the gadget framework to implement some of its features:

static struct android_usb_function *supported_functions[] = {
   &adb_function,
   &acm_function,
   &mtp_function,
   &ptp_function,
   &rndis_function,
   &mass_storage_function,
   &accessory_function,
   &audio_source_function,
   &dm_function,
   NULL
};

Here we see that a number of function “drivers” exist for protocols like adb, mtp, ptp, ethernet over usb (rndis), as we expected. We can add our own new function, the ‘hid_function.’

static struct android_usb_function hid_function = {
   .name        = "hid",
   .init        = hid_function_init,
   .cleanup     = hid_function_cleanup,
   .bind_config = hid_function_bind_config,
   .attributes  = hid_function_attributes
};

And we’ll need to add it to the current set of supported functions…

static struct android_usb_function *supported_functions[] = {
   &adb_function,
   &acm_function,
   @@ -828,6 +1016,7 @@ static struct android_usb_function *supported_functions[] = {
   &accessory_function,
   &audio_source_function,
   &dm_function,
   &hid_function,
   NULL
};

We’ll need a keyboard descriptor to represent what our USB device is to the framework, but also this descriptor is how the host system determines what the USB device is:

/* hid descriptor for a keyboard */
static struct hidg_func_descriptor hid_kb = {
   .subclass           = 0, /* No subclass */
   .protocol           = 1, /* Keyboard */
   .report_length      = 8,
   .report_desc_length = 63,
   .report_desc        = {
       0x05, 0x01,  /* USAGE_PAGE (Generic Desktop)?          */
       0x09, 0x06,  /* USAGE (Keyboard)                       */
       0xa1, 0x01,  /* COLLECTION (Application)               */
       0x05, 0x07,  /*   USAGE_PAGE (Keyboard)                */
       0x19, 0xe0,  /*   USAGE_MINIMUM (Keyboard LeftControl) */
       0x29, 0xe7,  /*   USAGE_MAXIMUM (Keyboard Right GUI)   */
       0x15, 0x00,  /*   LOGICAL_MINIMUM (0)                  */
       0x25, 0x01,  /*   LOGICAL_MAXIMUM (1)                  */
       0x75, 0x01,  /*   REPORT_SIZE (1)                      */
       0x95, 0x08,  /*   REPORT_COUNT (8)                     */
       0x81, 0x02,  /*   INPUT (Data,Var,Abs)                 */
       0x95, 0x01,  /*   REPORT_COUNT (1)                     */
       0x75, 0x08,  /*   REPORT_SIZE (8)                      */
       0x81, 0x03,  /*   INPUT (Cnst,Var,Abs)                 */
       0x95, 0x05,  /*   REPORT_COUNT (5)                     */
       0x75, 0x01,  /*   REPORT_SIZE (1)                      */
       0x05, 0x08,  /*   USAGE_PAGE (LEDs)                    */
       0x19, 0x01,  /*   USAGE_MINIMUM (Num Lock)             */
       0x29, 0x05,  /*   USAGE_MAXIMUM (Kana)                 */
       0x91, 0x02,  /*   OUTPUT (Data,Var,Abs)                */
       0x95, 0x01,  /*   REPORT_COUNT (1)                     */
       0x75, 0x03,  /*   REPORT_SIZE (3)                      */
       0x91, 0x03,  /*   OUTPUT (Cnst,Var,Abs)                */
       0x95, 0x06,  /*   REPORT_COUNT (6)                     */
       0x75, 0x08,  /*   REPORT_SIZE (8)                      */
       0x15, 0x00,  /*   LOGICAL_MINIMUM (0)                  */
       0x25, 0x65,  /*   LOGICAL_MAXIMUM (101)                */
       0x05, 0x07,  /*   USAGE_PAGE (Keyboard)                */
       0x19, 0x00,  /*   USAGE_MINIMUM (Reserved)             */
       0x29, 0x65,  /*   USAGE_MAXIMUM (Keyboard Application) */
       0x81, 0x00,  /*   INPUT (Data,Ary,Abs)                 */
       0xc0         /* END_COLLECTION                         */
   }
};

A standard Android gadget function must implement a few functions, an init, cleanup, and bind_config functions:

static struct android_usb_function hid_function = {
   .name        = "hid",
   .init        = hid_function_init,
   .cleanup     = hid_function_cleanup,
   .bind_config = hid_function_bind_config,
  .attributes   = hid_function_attributes
};

These functions are callbacks for the framework that will be executed when appropriate. It turns out that the gadget framework already has a very helpful template for the HID gadget located in drivers/usb/gadget/f_hid.c, so we can use this implementation and just need to “glue” the Android gadget to the existing HID gadget implementation in the common kernel source tree. When we are done we’ll have a new device in the /dev tree called hidg0 which can be used to write USB HID keyboard scancodes. In essence we’ll then be able to send a keystroke from the phone to the host with a simple echo command on the phone:

$ echo -ne "\x00\x00\x04\x00\x00\x00\x00\x00" > /dev/hidg0 # send 'a' button down
$ echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00" > /dev/hidg0 # all buttons up

For the rest of the details, well you’ll have to wait for the talk 😉

About the author:

David Weinstein is a mobile security researcher at viaForensics (http://www.viaforensics.com).

viaForensics is a leading-edge provider of mobile security products, committed to advancing the state of mobile security worldwide. Our unique mobile security products and services provide broad coverage for the large mobile security attack surface, including mobile devices, apps and end users. As mobile apps and devices proliferate in the workplace, viaForensics’ products allow companies and governments to be proactive rather than reactive in their approach to security. Founded in 2009, viaForensics has established strategic partnerships with Fortune 500 companies as well as small and mid-sized enterprises, while also working closely with numerous government agencies.

Leave a Reply

Your email address will not be published.