When it comes right down to it, few things are much scarier than finding out somebody can track your movements, read your call log and text messages, and even record audio and take pictures of whatever the phone can get, all without your knowledge. Here's the thing - as careful, security-conscious people, many of us already install software like that for our own purposes, usually to recover a phone in the event it should fall into the hands of thieves. Like a weapon intended for protection, sometimes our best defenses can be turned against us.

It was recently discovered that Cerberus anti theft, a tool we've talked about a few times in the past, has a weakness in its network protocol that allows a determined hacker to use brute-force methods to find the IMEI numbers of user devices and ultimately invoke any of Cerberus's functions. As many users are aware, the app is quite powerful and capable of many things, particularly on a rooted device.

cerberus

News of the weakness surfaced yesterday on a site called pauls blog, giving some details and background of the exploit and its implications. As described in the post, Cerberus's server does most of its communication with users (on both the app and the web interface) using only a phone's IMEI number in place of the common practice of generating an access token. The problem with doing this is that the 15-digit IMEI numbers unique to each phone are fairly predictable. It starts with an 8 digit Type Allocation Code (TAC) specific to each model of phone, followed by 6 digits belonging to the individual phone, and ends with a single mathematically generated digit to act as a checksum to verify the previous 14 digits are correct. This means that a hacker intent on targeting a single model of phone will only have to try 1 million possible IMEI numbers. With some additional work, these IMEIs can also be matched to usernames, and the passwords can be easily reset, if desired.

page
Top of the management page with phone selector dropdown.

header
HTTP Header requesting an update from the server.

The implications of this vulnerability are potentially disastrous for some users. Regular hackers rarely care much about call log or location history unless they already know who you are, but imagine if a determined individual could read your text messages, record audio from your microphone, snap pictures using a front-facing camera, or even worse - remotely wipe your device.

Luca Sagaria of LSDroid, the developer of Cerberus, has made a statement that the issue is already fixed in the upcoming final release of Cerberus 2.4. Since the real weakness is in the server protocol, an update to the app is likely needed to switch over to a new communication protocol. Paul has since updated his blog post to clarify that the flaw is present in the currently available beta version, which the Play Store entry lists as having been last updated on July 11th. Hopefully, the fix can be published before anybody is harmed by this exposure.

Update: Luca and Paul have confirmed that the issue is fixed on the server, and an updated version of the app is expected to be released August 18th or 19th. It's possible the current version of the app may not be fully functional, but the potential for exposure through the server has been removed.

If you are concerned with the safety and security of your devices running Cerberus, it is possible to remove the threat with a couple of methods. The simplest route for most people will simply be to uninstall the app, which removes any chance of it being remotely exploited. As an extra step, you can log into the website and remove your devices from the system, eliminating the potential for an attack that could expose your username and IMEI numbers. Alternatively, if you're rooted, you can temporarily freeze Cerberus using Titanium Backup or similar apps, wait for the fix, and then unfreeze it.

Source: pauls blog