17
Aug
unnamed

When it comes right down to it, few things are much scarier than finding out somebody can track your movements, read your call log and text messages, and even record audio and take pictures of whatever the phone can get, all without your knowledge. Here's the thing - as careful, security-conscious people, many of us already install software like that for our own purposes, usually to recover a phone in the event it should fall into the hands of thieves. Like a weapon intended for protection, sometimes our best defenses can be turned against us.

It was recently discovered that Cerberus anti theft, a tool we've talked about a few times in the past, has a weakness in its network protocol that allows a determined hacker to use brute-force methods to find the IMEI numbers of user devices and ultimately invoke any of Cerberus's functions. As many users are aware, the app is quite powerful and capable of many things, particularly on a rooted device.

cerberus

News of the weakness surfaced yesterday on a site called pauls blog, giving some details and background of the exploit and its implications. As described in the post, Cerberus's server does most of its communication with users (on both the app and the web interface) using only a phone's IMEI number in place of the common practice of generating an access token. The problem with doing this is that the 15-digit IMEI numbers unique to each phone are fairly predictable. It starts with an 8 digit Type Allocation Code (TAC) specific to each model of phone, followed by 6 digits belonging to the individual phone, and ends with a single mathematically generated digit to act as a checksum to verify the previous 14 digits are correct. This means that a hacker intent on targeting a single model of phone will only have to try 1 million possible IMEI numbers. With some additional work, these IMEIs can also be matched to usernames, and the passwords can be easily reset, if desired.

page
Top of the management page with phone selector dropdown.

header
HTTP Header requesting an update from the server.

The implications of this vulnerability are potentially disastrous for some users. Regular hackers rarely care much about call log or location history unless they already know who you are, but imagine if a determined individual could read your text messages, record audio from your microphone, snap pictures using a front-facing camera, or even worse - remotely wipe your device.

Luca Sagaria of LSDroid, the developer of Cerberus, has made a statement that the issue is already fixed in the upcoming final release of Cerberus 2.4. Since the real weakness is in the server protocol, an update to the app is likely needed to switch over to a new communication protocol. Paul has since updated his blog post to clarify that the flaw is present in the currently available beta version, which the Play Store entry lists as having been last updated on July 11th. Hopefully, the fix can be published before anybody is harmed by this exposure.

Update: Luca and Paul have confirmed that the issue is fixed on the server, and an updated version of the app is expected to be released August 18th or 19th. It's possible the current version of the app may not be fully functional, but the potential for exposure through the server has been removed.

If you are concerned with the safety and security of your devices running Cerberus, it is possible to remove the threat with a couple of methods. The simplest route for most people will simply be to uninstall the app, which removes any chance of it being remotely exploited. As an extra step, you can log into the website and remove your devices from the system, eliminating the potential for an attack that could expose your username and IMEI numbers. Alternatively, if you're rooted, you can temporarily freeze Cerberus using Titanium Backup or similar apps, wait for the fix, and then unfreeze it.

Source: pauls blog

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Alex Flynn

    Oh man. Freezing!

  • Brandon Jiang

    i dont have anyone after me and would be this determined to do this. i shallnt worry

    • Chris

      The NSA

      • kyrios

        Yeah, well, I'm sure the NSA (even if they were after me) has the resources to get what they want, Cerberus or not.

  • Redkite

    Preyproject.com

    • Paul Henning

      $5 monthly fee and no OS integration. No thanks.

  • Tx Redneck

    @Android Police, yall should edit the article to include the post/statement from the device. It's as follow.

    "Luca Sagaria
    I'm sorry for the one-liner, I was (and am) working round the clock to fix everything and planned to release a statement later.

    Anyway, server-side the bug was fixed yesterday. This means that the exploit won't work, and you can safely keep Cerberus (whatever version you have) installed on your device. I know the guy who found the exploit says otherwise, but that's not true. Here is the IMEI number of my Nexus 4: 356489051656994, in case he wants to send a wipe command to the phone and prove me wrong.

    An update of the app will be published tomorrow or on Monday, and after that we will release a longer statement. Thanks for your patience.

    --
    Luca Sagaria
    Cerberus support
    http://www.lucasagaria.com
    https://twitter.com/lsag"

    • http://www.androidpolice.com/ Artem Russakovskii

      We'll update in just a bit.

    • briankariu

      I had already revoked administrator and root rights. Seems I was just being paranoid :)

  • Pradeep Viswanathan R

    PHP!

    • Haden

      LONG LIVE!

  • John

    A determined hacker? That's like saying you're going to win the lottery. Also, I swear I read an article earlier this year about the same thing. It will have been fixed by now.

  • Marco Antônio

    It's very convenient to see a post like this, exposing a "so huge" threat of a very big brutal force investment to find your IMEI AND you PASSWORD just a little time after the announcement of the Google's own app of this kind of service... isn't it?! What could smell something in the air....

    • http://www.androidpolice.com/ Artem Russakovskii

      I'm not even sure what you're implying exactly...

      • Steve Giralt

        Another person who thinks that "Android Police" means you are a Google/Android entity

        • cabbiebot

          Seriously? There are people that think that AP shills for Google? That is hilarious. There are other sites that shill but this is not one of them.

      • n0th1ng_r3al

        He is implying that he is an idiot.

    • Scott

      You need to lay off the crack...

  • Mr. Mark

    "...or even worse - remotely wipe your device". uhhh, im pretty sure recording audio/video and taking pics remotely to spy on me while i'm beating off is worse than remotely wiping my device. if they were to remotely wipe my device, they wouldn't be able to spy on me or ex-filtrate data anymore. if anything, they'd be doing me a favor...

  • lordmerovingian

    So basically if I'm NOT running this app in the first place I'm not in any threat of having a determined hacker getting to control my device via a flaw in Cerberus's servers? OK.

  • Magneira

    Ow i thought i was reading the verge with that headline, pretty sensationalist... nothing to see here that is really scary, just move along people...

  • Mervyn Bailey

    Hi,
    It seems the Cerberus app in my phone has been compromised by malware. I cannot uninstall it, I put in my username and password (correctly) only to be told "wrong username and password".
    While that happens, I cannot override the administrator controls to uninstall the app and remove the malware. Does anybody have any suggestions?
    Thanks, bigmerv8@gmail.com