In this modern digital world, we’re often most concerned with remote hacks and scams when it comes to device security — but physical access to a device can provide a major opportunity to a targeted attacker. That's the case with a set of (thankfully fixed) vulnerabilities found by Google's Project Zero team, which require access to a device's USB port. If you're a security buff, you might remember this from the September 2018 security patch, noted briefly as an issue that could "enable a local attacker to bypass user interaction requirements to gain access to additional permissions."
In other words, all the attacker has to do is plug a USB stick into your phone and, bam, they're in. Well, as long as they were clever enough to figure out how to exploit two key storage-related Android vulnerabilities while doing some light hardware creation. Simple.
Okay, not simple — but now there's an entire step-by-step essay about it up on Project Zero, so it's pretty accessible at this point. That's why timely security patches and version updates are so crucial (here's glaring at you, Android manufacturers that aren't Google, Essential, and BlackBerry).
And in case you’re wondering why Google does what it does — the company’s vulnerability disclosure policy requires it to adhere to a 90-day deadline before public reveal (unless the bug is being actively exploited, in which case it’s seven days). This is to give vendors time to issue a patch, but also to apply pressure to make sure that a fix happens.
That aside, allow this non-security researcher to guide you through an extremely simplified version of the Project Zero report:
Step 1: Identify the target and gain access
Get your hands on any Android phone running software older than Android Pie and the September 2018 security patch. Plus, it has to support USB host mode, which is fairly prevalent. Google used the Pixel 2.
Step 2: Find your way in
The USB port is your foothold. When a USB stick is inserted into the phone, you can copy files between the phone's system and the stick — and even if the phone is locked, on Android versions before Pie, the device will still try to mount the USB. Thankfully, with Pie, Google created a fix that blocks USB sticks from mounting while the device is locked. The rest of the issues, detailed as we go on, were fixed with the August and September 2018 patches.
Step 3: Make contact
Plug the USB stick in. You're now communicating with the all-important kernel (the core of the phone's operating system), and vold, short for volume daemon, which handles the mounting of external storage and has kernel-equivalent privileges. It's going to inspect the partitions on the USB stick and work out their filesystem types.
Step 4: Bug out
Now, the phone is going to look for three key attributes of each partition — label, unique identifier, and filesystem type. Older partition schemes can't store the latter two, so Android extracts that info itself, invoking a tool called blkid. It's therefore possible to fake your way in with a crafted label, a unique identifier chosen by you (a string of numbers called UUID), and one of a fixed set of types.
There's a flaw in how vold parses the UUID and type, so by playing with the data just right, you can trick the phone into mounting the flash drive into the wrong part of the phone's file system.
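To make the Step 4 point concrete from the defender's side, here is an added illustration (my own code, not vold's and not anything from the Project Zero write-up) of why a mount daemon must treat blkid-style `KEY="value"` output as attacker-controlled. A naive parser accepts whatever the device claims as its UUID; a hardened parser insists the UUID and filesystem type look like a UUID and a known type, and independently checks that the resulting mount point stays under the expected root. The sample lines, the mount root `/mnt/media_rw`, and the filesystem allowlist are constructed assumptions for the demo.

```python
import os
import re

# Constructed sample blkid-style lines (assumptions for this demo, not real
# device output). The second line shows what a device can *claim* when the
# daemon trusts the reported fields: the "UUID" is not a UUID at all.
SAMPLE_NORMAL = '/dev/block/sda1: LABEL="PHOTOS" UUID="1234-ABCD" TYPE="vfat"'
SAMPLE_BAD_UUID = '/dev/block/sda1: LABEL="x" UUID="../../x" TYPE="vfat"'

# Assumed mount root and filesystem allowlist for the demo.
MOUNT_ROOT = "/mnt/media_rw"
ALLOWED_TYPES = {"vfat", "exfat", "ext4"}

# Accept FAT-style "XXXX-XXXX" serials or full 36-character UUIDs only.
UUID_RE = re.compile(
    r"^(?:[0-9A-F]{4}-[0-9A-F]{4}"
    r"|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_naive(line):
    """Naive parse: collect every KEY="value" pair and trust the values."""
    return dict(KV_RE.findall(line))


def check_device_claims(line):
    """Hardened parse: validate UUID and TYPE before anyone builds paths from them.

    Returns the validated fields, or None if the device's claims are rejected.
    """
    fields = parse_naive(line)
    uuid = fields.get("UUID", "")
    fstype = fields.get("TYPE", "")
    if not UUID_RE.match(uuid):
        return None  # reject implausible UUID (e.g. one containing '/' or '"')
    if fstype not in ALLOWED_TYPES:
        return None  # reject filesystem types we do not expect to mount
    return fields


def safe_mount_point(uuid):
    """Defense in depth: even a validated UUID must stay under MOUNT_ROOT.

    Returns the resolved mount point, or None if it would escape the root.
    """
    target = os.path.normpath(os.path.join(MOUNT_ROOT, uuid))
    if os.path.commonpath([MOUNT_ROOT, target]) != MOUNT_ROOT:
        return None
    return target


if __name__ == "__main__":
    for line in (SAMPLE_NORMAL, SAMPLE_BAD_UUID):
        naive_uuid = parse_naive(line).get("UUID")
        verdict = check_device_claims(line)
        print(f"naive UUID={naive_uuid!r}  strict={'accepted' if verdict else 'rejected'}"
              f"  naive mount={safe_mount_point(naive_uuid)!r}")
```

The two checks are deliberately independent: the strict parser rejects the bad line outright, and even if a future parser bug let an odd value through, `safe_mount_point` refuses to hand back a path outside the media root. Either layer alone would have been enough for this constructed input; a mount daemon should have both.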
Step 5: There's a hitch
But wait! It's not that easy; there are limitations. For one, with the filesystem type that you're using, the label is limited to 11 bytes, and writing out the first part of your attack — 'UUID="' — uses up six bytes alone. That leaves only five characters to type in a directory destination, and with that limit, you won't be able to get very deep into the system, so you can't wreak much havoc.
Step 6: Workaround
There are some filesystem types that have longer labels, but you'll have to make it through a separate set of checks. To make this work, you'll need to essentially provide different answers to the same question, so a regular USB drive won't do. This is where you break out the old Raspberry Pi and make a fake storage device that is capable of changing responses as needed. With this gadget, your path is clear to nabbing photos from external storage.
Step 7: Delve further
Need more than photos? Further trick the phone into thinking you're mounting a more secure USB stick (PrivateVolume, rather than PublicVolume). Do this by planting your own private key in what appears to be the phone's data, then mount a second device, which you can connect at that higher level of system trust using the key you made yourself. Now you can mount your own filesystem over the phone's user data, with your own rules. Because you control those permissions, you can let any process access files on your system.
Step 8: We're going deep
The zygote process is a good target. The zygote has access to almost all user data on the device. When it starts up on a system boot, you can inject your own malicious library of executable and linkable format (ELF) files, which will help you get an even higher level of control over the phone. One thing, though. When you attack, the zygote is already running.
Step 9: Time to crash
Find a way to kill the device, so you can inject the zygote while it's starting up. Google chose to trigger a crash by taking advantage of a bandwidth usage safety check that flips out if it can't write to disk and more than a certain amount of network traffic came in since the last successful write. It didn’t say whether this was also fixed.
Step 10: World (or phone) domination time
Your evil transformed zygote can bypass security checks and infiltrate the mechanism used to create dumps of crashing processes (crash_dump) in order to take over vold, giving you kernel-equivalent privileges.
Step 11: Even FURTHER
From there, it is possible for you to get from vold to the initialization process for security-enhanced Linux. After that, you can even get to the kernel, thus completely and totally gaining control of the device. A job well done.
Scary, fascinating, and extremely complicated stuff, right? The moral of the story: grab those security updates as quickly as you can, and never plug your phone into untrusted devices or cables. Our digital identities exist on incredibly complex and sometimes fragile systems — reports like this are a clear reminder of that.
If you'd like to further dive into the details, check out the even more in-depth rundown in the source link.