Vulnerable Out of the Box: An Evaluation of Android Carrier Devices

DEF CON 26

Presented by: Ryan Johnson, Angelos Stavrou
Date: Friday August 10, 2018
Time: 12:00 - 12:45
Location: Track 1

Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase. This means that the vulnerabilities are present even before the user enables wireless communications and starts installing third-party apps. To quantify the exposure of the Android end-users to vulnerabilities residing within pre-installed apps and firmware, we analyzed a wide range of Android vendors and carriers using devices spanning from low-end to flagship. Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide. We will provide details of vulnerabilities in devices from all four major US carriers, as well two smaller US carriers, among others. The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), obtaining and modifying a user’s text messages, sending arbitrary text messages, and getting the phone numbers of the user’s contacts, and more. All of the aforementioned capabilities are obtained outside of the normal Android permission model. Including both locked and unlocked devices, we provide details for 37 unique vulnerabilities affecting 25 Android devices with 11 of them being sold by US carriers. In this talk, we will present our framework that is capable of discovering 0-day vulnerabilities from binary firmware images and applications at scale allowing us to continuously monitor devices across different manufacturers and firmware versions. During the talk, we plan to perform a live demo of how our system works.

Ryan Johnson

Ryan Johnson is a PhD student at George Mason University in Fairfax, VA. His research interests are static and dynamic analysis of Android apps and reverse engineering. He is a co-founder of Kryptowire LLC.

Angelos Stavrou

Dr. Angelos Stavrou founded Kryptowire LLC, and he is an Associate Professor at George Mason University (GMU) and the Director of the Center for Assurance Research and Engineering (CARE) at GMU.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats