Forging cyber security experts. Secure Ninja.

Alicia: Hey everyone, I'm Alicia Webb with Secure Ninja TV, and I'm here at DEF CON 22, now speaking with Tod Beardsley. He is the pirate captain of the Metasploit Framework at Rapid7. That's quite a title. How are you, Tod?

Tod: I'm doing excellent, Alicia.

Alicia: Awesome. It's always good to see you, always good to talk with you. What the heck is a pirate captain?

Tod: The boring version of that title is engineering manager, but it's somewhat piratical because I work on open source software, you know, and on security all the time, and there are hundreds of people that contribute to this. So my job is kind of like, you know, just get them on the ship and keep going, you know. And they're all here; that's why I come.

Alicia: So you're the captain of a pirate ship of hundreds of people?

Tod: Yes.

Alicia: And they're all here?

Tod: Many of them. Not all of them, but many, many are here. And the great thing for me about DEF CON is that I get to see people that I've worked with, that I respect, that we get along with, and I've never seen them in person, you know. I met just today Spencer McIntyre; he's been doing a lot of work with us lately. OJ Reeves, who everybody loves, also known as TheColonial, he's here in town. I mean, I can name-drop all the time here. But yeah, every year I meet at least two or three people I've never met before, and it's great.

Alicia: Right. So I talk to you at a bunch of different shows, but it's safe to say that DEF CON is really where your crowd is at, the Metasploit crowd.

Tod: Exactly. These are my people.

Alicia: These are your people.

Tod: And everybody usually comes here at least once. It's harder to find a Metasploit contributor at some other shows, you know, three-letter-acronym shows, but at DEF CON it's quite easy to run into them. I probably talked to 20 today.

Alicia: Yeah, so it's definitely a cool crowd, and you're
definitely not the only person who brought your laptop here to the show today, but you did bring it because I think you might want to show me something cool.

Tod: I do. We have been noodling around on Android devices a lot, like how to own Android, what you're going to do once you've already owned Android, stuff like that. This is my sample phone. It's a Kyocera something-or-other. It's probably about a hundred, hundred twenty dollar phone, so a little bit low end, I guess, for rich hacker types like you and me, but it's fairly recent, it's out of the box, it's got all its updates. And this bug is just super persistent. It's called the WebView addJavascriptInterface bug. We at Metasploit, and we as the security industry, have been on this for like three years, and there have been assurances from Google, who maintains Android: "oh yeah, it's been fixed, it's patched." But between us, we think about seventy percent of Android devices out in the world that report in are vulnerable to some form of this attack via this bug. The ACLU thinks it's more like ninety-five percent, so I don't know where it really is; it depends kind of on how you count. So what I'm going to show you today is that this phone, which is nominally not vulnerable (it doesn't have the vulnerable version of this software), can become vulnerable quite easily by just downloading fairly popular apps from Google's Play Store. So, you know, I know you know the advice of, like, well, you should never sideload apps, you should always go to the Play Store because it's safe. Well, not so much. So we're going to go through that today.

Alicia: All right, well, let's see what you've got. I'm looking forward to seeing this.

Tod: So here we are. This is the Metasploit Framework console. This is the command line thing. This is the free and open-source interface that most people are using. I think, you know, I would like more people to use Pro, but, you know, the Framework is great. So what
we're going to do is, I've already kind of staged this up. I'm on the WebView addJavascriptInterface exploit here. This is a big wall of text that talks about it. And what we've got going on here is that basically what I'm going to do is fire up a web server that is serving this exploit. I'm going to visit it with this phone two times. I'm going to visit it first with the stock browser to show that it's not vulnerable, and then I'm going to use this alternate browser that's really popular. It's got a few million downloads, it's kind of big in Asia. It's not Chrome or anything like that, but it's popular, and it's from the Google Play Store. So [inaudible], this is the info. We're going to do show options, just to make sure I've got all my stuff set, and I'm on reverse TCP; that's good. Okay, so the other interesting thing about this is that this payload is the version of Meterpreter for Android. I've talked about Meterpreter before on this very show, or whatever this is, and Meterpreter is our stock rootkit, backdoor, persistence module, everything. It's like the kitchen sink of what to do after you pop the vulnerability. So it's interesting because this is the Android version, which is kind of new for us, and we're always working on it. We just did some updates to it just a couple of weeks ago, so it should be solid, but we'll find out right now. So we're going to hit run. You know, here's the URL. I'm just on a local network. I could be doing this over the internet, it's no big deal; it's just a little bit less logistically difficult, in the middle of a conference full of hackers, to do it locally. So I'm using this URL right here, this is [inaudible] 168.43.169. The easiest thing to do is just come over to this QR code, which maps directly to that. So I'm going to fire up my barcode scanner. There it is. You're scanning, Alicia, and no barcodes, and we're going to scan this. Okay, see that? We already talked to it, but that's okay, because
the barcode scanner, at least, is not vulnerable to this, so that's good. We're going to go to the browser right here. It's thinking about it, thinking about it, it's going to serve the exploit. It's not going to work, this is not going to work, guaranteed, because this is the stock Android browser, which is not vulnerable to this; it's been patched in 4.2, I think, of Android, and this operating system here is 4.2 or 4.3, one or the other; I can look it up later. So that's fine. So look at that, no shells. Really sad. So we're going to go back to the QR code, we're going to do this again, we're going to open the browser, and now I'm going to use my aftermarket browser, this guy right here, going to fire it up, and hopefully this works. I'm serving the exploit. There we go. Okay, so we see up here that I've got a session. According to this, I have a session now on my phone, which means I have a terminal in there. We're going to just put this to the side. So I have a Meterpreter session, identified as Java; the Android Meterpreter is technically the Java Meterpreter with some slight modifications. We're going to interact with this. I'm going to do an ls, and so now I see the working directory of the browser; that's what I'm in right now. So I have no idea what this google hotword thing is; I've never actually seen this before, so let's see what this is. Look at that, it's a bunch of stuff, and they're like names of people. I don't know what that is. So what we're going to do is change directory, like so, and now, as you can see, I can treat my phone like a computer, with no authentication. I didn't type in a username and password or anything like this. So what this browser is effectively, at this point, is a back door, because this bug is so old. This browser is a back door into my phone, and like I said, it's available in the Google Play Store. So all the advice you've ever heard of, like, oh, don't sideload apps, don't get them from places you
don't trust, that kind of doesn't apply here, because this thing is from a place I trust, from a real vendor, millions of downloads, vetted, available today on the Google Play Store, and it is a backdoor. So what we're going to do is, I think in the main directory here we can go to the SD card. This is where you save all your pictures and downloads and stuff. I only have the permissions of the browser, but you can see I can do kind of a lot of things here. I can go to the downloads, and this is where you keep, like, this is the place I keep my Dogecoin wallet, right? So I'll look at my Dogecoins. It's probably easier to scoot this way. cat it, and it's the backup of my wallet. So there you go. That's something you shouldn't be able to get at, like, ever. It's encrypted there, but all you have to do at this point is grab this string, run a decryption on it, and it's a normal password that someone's likely to type in on a phone. It's going to be short, it's going to be easy, and it's going to fall over fast, and then they can steal all my millions of Dogecoins.

Alicia: I know, and I love each and every one of them.

Tod: You know, obviously I like Dogecoin; Bitcoin is the same deal, DefCoin is the same deal. So that's where all those backups are. But here's some cool stuff here, because I'm in a Meterpreter shell here, so I can do webcam stuff. This stuff is really neat: webcam_list. And so, yeah, this guy has a camera, right? Let's go to the camera. It's got a rear camera. It'd be a little more dramatic with a front camera, but it doesn't have one; if it did, I would just pick that one. And I can do something along these lines: I can do webcam_snap. If you don't mind, Alicia, being my model, I'll just do it. I don't know, line it up or anything. Usually it does it sideways. What I do is snap, and so I can take pictures off of my victim's phone. Maybe that's a bit [inaudible] this way, maybe, I think maybe that way. This might be upside down, I don't know. I'm not
very good spatially, and I can do this all day long. Right, that is upside down, let's try one more time. So there we go. It's a little dark, the camera's a little crappy, but there you go. So I have a lot of control over this phone by just merely being the browser. And this is really, now I know what this bug is: if you have something along these lines on, what is it, the Google thing you wear on your face, the Glass, yeah, if you trigger this bug on the Google Glass, the default browser permissions on that give you a lot more, because Google Glass needs a lot more stuff. Because if I'm going to talk and do Hangouts and dictate things and all that, the browser is effectively that close to me, which basically means I get a shell on that thing on your face. A little bit creepy. And maybe someday this bug will be behind us, but it's been almost, over three years, and it has not yet. I hope this will get resolved somehow, someday. The problem is that it's this whole supply chain that puts this phone in my hand, right? Because we've got Google, who does Android, and then I have a phone manufacturer, Kyocera, who makes the phone and monkeys with it a little bit. I've got the carrier, which in this case is Boost Mobile, and they put on their own things. And then I have the retailer where I get it from, like Best Buy or Walmart or something, which is where you get these phones. These are off-the-shelf, like burner phones. I'm sorry, "burner phone" is for drug dealers; that's not what it is. These are month-to-month phones; that's where this is. So who is responsible for patching this thing? And then you have all the millions of app developers out there. So I don't know how to solve this today. Clearly we solved this with regular computers, like ten years ago now; we just have Windows Update and it all works and it has patches. I have notified the vendor of this over Twitter, like three months ago, and they
responded immediately. I was really surprised. "Oh yeah, we'll take a look at that, thanks for letting us know." Nothing after that. So I don't know. And you see I get a little depressed about this, like it hasn't been solved. The phones are ubiquitous. You know, I've got one right here, and I can instantly do this to this dude, which is like a real phone, it's kind of expensive, it's last year's Nexus or whatever. Yeah, but the fact that I can get backdoored from an app in the Play Store is just a disaster. I think it's a huge disaster.

Alicia: So an Android user, there's nothing they can do to protect themselves against this bug? They're buying from, you know, a trusted vendor, and they're doing everything right, they're getting their updates, and yet they're still vulnerable to backdoor-y sort of exploits like this.

Tod: And I know technically a backdoor is something that was put in there intentionally, but if I wanted to backdoor phones, this is exactly what I would do. I would just ship bugs, oops, you know? That's what I would do. I'm not even getting in trouble for it. It's like, well, you know, these guys are doing it, everybody's doing it. There are lots of apps that are vulnerable to this bug. A big part of this is the libraries that are used by the ads in free apps; you know, they're all little tiny web browsers too, and if I control one of those, I can, you know, snap pictures of you on your phone. So, yeah, I don't know what users can do other than talk to Google, make a stink. I know the ACLU, like I said, is aware of this problem. You know, in the US, the FTC is aware of this. They want to do something, but they want ideas of how to do this. I know Google's aware of it. They had floated something a while ago about how they were going to do some security checking before you get into the app store, which they were kind of
supposed to be doing already, but they were going to be more serious about it, where technically it was like, if your phone is not up to the latest-ish version of Android, you won't be able to talk to the app store anymore. But as we can see, it doesn't really matter, because I can still package up this exploit in an app itself.

Alicia: So, yeah, well, we'll definitely, you know, take this interview and put it out there to Google and everybody, and maybe something good will happen because of it.

Tod: That's why we publish Metasploit modules like this. It's just to show, like, bam, bam, bam, bam, how easy it is to do for somebody who's not all that smart, to knock this out, where somebody who was really smart and evil, you know, they would go a lot farther with this and steal all your Dogecoins or something.

Alicia: You know, one thing you've clarified for me that's really been on my mind, because I know you're a big fan of the Dogecoins.

Tod: Exactly.

Alicia: In my head I'd be like, "doggie coins," "doge," I don't know, I don't think it's "doggie," I think it's like, I just didn't know, and now I know. So thank you for that.

Tod: Am I canonical on that? It's okay, we're very accepting here in the Dogecoin community and the DEF CON community.

Alicia: Do you come down on "doggie" or "doge"?

Tod: I like those. There's a couple of other ones; some people just say "dog."

Alicia: Okay, so my brain kind of was correct on all levels. There's no wrong way.

Tod: There's no wrong way.

Alicia: Okay, there's no wrong way. [inaudible] No, no, no, it's your big fan, it's actually wrong. Wow. Okay, well, this is great. Thank you so much, I appreciate this. I'm glad that the hacker community and your people will be able to see this, and maybe something can be done about it, hopefully.

Tod: Yep.

Alicia: All right, everyone at home, thank you for watching. Make sure you subscribe to Secure Ninja TV, follow us on Twitter, like us on Facebook, check out our Instagram, and thank you so much for watching. I'm Alicia Webb. Secure Ninja TV is brought to you by secureninja.com,
a world leader in cyber security training and certification. Our master instructors will help build you into a highly skilled and marketable security professional. Secure Ninja: forging cyber security experts.