Many Android smartphones come with debug ports open for remote connections
Well-known information security specialist Kevin Beaumont warned that many Android smartphone manufacturers leave the Android Debug Bridge (ADB) functionality enabled by default, which exposes devices to attacks, including remote ones. The ADB over WiFi option lets developers connect to a device over Wi-Fi as well, without a USB cable.
This problem is not new. Back in February 2018, Qihoo 360 Netlab analysts discovered the ADB.miner malware, which scanned the network for devices with open ADB debug ports (most often port 5555). Because Android runs on more than smartphones and tablets, smart TVs and various TV set-top boxes, for example, were infected as well.
Now Beaumont has drawn attention to the problem and tried to work out how many such devices exist. In many devices the ADB over WiFi functionality is active out of the box, and their owners, as a rule, do not even know about it. A remote connection to the device in debug mode guarantees the attacker root rights and the ability to covertly install any malware on the device and execute any code. None of this requires any authentication or password.
The researcher writes that this problem is relevant for countless devices that are easily found online. While investigating the situation, the specialist was able to find a variety of problematic devices, from DVR systems in Hong Kong to mobile phones in South Korea and tankers in the United States.
After the expert's publication attracted the attention of the community, others began to respond to the problem. The Shodan search engine added the ability to search for devices with an accessible Android Debug Bridge interface, and the index of such devices is now growing rapidly every day. Beaumont found over 80,000 problematic devices in China alone.
Update: Shodan have now added support for Android Debug Bridge, and crawlers are now running. Will take a while to update. pic.twitter.com/rlU0I3XzNm
— Kevin Beaumont (@GossiTheDog)
Beaumont's colleagues and Qihoo 360 experts have also already published new data on the aforementioned ADB.miner malware, which turned out to be still active. In the last month alone, more than 30 million scans have been recorded.
@GossiTheDog inspired me to take a look back at the ADB.Miner worm, which I've been fingerprinting on February. It seems that it lives and it feels pretty well. I've checked out two days (4th, 5th of June) - about 40 000 unique IP addresses. I'll provide some deep analysis soon. pic.twitter.com/HZcTkMPW5o
— Piotr Bazydło (@chudyPB) June 8, 2018
It is worth noting that the situation is complicated by the existence of a special module for Metasploit, which helps to automate calls to Android devices on port 5555.
Currently, experts recommend that all owners of devices running Android check whether their manufacturer has left the ADB interface available by default. Beaumont also advises blocking incoming connections on port 5555 for user devices, which will help make most scans useless.
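One way to run the recommended check on a device you own, as an added example that is not from the original article: the script parses the output of `adb shell getprop` (taken over USB) and reports whether the ADB daemon is configured to listen on TCP. The function names and the sample dumps are constructed for illustration, and the property lookup order is assumed to follow AOSP's adbd.

```python
import re

# `getprop` prints one property per line in the form: [key]: [value]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>.*)\]\s*$")

def parse_getprop(text):
    """Turn a `getprop` dump into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def adb_tcp_port(props):
    """Return the TCP port adbd is configured to listen on, or None."""
    # Assumption (AOSP adbd behaviour): service.adb.tcp.port is read first,
    # persist.adb.tcp.port only when the first one is empty or unset.
    raw = props.get("service.adb.tcp.port", "") or props.get("persist.adb.tcp.port", "")
    try:
        port = int(raw)
    except ValueError:
        return None
    return port if port > 0 else None

def audit(text):
    """List the ADB-over-network findings for one getprop dump."""
    props = parse_getprop(text)
    port = adb_tcp_port(props)
    findings = []
    if port is not None:
        findings.append(f"ADB over TCP enabled on port {port}")
        # ro.adb.secure=1 makes adbd require an approved RSA key from the host
        if props.get("ro.adb.secure") != "1":
            findings.append("ADB key authentication is off (ro.adb.secure != 1)")
    return findings

# Constructed sample dumps, not taken from any real device
EXPOSED = "[ro.adb.secure]: [0]\n[ro.product.model]: [ExampleBox]\n[service.adb.tcp.port]: [5555]\n"
SAFE = "[persist.adb.tcp.port]: []\n[ro.adb.secure]: [1]\n[service.adb.tcp.port]: [-1]\n"

if __name__ == "__main__":
    for name, dump in (("EXPOSED", EXPOSED), ("SAFE", SAFE)):
        print(name, audit(dump) or "no ADB-over-TCP exposure found")
```

An empty result only covers the classic TCP listener controlled by these properties; the port 5555 firewall rule is still worth applying at the network edge.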