Cerberus anti-theft app has exploit allowing access to any device

Tags: cerberus, exploit, anti theft, IMEI


#1 eyecre8

eyecre8

    Mod/News Team Leader

  • Moderator
  • 108 posts
  • Google+:eyecre8
  • LocationOhio/Florida
  • Current Device(s):2 Razr's (xt912) & Asus TF700T

Posted 19 August 2013 - 08:33 AM

Cerberus is a popular anti-theft application for Android devices (listed as one of the top 50 Android apps of 2013).
 
It allows you to remotely control your device if it has been lost or stolen. Features include: 
  • locate/track your device
  • start alarms
  • get a list of recent calls
  • download SMS messages
  • take pictures
  • record video
  • record audio
  • + many other features
all of which can be done discreetly, without the “thief” knowing that you are tracking the phone down in an attempt to recover it. Really cool and useful features, right? A recent security hole found in the application could allow anyone access to your device and the ability to listen to your conversations, among other things.
 
Like most applications, you use a username and password to authenticate with the Cerberus servers. The problem here lies with what’s happening on the back-end. When you log in with your username and password, the Cerberus API replies with a “device ID”, which is a seemingly random 15-digit generated number, almost like a session ID cookie. This ID is then used in subsequent requests to “authenticate” you. Further investigation reveals that this number is your device IMEI number and NOT a randomly generated session token.
 
Breakdown of an IMEI number:
IMEI numbers are not distributed uniformly at random. The first 8 digits of an IMEI represent the Type Allocation Code (TAC), which is determined by the model of the phone. For example, on a Samsung Galaxy Note 2, the first 8 digits of the IMEI are 35362705. Although this is the most significant portion of the IMEI number, it is not private information. Knowing the model of a phone (or guessing the model) is sufficient to guess most of an IMEI number. After the 8-digit TAC there are 6 digits that uniquely identify the specific device. These 6 digits are the only digits that are difficult for an attacker to guess. After those 6 digits, the last digit is a Luhn checksum digit, which is computed as a function of the first 14 digits. Thus, in a 15-digit IMEI number there is a relatively low amount of randomness.
 
The attack:
You can easily generate 10^6 (1,000,000) numbers within seconds; it’s verifying them that takes time. To verify that an IMEI # has been registered with Cerberus on their system you have to fire off an HTTP request. You can typically send 14 verifications a second in a single thread. One could verify ALL IMEI numbers for, for example, a Samsung Galaxy Note 2 within 15 hours. The author managed to randomly generate a bunch of IMEIs (with the Note 2 TAC) and verify his own IMEI within 2 hours. When “verifying” an IMEI number, the Cerberus API kindly returns the username and SHA1-hashed password associated with that device = PROFIT!
 
So you have an encrypted hash. You could run the password hash through a rainbow table, but that would take a while. Besides, Cerberus has made it much easier for us. When you reset your password via the Android app, it sends a request with only your device ID (IMEI) and new password. No username or old password is asked for to verify who you are. When you've updated the password for the account associated with that device, you can log in via the Cerberus dashboard and control the phone as if it were your own. Again, the author has successfully tried this out on two of his Android phones with trial accounts.
 
The Fix:
Shortly after being notified of this exploit, the application owner promptly fixed the issue server-side. He also stated that a new version (2.4) of the app will contain the fix.
It is advised to verify you are running the most up to date (patched) version as well.
 
 
My name is Eyecre8 and I approve this message!
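Quantifying the point the post makes about IMEI entropy, as an added example that is not from the post or from Cerberus: the code below computes the Luhn check digit, assembles a well-formed IMEI from the Note 2 TAC the post quotes (35362705) and a constructed serial of 000000 (a placeholder, not a real device), and works out how many candidates remain once the TAC is known and how long an exhaustive check would take at the 14-requests-per-second rate the post cites. It goes slightly beyond the post by also computing the unknown-TAC case and by contrasting the result with a session token drawn from the OS CSPRNG via secrets.token_urlsafe, which is the kind of value a login response should hand back instead of a device identifier.

```python
"""Why an IMEI makes a poor session credential: Luhn structure and search space.

Added example, not code from the forum post or from Cerberus. The TAC and the
14-requests-per-second rate are the figures quoted in the post; the serial
000000 is a constructed placeholder, not a real device.
"""
import math
import secrets
from typing import Tuple

TAC_NOTE2 = "35362705"          # 8-digit Type Allocation Code quoted in the post
SERIAL_DIGITS = 6               # per-device digits an outsider cannot derive
VERIFICATIONS_PER_SECOND = 14   # single-thread rate quoted in the post


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of digits.

    Walking the payload from the right, every other digit (starting with the
    rightmost) is doubled and digit-summed; the check digit is whatever makes
    the total a multiple of 10, so it is fully determined by the payload.
    """
    if not payload.isdigit():
        raise ValueError("payload must contain only digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def build_imei(tac: str, serial: str) -> str:
    """Assemble a 15-digit IMEI from an 8-digit TAC and a 6-digit serial."""
    if len(tac) != 8 or len(serial) != SERIAL_DIGITS:
        raise ValueError("TAC must be 8 digits and serial 6 digits")
    body = tac + serial
    return body + str(luhn_check_digit(body))


def is_well_formed_imei(imei: str) -> bool:
    """True if imei is 15 digits and its last digit is the Luhn check digit."""
    return (len(imei) == 15 and imei.isdigit()
            and luhn_check_digit(imei[:14]) == int(imei[14]))


def candidate_count(tac_known: bool = True) -> int:
    """Number of well-formed IMEIs consistent with what an outsider knows.

    With the TAC known from the phone model only the serial varies (10**6);
    the check digit adds nothing because it is computed from the rest.
    """
    unknown_digits = SERIAL_DIGITS if tac_known else SERIAL_DIGITS + 8
    return 10 ** unknown_digits


def entropy_bits(candidates: int) -> float:
    """Bits of uncertainty in a uniformly chosen value from `candidates`."""
    return math.log2(candidates)


def exhaustive_check_hours(candidates: int, per_second: float) -> float:
    """Wall-clock hours to test every candidate at a fixed request rate."""
    return candidates / per_second / 3600


def random_session_token(nbytes: int = 32) -> Tuple[str, int]:
    """An opaque token from the OS CSPRNG and its entropy in bits."""
    return secrets.token_urlsafe(nbytes), nbytes * 8


if __name__ == "__main__":
    imei = build_imei(TAC_NOTE2, "000000")
    n = candidate_count()
    print(f"constructed IMEI {imei}, well-formed: {is_well_formed_imei(imei)}")
    print(f"candidates for one TAC: {n:,} (~{entropy_bits(n):.1f} bits)")
    print(f"hours to test all at {VERIFICATIONS_PER_SECOND}/s: "
          f"{exhaustive_check_hours(n, VERIFICATIONS_PER_SECOND):.1f}")
    token, bits = random_session_token()
    print(f"random session token {token} ({bits} bits)")
```

Because the check digit is a function of the other 14 digits, the 15-digit number carries under 20 bits of uncertainty against someone who knows the phone model, against 256 bits for the random token; the exposure rests on the server treating a guessable identifier as a credential, not on the identifier being insufficiently hidden.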
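The password-reset weakness the post describes (a reset request carrying only the device ID and the new password) placed beside a hardened model, as an added example that is neither Cerberus code nor its real API: the account record, the function names and the 353627050000002 IMEI are all constructed for illustration. The hardened store issues a random session token at login, demands that token plus the current password before a reset, and its device lookup answers only yes or no, never a username or password hash.

```python
"""Password reset bound to a device identifier vs. bound to an authenticated session.

Added example, not Cerberus code; the functions below are a hypothetical model
of the behaviour the post describes, not the real endpoints.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed sample account keyed by IMEI; the IMEI is a placeholder, not a real device.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "353627050000002": {"user": "alice",
                        "pw_sha1": hashlib.sha1(b"correct horse").hexdigest()},
}


def reset_password_as_described(device_id: str, new_password: str) -> bool:
    """Model of the flaw: whoever knows the device ID can set a new password."""
    acct = ACCOUNTS.get(device_id)
    if acct is None:
        return False
    acct["pw_sha1"] = hashlib.sha1(new_password.encode()).hexdigest()
    return True


class AccountStore:
    """Hardened model: resets are bound to a random session, never to the IMEI."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}      # username -> salt, hash, device_id
        self._sessions: Dict[str, str] = {}    # session token -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted, iterated hash instead of a bare SHA1 of the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, device_id: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                 "device_id": device_id}

    def login(self, username: str, password: str) -> Optional[str]:
        """Return an opaque session token, or None on bad credentials."""
        u = self._users.get(username)
        if u is None or not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            return None
        token = secrets.token_urlsafe(32)   # unguessable and unrelated to the IMEI
        self._sessions[token] = username
        return token

    def reset_password(self, token: str, old_password: str, new_password: str) -> bool:
        """Require a live session AND the current password; then revoke sessions."""
        username = self._sessions.get(token)
        if username is None:
            return False
        u = self._users[username]
        if not hmac.compare_digest(u["hash"], self._hash(old_password, u["salt"])):
            return False
        u["salt"] = os.urandom(16)
        u["hash"] = self._hash(new_password, u["salt"])
        self._sessions = {t: n for t, n in self._sessions.items() if n != username}
        return True

    def device_registered(self, device_id: str) -> bool:
        """Existence check only: never echo credentials for a device ID."""
        return any(u["device_id"] == device_id for u in self._users.values())
```

The two designs differ in what a request has to prove: the first accepts a value that the post shows can be enumerated per phone model, while the second accepts only a token the server itself generated for a password-authenticated login, and it invalidates outstanding sessions once the password changes.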

#2 livinginkaos

livinginkaos

    I don't know what I'm doing anymore.....

  • Administrator
  • 15,282 posts
  • Google+:Hangouts - livinginkaos@gmail.com
  • LocationOregon
  • Current Device(s):Samsung S8+ / Pixel XL 128gb / iPhone 7+ 256gb / iPad Pro 12.9" / Samsung Chromrbook Plus / Pixel C / Nexus 6p 128gb / Nexus 6 / Nexus 6 on Fi / Nexus 9 / Moto 360^2 / Nvidia Shield TV Pro / Nvidia Shield Tablet / HTC EVODesign on FreedomPop / Chromecast / Surface Pro 3 i7 / Samsung Tab Pro 12.2 / Lenovo Win8 Tab / Eee Slate / '13 Nexus 7

Posted 19 August 2013 - 08:46 AM

Once again, nicely done eyecre8 !! From My S4 Dev Edition



#3 sparky697

sparky697

    Droid Elite

  • Members
  • 1,093 posts
  • Twitter:sparky697

Posted 19 August 2013 - 08:55 AM

Wow. I wonder how many people were affected. Nice to see them respond quickly with a fix though.

Sent from my GT-I9505G using Tapatalk 2



#4 eyecre8

eyecre8

    Mod/News Team Leader

  • Moderator
  • 108 posts
  • Google+:eyecre8
  • LocationOhio/Florida
  • Current Device(s):2 Razr's (xt912) & Asus TF700T

Posted 19 August 2013 - 09:07 AM

sparky697 wrote:
Wow. I wonder how many people were affected. Nice to see them respond quickly with a fix though.

I noticed on the Google Play site that they claim "1,000,000 - 5,000,000" installs.

All in all, the program seems to be a solid app with great reviews.

It definitely sounds like a useful application with a relatively low price for the full version ($3.99).

And as Sparky stated, they took action on the flaw quickly once reported. =)


My name is Eyecre8 and I approve this message!

#5 cmh714

cmh714

    Tech Service & Beyond

  • Smod
  • 3,272 posts
  • LocationSoCal
  • Current Device(s):Nexus 6

Posted 21 August 2013 - 07:10 AM

Another excellent write-up from eyecre8!
