Cerberus is a popular anti-theft application for Android devices (listed as one of the top 50 best Android apps of 2013).
It allows you to remotely control your device if it has been lost or stolen. Features include:
- locate/track your device
- start alarms
- get a list of recent calls
- download SMS messages
- take pictures
- record video
- record audio
- + many other features
all of which can be done discreetly, without the “thief” knowing you are tracking the phone down in an attempt to recover it. Really cool and useful features, right? A recently found security hole in the application could allow anyone access to your device, including the ability to listen to your conversations, among other things.
Like most applications, you use a username and password to authenticate with the Cerberus servers. The problem lies in what happens on the back-end. When you log in with your username and password the Cerberus API replies with a “device ID”, a seemingly random 15-digit number that is then used in subsequent requests to “authenticate” you, much like a session ID cookie. Further investigation reveals that this number is your device's IMEI number and NOT a randomly generated session token.
Breakdown of an IMEI number:
IMEI numbers are not distributed uniformly at random. The first 8 digits of an IMEI are the Type Allocation Code (TAC), which is determined by the manufacturer and model of the phone. For example, on a Samsung Galaxy Note 2 the first 8 digits of the IMEI are 35362705. Although this is the most significant portion of the IMEI, it is not private information: knowing (or guessing) the model of a phone is enough to guess most of its IMEI. After the 8-digit TAC come 6 digits that identify the specific unit; these 6 digits are the only part an attacker has to search, a keyspace of just 10^6 (1,000,000) values. The final, 15th digit is a Luhn check digit computed from the first 14, so it adds no uncertainty at all. A 15-digit IMEI therefore carries very little entropy (about 20 bits once the TAC is known).
The attack:
You can generate all 10^6 (1,000,000) candidate numbers for a TAC within seconds; it is verifying them that takes time. To check whether an IMEI has been registered with Cerberus you have to fire off one HTTP request per candidate. A single thread can typically send about 14 verifications a second, so every IMEI for, say, a Samsung Galaxy Note 2 can be checked in under a day (roughly 20 hours at that rate), and faster with more threads. The author generated IMEIs with the Note 2 TAC in random order and hit his own IMEI within 2 hours. When an IMEI is “verified” the Cerberus API kindly returns the username and SHA1-hashed password associated with that device = PROFIT!
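To make the keyspace arithmetic concrete, here is an added example (not the original researcher's tool and not Cerberus code) that builds every Luhn-valid IMEI for the Note 2 TAC quoted above and walks the space against a lookup function. The lookup is a constructed in-memory registry standing in for the Cerberus verification request, so nothing touches the network; the victim account, password and serial number are invented for the demonstration.

```python
"""IMEI keyspace enumeration (added example; constructed data, no network)."""
import hashlib
import time

TAC_NOTE2 = "35362705"  # 8-digit Type Allocation Code quoted in the text


def luhn_check_digit(prefix14: str) -> str:
    """Return the Luhn check digit that completes a 14-digit IMEI prefix."""
    total = 0
    # Walk from the right: the digit next to the check digit is doubled,
    # then every second digit after that.
    for i, ch in enumerate(reversed(prefix14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_imei(imei: str) -> bool:
    """Structural check only: 15 digits whose last digit is the Luhn digit."""
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == imei[14]


def candidate_imeis(tac: str, start: int = 0, stop: int = 10**6):
    """Yield the Luhn-valid IMEIs for one TAC, serials start..stop-1.

    The full range is exactly 10**6 numbers: the TAC is fixed and the check
    digit is derived, so only the 6-digit serial is unknown.
    """
    if len(tac) != 8 or not tac.isdigit():
        raise ValueError("TAC must be 8 digits")
    for serial in range(start, stop):
        prefix = f"{tac}{serial:06d}"
        yield prefix + luhn_check_digit(prefix)


def hours_to_enumerate(requests_per_second: float = 14.0, candidates: int = 10**6) -> float:
    """Wall-clock hours for one thread at the request rate quoted in the text."""
    return candidates / requests_per_second / 3600.0


# Constructed stand-in for the server-side registry: IMEI -> (username, sha1(password)).
# The account, password and serial number are invented for this example.
_victim_prefix = TAC_NOTE2 + "000412"
REGISTRY = {
    _victim_prefix + luhn_check_digit(_victim_prefix): (
        "victim",
        hashlib.sha1(b"correct horse").hexdigest(),
    ),
}


def lookup_constructed(imei: str):
    """Stand-in for the verification HTTP request: record if registered, else None."""
    return REGISTRY.get(imei)


def enumerate_registry(tac: str, lookup=lookup_constructed, start: int = 0, stop: int = 10**6):
    """Brute-force one TAC's serial range, returning [(imei, record), ...] hits."""
    hits = []
    for imei in candidate_imeis(tac, start, stop):
        record = lookup(imei)
        if record is not None:
            hits.append((imei, record))
    return hits


if __name__ == "__main__":
    t0 = time.time()
    found = enumerate_registry(TAC_NOTE2, stop=10_000)  # first 10k serials only
    print(f"{len(found)} hit(s) in {time.time() - t0:.2f}s: {found}")
    print(f"full TAC at 14 req/s: {hours_to_enumerate():.1f} hours single-threaded")
```

Generating the million candidates is the cheap part; `hours_to_enumerate` is where the cost actually sits, and it scales down linearly with the number of parallel workers, which is why a rate limit or a lockout on the verification endpoint would not have been a fix on its own.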
So you now have a SHA1 password hash. You could run it through a rainbow table, but that would take a while. Besides, Cerberus has made it much easier. When you reset your password via the Android app, the app sends a request containing only your device ID (the IMEI) and the new password; no username or old password is required to prove who you are. Once you have changed the password for the account associated with that device you can log in via the Cerberus web dashboard and control the phone as if it were your own. Again, the author successfully tried this out on two of his own Android phones with trial accounts.
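To show why the IMEI-as-session design fails and what a fix has to change, here is an added model (constructed for this page; not Cerberus's real API and not the vendor's actual server-side fix) with the flawed flow described above beside a hardened one: a random per-login token instead of the IMEI, no credential hash in the lookup response, and a password reset that requires the old password over an authenticated session. The usernames, passwords and IMEI are made up.

```python
"""Flawed vs. hardened device authentication (added model, constructed data)."""
import hashlib
import secrets


def _sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


class VulnerableService:
    """Mirrors the flow described in the text: the 'session id' is the IMEI,
    the lookup leaks the credential hash, and a reset needs only the IMEI."""

    def __init__(self):
        self.accounts = {}  # username -> sha1(password), unsalted
        self.devices = {}   # imei -> username

    def register(self, username, password, imei):
        self.accounts[username] = _sha1(password)
        self.devices[imei] = username

    def login(self, username, password):
        if self.accounts.get(username) != _sha1(password):
            return None
        # The "session id" handed back is simply the registered IMEI.
        return next((i for i, u in self.devices.items() if u == username), None)

    def verify(self, device_id):
        # Anyone who guesses a registered IMEI learns the username and hash.
        user = self.devices.get(device_id)
        return None if user is None else {"username": user, "password_sha1": self.accounts[user]}

    def reset_password(self, device_id, new_password, old_password=None):
        # old_password is accepted but ignored: possession of the IMEI is enough.
        user = self.devices.get(device_id)
        if user is None:
            return False
        self.accounts[user] = _sha1(new_password)
        return True


class HardenedService:
    """Same endpoints, but the device id is identity only, never authority."""

    def __init__(self):
        self.accounts = {}  # username -> (salt, pbkdf2 digest)
        self.devices = {}   # imei -> username
        self.sessions = {}  # random token -> username

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = (salt, self._digest(password, salt))

    def _check(self, username, password):
        rec = self.accounts.get(username)
        return rec is not None and secrets.compare_digest(rec[1], self._digest(password, rec[0]))

    def register(self, username, password, imei):
        self._store(username, password)
        self.devices[imei] = username

    def login(self, username, password):
        if not self._check(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, not derivable from the phone
        self.sessions[token] = username
        return token

    def verify(self, token):
        # Only a live session resolves to an identity, and no hash is ever returned.
        user = self.sessions.get(token)
        return None if user is None else {"username": user}

    def reset_password(self, token, new_password, old_password=None):
        user = self.sessions.get(token)
        if user is None or old_password is None or not self._check(user, old_password):
            return False
        self._store(user, new_password)
        # Invalidate every session for the account once its password changes.
        self.sessions = {t: u for t, u in self.sessions.items() if u != user}
        return True


def takeover(service, imei, new_password="pwned"):
    """What an attacker holding only a guessed IMEI can achieve: True on success."""
    leak = service.verify(imei)
    if leak is None:
        return False
    if not service.reset_password(imei, new_password):
        return False
    return service.login(leak["username"], new_password) is not None


if __name__ == "__main__":
    imei = "353627050004129"  # constructed IMEI
    for cls in (VulnerableService, HardenedService):
        svc = cls()
        svc.register("owner", "hunter2", imei)
        print(f"{cls.__name__}: attacker takeover = {takeover(svc, imei)}")
```

The point of the hardened class is that the IMEI still exists in the data model (it is how the server knows which phone to send commands to) but it is never accepted as proof of anything: the only bearer credential is a 256-bit token minted at login, and changing the password requires the old one over that session.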
The Fix:
Shortly after being notified of the issue, the application's developer promptly fixed it server-side, and stated that a new version of the app (version 2.4) will also contain the fix.
Make sure you are running the most up-to-date (patched) version as well.