44CON 2014 - Researching Android Device Security with the Help of a Droid Army, Joshua J. Drake
In the last few years, Android has become the world’s leading smart phone operating system. Unfortunately, the diversity and sheer number of devices in the ecosystem represent a significant challenge to security researchers. Primarily, auditing and exploit development efforts are less effective when focusing on a single device because each device is like a snowflake: unique.
This presentation centers around the speaker’s approach to dealing with the Android diversity problem, which is often called “fragmentation”. To deal with the issue, Joshua created a heterogeneous cluster of Android devices. By examining and testing against multiple devices, you can discover similarities and differences between devices or families of devices. Such a cluster also enables quickly testing research findings or extracting specific information from each device.
Introduction – about me and why I did this work
Building a Droid Army – about the hardware design, acquisition, costing, etc
Doing your Bidding – the tools, maintenance tasks, required software, conducting security research/testing, with examples
Conclusion – key take-aways
Q & A
The initial design was pretty simple
I got a big ass hub, and set out to get some devices…
I didn’t know what I was doing at first.
This slide is the culmination of over a year of trying to buy Android devices cheap.
NOTE: Damaged phones must have working LCD, digitizer, and USB
Acquiring Android devices will be, by far, the biggest expense.
I want to take a quick second to thank these people.
If you’re in the room, stand up and take a bow.
We owe you a round of applause for your help during this research.
I started out fairly modest using a couple of my own old devices.
On top of those, I got a few other devices donated to the cause.
Also pictured is the Manhattan Mondo Hub
It’s a 28 port hub, but has some issues that we’ll get to in a bit.
For one, plugging it in and running “lsusb” showed that internally it was just several hubs cascaded.
In October, I started getting serious. I organized things to make room for plans to buy some more devices from eBay.
I also bought a ton of USB cables from Monoprice (YAY MONOPRICE!)
A couple of development boards were added to the collection (Origen Quad and Pandaboard)
This picture shows what I call the 1.0 version.
I really started to see the benefits of having a wide range of devices accessible.
At this point all of the ports on the MondoHub were full.
I even added another small hub to feed more devices.
One of the “Android TV” devices gave up randomly, apparently its flash memory failed.
OH NO! The MondoHUB died!!
I always had a feeling this was going to happen.
I frequently had issues with devices falling off. I’d have to go physically replug them, etc.
It turns out the 4A power supply isn’t really enough to cover 28 x 0.5A (LOL?)
Maybe that explains the black mk802 rolling over too, heh.
In any case, I cobbled some stuff together to get back up and running…
Unfortunately, this setup reduced the max devices from 35 to 19 :-/
I had to take around a dozen devices offline.
To make matters worse, devices acquired in the interim couldn’t be used.
The new hubs seemed much better overall, so I started working on a version 3.0 design to address previous issues…
This issue was something I was noodling on since August.
When I added the small hub, I realized I needed to think of a more long term solution as I acquired more devices.
I sought out to determine what the real/practical limits of USB were.
After some crowd sourcing and reading, I found out the limits and put together a plan.
This is what I came up with as an optimal solution.
It reaches the max of 127 devices with 19 hubs and lets me use 108 (!!) USB devices!
Time to order parts again!!
I don’t have 108 devices, so I didn’t go for the full build.
I just wanted to get my 42 devices online, so I ordered enough for that.
Total cost for this order was around $400.00
NOTE: A 6ft cable can really help if you want to work closely with a device.
This is so you can sit at your desk and not have to unplug it from its normal spot.
Once the devices arrived, I went with the design shown here.
However, I quickly ran into another problem!
As you can see, I could only use 3 of 6 outlets on the strip :-/
In December 2013, I did some research looking for a solution to this issue
Ultimately, I found out that Bitcoin miners had run into this issue as well.
Their solution was to use an ATX power supply with custom cables.
Basically they just put barrel connectors onto the 5V wires coming off the power supply.
I had an old 350w power supply lying around.
I confirmed it could supply up to 35A on the 5V rail, and went for it.
The most tedious part was crimping the molex pins. Still, it only took about 2 hours.
This would probably be easier if you have the crimping tool instead of using needle nose pliers + solder like I did, heh.
This is one of the cables after assembly.
Next I went ahead and plugged in my ATX power supply and wired everything up.
Here’s the power setup wired up.
To turn the power supply on, you have to short PS_ON to ground on the motherboard connector.
This simulates a power switch. Of course you could wire in and use a legit switch instead.
If you don’t want to build this yourself, the bitcoin forum OP was selling cables. Not sure if he still is.
Certainly not the only solution, just the one I’m currently using.
Duplicate devices can be used to run different firmware versions
More host adapters partially solve the USB dilemma, but this isn’t tested and has limited utility. Requires host machine disassembly.
Will run out of PCI-X slots pretty quickly.
Exposing connected devices to Ethernet using a small pass-through box should solve it entirely.
Not done yet, planned for future.
After everything was wired, I started wiring up the devices and setting them out on the table.
I took this picture just after making sure everything was live and working.
And here’s what this droid army looks like today.
The tools are ruby scripts that wrap adb, so only two requirements: Ruby and ADB
Although simple, these tools are quite powerful
The minor patch is for convenience only.
It changes the home directory and terminal size when connecting to an ADB shell
Just push to /data/local/tmp, don’t “install”
Keeps devices clean!
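As an added example (not the speaker’s own scripts), here is a minimal Ruby wrapper over adb in the spirit of the tools described above: it parses `adb devices -l`, sweeps every usable device for a few build properties so devices can be compared across the cluster, and pushes a native tool to /data/local/tmp instead of installing it. The property list is an assumed selection and the sample listing is constructed; if adb is not on PATH the script only parses the sample.

```ruby
require 'open3'
# Constructed sample of `adb devices -l` output (not captured from the talk's cluster).
SAMPLE_DEVICES = <<~OUT
  List of devices attached
  0123456789ABCDEF       device usb:1-1.4 product:hammerhead model:Nexus_5 device:hammerhead
  emulator-5554          offline
  FA34FW901234           unauthorized usb:1-2.3
OUT
# Build properties worth comparing across a heterogeneous cluster (assumed selection).
PROPS = %w[ro.product.model ro.build.version.release ro.build.version.sdk ro.build.fingerprint].freeze
TMP = '/data/local/tmp' # push tools here instead of installing APKs, so devices stay clean
# Parse `adb devices -l` into one hash per device: serial, state, and any key:value attributes.
def parse_devices(text)
  text.lines.drop(1).map(&:strip).reject(&:empty?).map do |line|
    serial, state, *attrs = line.split(/\s+/)
    { serial: serial, state: state, attrs: attrs.map { |a| a.split(':', 2) }.to_h }
  end
end
# Only state 'device' can run commands; 'offline' is what a flaky or underpowered hub port looks like.
def usable(devices)
  devices.select { |d| d[:state] == 'device' }
end
# Run one adb command against a specific serial; nil on failure so one bad device does not stop the sweep.
def adb(serial, *args)
  out, status = Open3.capture2('adb', '-s', serial, *args)
  status.success? ? out.strip : nil
rescue Errno::ENOENT
  nil
end
# Collect the comparison properties from one device.
def survey(serial)
  PROPS.each_with_object({}) { |p, h| h[p] = adb(serial, 'shell', 'getprop', p) }
end
# Push a native tool to /data/local/tmp and run it there, without `adb install`.
def push_and_run(serial, local_path, *tool_args)
  remote = "#{TMP}/#{File.basename(local_path)}"
  return nil unless adb(serial, 'push', local_path, remote)
  adb(serial, 'shell', 'chmod', '755', remote) && adb(serial, 'shell', remote, *tool_args)
end

if ENV['PATH'].split(File::PATH_SEPARATOR).any? { |d| File.executable?(File.join(d, 'adb')) }
  listing, _status = Open3.capture2('adb', 'devices', '-l')
  usable(parse_devices(listing)).each { |d| puts "#{d[:serial]}: #{survey(d[:serial])}" }
else
  puts 'adb not on PATH; showing the constructed sample only'
  usable(parse_devices(SAMPLE_DEVICES)).each { |d| puts d }
end
```

Diffing the `survey` hashes across serials is the quickest way to spot which devices share a build and which are the snowflakes.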
Key take-aways from this presentation.
Biggest cost is the devices themselves ($0 - $800 ea)