Category Archives: Android

Secure Messenger Scorecard (May 2017)

This is a draft.

I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.

I’ve created an editable Google Doc for further input and development.

Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.

version one

version two

version three

Hardware hacking the LG L15G Sunrise

sunrise_complete_2

The Tracfone LG L15G recently dropped to $10 at Walmart, so I picked one up. As expected, the hardware is incredibly simple and accessible.

During my (very easy) work on this, I kept thinking: Why would anyone spend $700 on a “secure phone” (Silent Circle) when I can spend $10 on this one and take the microphone and camera out? It really depends on which security feature we’re looking at, and in this case, with the LG, it’s hardware security. At the very least, Silent Circle should make it very easy to physically remove specific, high-risk sensors. This LG still has Rotation Vector and Accelerometer senors, and I don’t know where those are located. Even still, compared to my Nexus 6, this is an extremely simple device to “secure”.

Ars Technica reviewed the LG Sunrise. While they are quite right about how “cheap” it is, I got the feeling like they have no appreciation for easy to hack devices, especially ones as powerful as Android.

A review of the $10 Walmart phone—better than nothing, but not by much

Reasons to keep a $10 Android around:

The end result, achievable within 5 minutes of work, resulted in the removal of the microphone, the front-facing sensors, the rear camera, and the rear speaker. I could have taken out the primary earphone too.

Processor and Sensors

via “CPU-Z”

CPU: Qualcomm Snapdragon 400
Model: MSM8926
Cores: 2
Architecture: 2x ARM Cortex-A7 @ 1.19 GHz
Revision: r0p3
Process: 28 nm
Clock Speed: 300 MHz – 1.19 GHz
CPU Load: (CPU 1 idles at 300 MHz with the second turned off. Idle load was 10-20%)
GPU Vendor: Qualcomm
GPU Rendered: Adreno 305 @ 400 MHz
GPU Clock Speed: 300 MHz
GPU Load: (Idles at 0%)
Scaling Governor: on demand

Model: LGL15G (y25_trf_us)
Manufacturer: LGE
Brand: lge
Board: y25
Screen Size: 3.46 inches
Screen Resolution: 320 x 480 pixels
Screen Density: 166 dpi
Total RAM: 420 MB
Available RAM: (Idle, 150 MG (35%)
Internal Storage: 1.80 GB
Available Storage: 1.49 GB (82%)

Android Verson: 4.4.2
API Level: 19
Bootloader: unknown
Build ID: KOT49I.LGL15G10f
Java VM: Dalvik 1.6.0
OpenGL ES: 3.0
Kernel Architecture: armv7I
Kernel Version: 3.4.0+(LGL15G10f.1419269528)
Root Access: (I rooted this test device just to see if I could, but I don’t recommend it)

LGE Accelerometer Sensor
LGE Rotation Vector Sensor

The hack

The only tool that I needed to open up the phone and do most of the work was a simple crosshead screwdriver.

sunrise_screwdriver_2

sunrise_screws_2

The disassembly was trivial as I didn’t need any tools (after the screws were removed).

sunrise_fourpart_2

To disconnect the system board from the back of the LCD screen, just disconnect the top right (earphone) and bottom left (home buttons) cables.

sunrise_homebuttons1_2

sunrise_earphone1_2

The rear camera simply disconnects. The front-facing sensors needed a moderate “push” (with the screwdriver) to disconnect.

sunrise_camoff_2

The microphone needed a moderate “pull” (with the pliers) to disconnect.

sunrise_micon_2

sunrise_micoff_2

As the Ars Technica review mentions, the hardware is very simple. The system board demonstrates that.

sunrise_boardfront_2

The rear speaker was easy to disconnect simply by removing the connecting wires. I didn’t have a good reason to remove this speaker. In my defense, I didn’t actually know (or test) if there was another microphone here. Plus, the vibrator is still attached.

sunrise_backspeaker_2

After all this, the phone booted up without issue. Buy a headset and make end-to-end encrypted calls with Signal, with or without using cell service.

sunrise_reinserted_2

sunrise_backwithout_2

StageFright

Android 4.4.2 is pretty bad. Using Signal would help defend against Stagefright.

CVE-2015-1538
CVE-2015-3829
CVE-2015-3828 (not vulnerable)
CVE-2015-3864
CVE-2015-3827
CVE-2015-3876 (not vulnerable)
CVE-2015-6602
CVE-2015-3824
CVE-2015-6575

Apps I was able to disable

Browser
Calendar
Chrome
Cloud Print
com.android.providers.partner
com.lge.sui.widget
ConfigUpdater
Drive
Favorite contacts Widget
Google Backup Transport
Google Calendar Sync
Google Contacts Sync
Google One Time Init
Google Partner Setup
Google Play Books
Google Play Games
Google Play Movies & TV
Google Play Music
Google Play Newsstand
Google Search
Google Text-to-speech Engine
Google+
Hangouts
LG VoiceCommand Speech Pack
Maps
Market Feedback Agent
Mobile Device Management
Multitasking Framework
Music
My Account Downloader
Polaris Office
Setup Wizard
Stret View
TalkBack
Tasks
Voice Command
WAP Service
YouTube

Create an anonymous document drop with any Android

Honestly I have no idea why I didn’t think about this before. I’m sorry it’s taken so long. This guide will show you how to use any Android to host a Tor hidden service and send it files from anywhere in the world with SSH or SCP. I tested this with a Nexus 6 (shamu) running Android 6 but I will test this on Android 4.4.4 soon. Root is not needed, you could perform these steps on any Android. Play around with this. I do not currently have a lot of confidence (stability) in an Android (Wifi), SSHelper (app), Orbot (app), and Tor (circuit) hidden-service combination. But I’ll try this out on an extra Android and see if I can still access it after a week or so and update the post.

Much wow.

There are several amazing things about this setup:

1. Easy. It’s so easy, omg. Even securing the Android is super easy with this narrow of use case.

2. Cheap. Like, as little as $10 cheap, or, “can I have your old Android for free, please” cheap.

3. You could drop a burner Android, using any Wifi you can connect to, in so many places. And if you don’t have a wall outlet where it could sit and charge forever, you could have several days or weeks worth of uptime before it dies.

Guide

0. Buy a cheap Android in person with cash, you may prefer one with an SD card slot for additional storage. Go to a coffee shop you’ve never been that has free Wifi. Turn on your Android and connect to the public Wifi. Create a new Google account with an unattributable username and password. Put the phone into airplane mode then reactivate the Wifi. Disable any apps and services not needed (dependent on the device) then install any Android OS or app updates that are necessary. Ensure the Android’s storage is encrypted, and ensure that devices access requires a long passphrase for boot and for device entry.

Note on “buy any Android” — some burners that I’ve purchased before, like a $30 one from Verizon, forces you to activate the device as soon as you turn it on, making it extremely difficult to control any aspect of Android until phoning home to Verizon and activating with a phone number. If you want to be sure you don’t have to deal with carrier crap, spend a little more and go with an unlocked Moto E for $120. The 1st Gen and 2nd Gen Moto E’s conveniently support a 32GB microSD.

1. Download “Orbot: Proxy with Tor” (by: The Tor Project) from the Play Store. Open “Orbot”. Go into settings and scroll down to “Hidden Service Hosting” and enable “Hidden Service Hosting”. Tap “Hidden Service Ports” and enter “2222”. Back out of settings and long-press the power button to connect to the Tor network. Go back into settings then scroll down and tap “.Onion Hostname” to view your hidden service address. Document that address on your laptop with Tails or Torified SSH ready to go.

2. Download “SSHelper” (by: Paul Lutus) from the Play Store. Open the “SSHelper” app. That’s it. The default user is “admin”, default password is “admin”. The default ssh, scp, and rsync directory is your normal user’s home directory, which is one below the virtualized (or real) “SDCard”. I was able to connect with an ECDSA key pair.

3. Download “NetGuard – no-root firewall” (by: Marcel Bokhorst) from the Play Store. Open “NetGuard”. In the top right corner are three vertically aligned dots. Tap that button to enter into the Settings menu. Activate “Block Wi-Fi by default”, “Block mobile by default”, and “Manage system applications”. Click back to save the settings changes. Now scroll down and find “Orbot” and tap the orange Wifi icon (it will turn from a striked-out orange icon to a green icon) which will allow it to access the network over Wifi only. Scroll down a little bit more to “SSHelper” and tap the orange Wifi icon to give it Wifi access too. Now at the very top, to the right of “NetGuard”, tap the switch icon to activate your firewall rules. Accept (OK) the two prompts that follow.

Your Android is now ready to go.

4. From your Linux or OS X command line interlace (CLI), you should now be able to send it any files. It only took 22 seconds for me to transfer an 8 MB PDF:

scp -P 2222 bulletproof-ssl-and-tls.pdf admin@c3dznupj493fgtd5j.onion:.

Torify SSH (Ubuntu) for connecting to hidden service addresses

Install tor and openssh-client. Then:

sudo vim /etc/ssh/ssh_config

Add (under “Host *”)

proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

Then:

sudo service ssh restart

Simple Android adb & fastboot management for Ubuntu

Desktop OS: Ubuntu 14.04, 15.04, 15.10, or Tails Linux
Device: Nexus (tested on 6 (shamu) and 9 (flounder))
Mobile OS: Android 5.1.1 > 6.0.1

Requires phone to be unlocked and USB debugging enabled in Developer options.


sudo apt-get update
sudo apt-get install android-tools-adb android-tools-fastboot

sudo su
adb devices
adb reboot bootloader

fastboot erase system
fastboot erase all

fastboot flash bootloader bootloader.img
fastboot reboot-bootloader
fastboot flash radio radio.img
fastboot reboot-bootloader
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot erase cache
fastboot flash cache cache.img
fastboot reboot-bootloader
fastboot oem lock
fastboot reboot

1 http://forum.xda-developers.com/nexus-6/general/guide-flash-factory-images-nexus-6shamu-t2954008

2 https://developers.google.com/android/nexus/images?hl=en

Using Google Fi for a relatively private phone service

Created 2015-Aug-24
Updated 2016-Apr-19

In this post I’ll discuss ways to leverage the new Google Fi service in ways that are possibly more secure or more private when juxtaposed to regular AT&T, Verizon, Sprint, or T-Mobile phone service. Good planning and good practices can help people who are sensitive to physical location data sharing avert certain kinds of passive surveillance and in turn may prevent future active surveillance. While this information may be useful, it is not intended to solve your specific needs. You are ultimately responsible for understanding why you are performing these actions and non-actions.

Regarding SS7 attacks, the common way for such attacks to work requires that an attacker know your real cell phone number. Google Voice numbers are not vulnerable to these attacks. The same could be said for a landline phone number or any VoiP number like Skype.

Regular, long-term cell service wrongs:

  1. Requires government issued ID, which basically means connecting your government issued identity to a SIM card and other hardware identifiers.
  2. Requests (and at times requires) a Social Security Number, which also, basically, means connecting your government ID to hardware IDs.
  3. Requests the availability of voicemail, a service that is remotely accessible and is unlockable by a simple 4-digit pin code.
  4. Does not support two-factor authentication for access to sensitive account information.
  • Google Fi does not ask for identification, period. It is also possible to use prepaid credit/debit cards. As of April 2016, the Google/LG Nexus 5X is the cheapest phone, and you can buy it online or from a local retailer. Related notes: AT&T locks the SIM, so you can’t use an AT&T Google Nexus until AT&T (or a third party service) gives you a SIM unlock code. T-Mobile does not lock the SIM.
  • Voicemail is also an option with Fi. Fi support has stated that “Once you have set up your voicemail with Project Fi, it is impossible to turn off your voicemail,” and, “It will not be turned on until you activate it.” However, I presume that once Fi voicemail is activated, it is remotely accessible like regular voicemail service. If you perform the below steps, you will have no use for Fi Network voicemail, so don’t activate it.

Steps

The following configuration utilizes Google’s Hangout Dialer app that you will install and leverage on your Google Fi Nexus. The Hangouts Dialer will be able to make and receive all calls and texts using a Google Voice phone number. Two Google accounts are needed.

If your personal Google account has Google Voice presently, you will be forced to either give up that number or make it your Google Fi phone number. Either way, you will lose Google Voice functionality completely and is why a second Google account is needed.

  1. Register for Google Fi service using Google account #1 including ordering a new Nexus 6, 5X, or 6P.
  2. Do not share your Fi Network phone number. With anyone. Not your friends, family, or any services. Period.
  3. With Google account #2, register a Google Voice phone number.
  4. Download Google’s Hangouts Dialer. Google account #1 will automatically log in. Log in with Google account #2 (the Google Voice account). Then sign out from Google account #1 — only sign out in the Hangouts Dialer app, not from the Nexus completely.
  5. Configure Hangouts Dialer as follows: Settings > Enable merged conversations (yes), > account2@gmail.com > Incoming phone calls (yes), Messages (yes), > Customize invites > People who have your phone number (can contact you directly).
  6. Give out your Google Voice number to friends, family, and services. Calls and plain SMS will come through in the Hangouts Dialer app.
  7. Always make calls with the Hangouts Dialer app so the receiver’s caller ID shows your Google Voice number. It is best to remove the regular phone dialer app from the Android system tray and replace it with Hangouts Dialer.
  8. Added security

    1. Employ Google Authenticator two-factor authentication (2FA) for both accounts as soon as possible for better security. Avoid SMS 2FA because of the inherent vulnerabilities.
    2. Download Signal onto the Nexus and register your Google Voice phone number in Signal. While Signal will open up showing the real Google Fi phone number, delete it and enter the Google Voice number. The SMS verification will fail, so wait for the 2 minute countdown to expire then click “call me” for automated voice verification.
    3. Through the Google Voice web interface, optionally create a voicemail greeting that requests people to install and call back with Signal. Enabling “do not disturb” will enhance this goal because then nobody can call you and can only leave voicemails.
    4. If you haven’t already, talk to your friends and family about our need for privacy and security and inform them about Signal.

    Added anonymity

    The following are added steps in case you wish to also have probable anonymity to the service providers, in this case, Google, Sprint, and T-Mobile:

    1. If anonymity from the cellular provider is your goal, you’ll need to use cash to buy a Nexus 6, 5X, or 6P from a local retail location with cash and a prepaid debit card for monthly service. If you go this route, you will still need to order a Fi Sim Kit from Google with Google account #1 and have it shipped to you. If anonymity is your goal, consider renting an AirBnB or a hotel room using a pre-paid debit card and alias during the window of delivery.
    2. During registration for Google Fi service, account registration will require a “service address”. Use the above mentioned AirBnB address or be creative. You can always change the service address at a later date. All billing is electronic.
    3. You can consider not using your Nexus phone in any anchor points, including home or work. To do this, you would need to keep the device turned off at all times except when out and about. This makes it harder for service providers to identify you, but keep in mind that Google, Sprint, and T-Mobile can see network metadata and they can always record your voice when not using Signal. It’s still a tracking device with a microphone and camera!
    4. Consider removing the microphone and camera.

    Creating Google accounts

    Use an Android to create one or more Google accounts (Settings > Accounts > Add account > Google). Creating new Google accounts this way does not require the creator to enter in an existing email or phone number. Creating new Google accounts while using Tor will result in an account auto-lock. However, once an account is setup with two-factor authentication, you can log in via Tor Browser or Tails elsewhere. If you are trying to stay anonymous to Google, you’ll have to use a new Android (device IDs never before used by your real identity) and turn it on at a location far from any of your anchor points. Keep in mind that Google will know where your Fi device is when using the Fi network, but depending on your preparation/operational security, will not know the identity of the user.

    In retrospect

    Google, in addition to sporadic use of Sprint and T-Mobile network infrastructure, will be the only ones who know the identity (phone number and hardware IDs) of the subscriber. But you have much better control over defining the data and information that is linkable to this service.

    1. Adversaries can’t “ping” your cell phone if they can’t determine what your phone number is. However, if they run around your house with an IMSI catcher, it will not be hard for them to determine what number you’re using for service. It’s good practice to activate airplane mode when you enter into your home neighborhood, especially if your friends and family predominantly use Open Whisper Systems apps (Signal).
    2. Remote adversaries can’t track your physical location via possible SS7 vulnerabilities if they don’t know your real phone number.
    3. Network adversaries (telecommunication corporations or federal/local governments) can still inject or monitor your activity to “better service you” (sell your data to advertising networks), but unless they can connect that activity to a known identifier, you, personally aren’t vulnerable to said forms of surveillance.
    4. Network adversaries may employ voice recording and recognition technologies. The employment of said technology will only increase since it is a biomarker that financial institutions have started using for account verification purposes. If network adversaries are using this technology, there is no way to hide a real phone number or hardware device IDs from them unless you step up your paranoia and use a voice changer. Using Signal (end-to-end encryption) will mitigate only the voice print vulnerability. You will always divulge your hardware device IDs to a cellular network when using cell service.
    5. Endpoint adversaries (medical offices, food services, financial services, friends with or without Signal, etc) may also employ voice recording and recognition technologies. If you make calls using your Voice number (caller ID) to endpoint services, doing so will make it hard or impossible for a third party to link your personal ID to hardware ID.