Take note: if I ever proposition you with some free mobile juice via a portable charger, don’t accept.
Over the last month, I’ve created chargers that try to brute force open Android phones by guessing the passcode. Then, with a handy bluetooth chip hidden inside, they let me control the compromised phone’s keyboard from my own Android.
The Budget model
My malevolent machinations were, almost entirely, a rip off of ideas of Seunghun Han, a security researcher who showed off his own so-called ‘PowerShock’ device at the Hack In The Box conference in Amsterdam earlier this year. He’s now open sourced the software required to create a rogue charger on Github (the software can also be used to hack into non-Android machines via so-called “BadUSB” attacks). He also provided me with a guide and plenty of assistance on how to emulate his PowerShock.
His ‘Iron-HID’ programs include a brute forcing tool, which simply guesses passwords going through all the combinations possible in a four-digit passcode, from 0000 to 9999, as well as firmware and an Android application that, when combined with a bluetooth module, allow a user to effectively take control of the keyboard on any device plugged into the charger.
How to put them together with finesse isn’t so simple, however, especially when you have limited hardware hacking skills. So, due to self-imposed budgetary constraints (i.e. spend and do as close to zero as possible) I first decided to create a Budget version of PowerShock that anyone could build. Downloading and running the software was the easy bit. A Teensy board (essentially a little computer) bought off Amazon for $25 can be quickly programmed, especially from a Macbook thanks to software that makes the “technical” process a point-and-click adventure. It took just a couple of minutes to get the Iron-HID brute forcing tool ready and primed.
I then found a never-before-used mobile charger still in its packaging and surrounded by other neglected knick-knacks. Using a kitchen knife, I prized the thing open and ripped out the flat battery that was awkwardly glued into the device. As the Teensy had the same mini-USB connector out as the charger, I could simply glue the thing in. For added authenticity, I ripped off the other USB connector and stuck that in too. Put the case back on and voila: for less than $20, there was a pocket brute forcer ready to roll, almost no skill required.
Fire, fire, charger’s burning!
My Budget model would only do the brute forcing, however, and wouldn’t charge anything. Not wholly convincing for my would-be victims.
For the Grande model, I’d need the thing to actually charge. So with a serious dearth in soldering expertise and an acute fear of burning my hands off, I asked Andrew Tierney from U.K. security consultancy Pentest Partners to help put together a more substantial device. Another Amazon purchase later – this time a Xiaomi charger with Lithium-ion batteries – and Tierney had soon prized open the device with a utility knife, following Seunghun’s guide to soldering and glueing the Teensy board and the USB together.
The potential for an early cataclysmic end to the little project soon became apparent, though. After Tierney had snipped out one of the Xiaomi’s three batteries and soldered the pieces together, the area around the top of the two remaining batteries started heating up fast. Tierney asked me to sniff, the result a smell that’s difficult to describe with any normal analogy; imagine breathing in the effluence from the Terminator’s dissolving body from that pit of molten steel and you’re some way to understanding the pong. We swiftly took apart the connections and put the gently-smoking battery outside to cool down.
Why such precautions? If you’ve never seen what happens when lithium-ion batteries overheat or are in some way disturbed by external forces, here’s a clip that will put you off messing with them for good:
Two more abortive attempts to safely connect the parts and a couple of trips to the garden later, we had a working charger that continued to give connected phones juice and would attempt to unlock them. It had the potential, however, to overheat again. Not exactly street-safe, but a working prototype nonetheless.
A few days later, I returned to Tierney’s workplace, having left him to create the Premium product (outsourcing, it’s the future!) with a Ravpower charger costing around $30. He’d done a stellar job without your reporter watching over him. In less than 72 hours, he’d created a bespoke cable (as described by Seunghun in his slides) and a safe, working machine. It contained a bluetooth module, purchasable for around $25, glued to the other side of the Teensy. Together, they would give me complete control over the connected phone’s keyboard via the Iron-HID Commander app for Android. Check it out in the video below, showing a Blackphone 2 taking control of a Moto G’s browsing:
Seunghun, meanwhile, had gone one step further, soldering in a second Teensy. His own PowerShock could both brute force devices and take over keyboards without any re-programming in between, whereas my now-Budget looking Premium model could only do one at a time. He also managed to take advantage of Google’s “hidden codes” in Android that allow certain functions, such as system reset and file deletion. Here’s his more impressive effort in action:
My PowerShocks could have been far more devilish than they were. Smarter hackers wouldn’t use brute force attacks. They’d load silent exploits of vulnerabilities deep in Android to break Google’s passcode protections rather than noisy attacks like mine, which give away clues that they’re doing something nasty. Why? Brute forcing is now prohibitively slow for hackers. Back when Google launched Android KitKat, it forced a 30-second delay after five guesses of a password. This makes brute-forcing any device an infeasibly long process where passcodes are more complex than 0001. Though it’s startling to think 20 per cent of Android phones in use are on pre-KitKat; that’s roughly 280 million devices, according to Google’s own figures…
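To show why the KitKat lockout makes the sequential 0000-to-9999 guesser impractical, here is an added cost model (not code from the article, Seunghun Han or Iron-HID) that simulates the policy as the article states it: a 30-second freeze after every five wrong guesses. The one-second-per-guess figure is an assumption, not a measured value.

```python
import itertools

# Policy as described in the article for Android KitKat and later:
# after every five wrong guesses the lock screen refuses input for 30 seconds.
# Pre-KitKat devices impose no such delay.
GUESSES_PER_WINDOW = 5
LOCKOUT_SECONDS = 30
SECONDS_PER_GUESS = 1  # assumed time for a HID device to type one PIN and observe the result


def lockout_delay(failed_attempts: int) -> int:
    """Extra delay imposed after `failed_attempts` consecutive failures under the lockout policy."""
    if failed_attempts > 0 and failed_attempts % GUESSES_PER_WINDOW == 0:
        return LOCKOUT_SECONDS
    return 0


def time_to_reach_pin(pin: str, lockout_enabled: bool, digits: int = 4) -> tuple[int, int]:
    """Simulate a guesser walking 0000..9999 in order; return (attempts, seconds) until `pin`."""
    elapsed = 0
    attempts = 0
    for candidate in itertools.product("0123456789", repeat=digits):
        attempts += 1
        elapsed += SECONDS_PER_GUESS
        if "".join(candidate) == pin:
            return attempts, elapsed
        if lockout_enabled:
            elapsed += lockout_delay(attempts)
    raise ValueError("pin not in search space")


def worst_case_hours(lockout_enabled: bool, digits: int = 4) -> float:
    """Hours needed to exhaust the whole space (last PIN is the worst case for a sequential guesser)."""
    _, seconds = time_to_reach_pin("9" * digits, lockout_enabled, digits)
    return seconds / 3600


if __name__ == "__main__":
    for enabled in (False, True):
        label = "KitKat lockout" if enabled else "pre-KitKat (no lockout)"
        print(f"{label}: {worst_case_hours(enabled):.1f} hours to exhaust all 4-digit PINs")
```

The pre-KitKat figure is dominated by typing speed, while the lockout adds roughly 16.7 hours of forced waiting on top of it, which is why the article calls the attack impractical for anything beyond a trivially low PIN.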
Second, the level of control granted by the Bluetooth connection is limited with the firmware as it is. Currently it only acts as a keyboard. In theory, this could be used to direct the victim to a website serving malware for permanent remote infection. This is not simple, of course, and requires more skill from the hacker. But the firmware could easily be updated to automatically forward emails, photos or other data on to the hacker, both Seunghun and Tierney told me. And, again, it could load further exploits for quiet, prolonged infiltration.
Users should therefore take two lessons from this experiment: if possible, get a newer version of Android if you’re on pre-KitKat, and don’t use chargers from people you don’t know. They may have more malicious designs than first appears. If for under $50 and with minimum effort someone like me can create an evil charger, everyone would do well to consider such precautions.
This isn’t just a theoretical problem. Such is the concern around innocent devices being turned evil that the FBI put out an official warning in May about mobile chargers that can record keystrokes of nearby wireless keyboards. On this occasion, it’s worth taking the Feds’ advice seriously.