
So thank you very much for coming. My name is Jack Rudy Jones, I'm from the University of South Wales [inaudible]. So what my presentation is about is how we can actually make a little phone, this one is £29.99 from Asda, do some interesting and weird and wonderful things that can be useful for red teaming and investigative journalism or various other areas, but on a sort of shoestring, so you don't need to break the bank to facilitate your red teaming engagement.

Going through the room: like I said, my name is Jack Jones, I also go by exa, I'm from the University of South Wales, doing my PhD in security operations, and I teach the arcane art that PHP is, which quite a lot of my students didn't like. And then the other guy that was supposed to be here, Matthew Evans, is a security researcher as well and he goes by Monk; some of you may know him already, and if you want to see our blogs, we write a lot.

So what is this talk about? Well, it is about this little phone and the process that we've gone through to be able to develop it, the reasons why we got to this point, what we've actually got on it, the end goal here, and the hurdles that we've had. So with me and Monk there's always a question of "can we stick Debian on a device?", and we've got pretty successful at that point; yeah, we can put Debian on almost anything other than a Cisco router, because they just don't like us. So we thought, could we actually put Debian on a phone? Well, that's been done quite a lot already. If you've seen Kali NetHunter, that's Debian-based, and they use chroot and cpio to be able to do that. The problem is, when it comes to actually doing something a bit more covert or sneaky, having NetHunter becomes quite expensive and it's quite noticeable: you need a fairly powerful device like the Nexus, which can set you back quite a bit if you're doing a red team engagement for, say, an SME.

So we thought, how do we sort of make this a bit better, how do we improve this? We came into quite a lot of hurdles at this point, and a lot of the time SELinux was one of the causes that stopped us carrying on our development, because you can't actually stop it from working: SELinux will always be on on the phone. It says permissive, but it's still running, and it'll still stop you from doing weird and wonderful things. And then one of the common forensic methods to be able to detect the phone and be able to interact with the phone in an investigation is using what's called the ADB bridge. So for anybody that's done it before, you may know the ADB bridge is just a common port where you can connect to it and it'll give you the underlying operating system, like if you connect into SSH, for example. So our aim was to be able to disable that, both permanently but also remotely, being able to re-enable it as well, and then adding further functionality and anti-forensics, because we want our device to be able to help those investigators and red teamers, but if they're caught you don't want them to be at risk in a situation where they could be compromised and it could ruin the entire red team engagement, or it could ruin a sort of investigation that they're doing. And then the other point is storage limitations: because most IoT devices and mobile phones are limited on storage, you don't want to take up a massive amount of space which could be spent on doing videos or photos or recordings. And then we also want it to be affordable. Those are pretty much all the main goals.

So we came to the ideal scenario. This is an Alcatel Pixi 4, I think, if I remember rightly, which is a full Android device: you can take pictures, you can do all the bits, it's cheap, I got it from Asda at £29.99, it's highly deniable, people have two phones these days (I mean, you could raise a flag saying why have you got this one, really, but...), and then it's easy to root. So it was a proof of concept; it makes a really good way of doing something, it's really easy to use, it's quite intuitive, and it's also running Android. So there's the ideal scenario; that's why we came to this phone as our main goal.

So our first process was: right, Debian is massive, what can we do to make it a bit smaller? So what we've done is use Tiny Core. Tiny Core comes in three or four different components which are all ranging from about 8 MB to 15 MB in size, so you immediately go away from this one gig size Debian image that you would have in Kali Linux, for example. So now we have a really small operating system which you can then hide in the actual phone's memory without causing degradation on the actual phone in the long run. And then the next part is that we use a cpio to be able to load and add this content to our phone. So in here we've got a 32 MB operating system with Python, a VPN, a network stack and a few more wonderful gadgets involved as well. And then what we can also do is say, right, we've got our small little package, what can we do to be able to just apply it? We don't want people to become a software developer just to be able to do a red team engagement or just make your phone quickly, so we built scripts so that you just buy your phone, you plug it into your laptop, you run the script, and you've got a red teaming device, or you've got some form of covert device you can use. But then we've also allowed it to have a remote operator on the back end, so if you're walking around taking pictures or using the functionality of the phone, you can have a remote operator in the background. And then with the cpio we can get all these tools and we can do some weird and wonderful compression to deal with forensic analysts. So one of the things that we found is that gzip compression makes it really interesting, to stop data carving, which is a common practice in forensic analysis and then mobile. But then, because it's also read-only, if the phone is restarted it dies: anything that was saved on the phone is then taken off. So if you've taken pictures which are saved into this operating system, if you get caught, or the phone inevitably does die, all those images have been destroyed, so if you do get caught there's no actual evidence of you doing anything wrong.

So I've talked about this little operating system, and what we've done is used what's called CyanogenMod 13. So we've modified the phone to be able to do this, rooted the device, and side-loaded it, with the fact that quite commonly a lot of people will run different operating systems like Ubuntu Touch, Lineage, which is the successor of it, and Sailfish, and it's quite common to see this. So if anybody does say "why have you got two operating systems on your phone?" or "why is your phone not using Android, or Linux?", you can say, well, I like to run two things at the same time; everyone dual-boots at some point, voilà. And so we get that level of deniability that way. And then we can actually start developing our functionality, because we've side-loaded this operating system. We can still use the Android device; we're not actually mangling any of Android so much as to make it non-usable, because we actually want people to still use the phone. So almost what we're doing is making a wrapper around Android to be able to further our cause.

So some of the functionality that we've used and developed is USB tethering. So if you're walking around a building, for example, a lot of the time people say "can I just charge my phone?", and it's quite a common question, but what is interesting is you can plug the phone in and the device will actually say it's charging, but what's actually happening is you're actually adding a new network adapter to the server or your desktop and it'll start rerouting traffic straight through the actual device, out through a 4G SIM and then to whatever VPN box you've actually got on the back end of your network. We've also got the VPN because we want all our data that's being exfiltrated to be all encrypted; we don't want people like forensic investigators to see that they're taking out three images that they took on day X. So that's our process for that. We've got a gesture reader as well: so what we actually do is we've got Python sitting in this side-loaded OS and it listens for the APIs within the Android device, so if you go across the screen, for example, it'll say oh, that's hit these points in the screen, let's take a picture, but when it does that the flash is then disabled, the screen doesn't light up or anything, so you could just go like that, you could be taking those pictures, or you could be walking around with your arms by your sides taking videos, and turn the microphone on to record, and then finally there's the photo as well.

So one of the things that we found is that when it comes to forensics quite a lot of people try and do anti-forensics and it's quite hard, and one of the main things we find is there's about three or four generic steps when it comes to anti-forensics, or a forensic investigation, sorry. And the first one: when it comes to doing an investigation, we need to first be able to get two images that we can work on, so the first image will say right, we've got all this data with a checksum or hash, and then we take the second image and then compare, so our hashes should be the same. Because our device is hidden in RAM when it's loaded, we can actually start editing parts of dead memory within the phone, so it starts to disable that part of the integrity check, so you won't ever get the same type of image, or the end goal, so when it comes to doing, say, a corporate investigation and you pick up the phone, those images will never marry, so you get that level of deniability again; this is a similar theme all the way through the phone. The second part in an investigation is then to do a live analysis, and that comes down to using things like Cellebrite or other phone tools, which always try to actually use the ADB bridge, but like I said earlier, we actually disable the ADB bridge from the outset, and because there's a remote operator we can actually disable and re-enable the ADB bridge as you want, so you can start actually attacking the forensic investigator remotely if they're not using a Faraday cage, and we can start playing with some of our tools when they're trying to connect with us, so you can actually start being quite offensive in the long run. And then finally, when it comes to the last part of an investigation, if you can't actually find anything on the device, because there might be some form of protection in the long run, and you've done your imaging and it doesn't marry up, you end up doing a destructive analysis: so you actually take the chips off the board and you try and read the memory on them. But we go for a bit more of a caveman approach, in that quite a lot of people don't actually think about taking the back slowly off, so we actually glue the back of the chips to the back of the phone, so when you actually pull the back of the phone off all the chips rip up and now you've just lost all your integrity of the device, so it's game over at that point. So it was a bit of a caveman approach; we've got a bit more of an intuitive way, a bit more interesting way, and then our caveman approach to really end it.

Yeah, so I've got a video here, hopefully. So what this is, is taking a remote picture from the phone without actually changing the device's Android. So I've SSH'd into the phone... oops, I forgot I was looking at myself. So I'm SSHing into the phone, now I'm connected to the phone. We've got five scripts: one to disable the ADB bridge, one to enable it, one to photo, and then we've got the USB Ethernet fallback to generate a remote connection. So what I'm going to do first is show that there are no images on the actual phone. So this will go into the actual operating system, the Android operating system, and will check for any pictures, and then we run the photo script, which wraps around the actual Android APIs. So now we've taken an image, we've stored it into our side-loaded operating system, so at any point it doesn't actually hit the Android device; it's now stored in our read-only file system at that point, or close to it anyway, so there's no actual end goal for the Android device to be able to store this in that actual operating system. And if at any point we just want to get rid of these images, we can either remotely take them off, if you have a remote operator, or we can actually just turn the device off, or wait till we get home to be able to either get the images or delete the images.

And then on to our anti-forensics type attacks. So this one is about the ADB bridge and how we actually generate the connection. So again I SSH into the phone, I call my scripts, and I'm going to check to see if any ADB devices are actually connected to my laptop: it says no, even though it is. So I'm going to enable it; now I can connect to the phone again, so I've got my actual standard ADB in action, so I can connect to the device with a shell, I can start interacting with the back end of the device. But if I actually just don't want this to ever happen, so someone actually tries to generate the ADB bridge connection on the phone itself by tapping the developer screen over and over again, what I can actually do is start saying right, okay, let's turn that off by just disabling the ADB, and now we've disabled ADB, so devices like Cellebrite won't be able to connect to the device anymore, so we can now start to play with the investigator in the long run.

So what have we got? We've got an extremely small operating system, where we can see that it fits into memory without actually compromising the overall Android device, so you can still use it to make calls, it still uses all the standard operating system that you would see, it doesn't look out of place when you look at it in person. The entire operating system is also hidden in the back of a file, so if you look for the actual operating system, the gzip-compressed image is sitting at the end of another file, so unless you know where to look it's quite hard to see where to begin, which is always a bit of a paradox. And then we can actually load and hide the running operating system into the memory of the device, which is quite important because we just want to hide what we've got at our core. And then we can also wrap all of our functionality using Python all the way around the Android device, so we can actually turn the microphone on, we can mess around with the gesture readers like we've just done, and there's so much more you can do.

So one of the things that became apparent is there's a lot to be done in this operating system, in that we've got things like Kali NetHunter, which is just the standard approach to doing embedded device pen testing, where you've got this device, you've got pen testing tools, you get to go, but there hasn't been a lot in terms of what other things you can do in this field. So throughout this it's been apparent that SELinux is really not your friend when you're doing development in mobile or embedded devices at any point if you're using Android. And then there are particular areas in memory within the Android device, and I'm sure there are in other operating systems as well, where you can actually hide a lot of your stuff; so what we're using in ours is the ATP reserved memory space, but Android has stopped using that, it's just there for legacy, so you can actually just hide quite a lot of things in that without ever being overwritten by something else. And then obviously the offensive development regarding embedded devices should be further improved quite a lot. So some of the future work: all the source code, the device and all the tools and everything will be on my GitHub, there is an academic paper written as well, and then any updates regarding the project itself will be on our Twitter; a lot of it will be released at the end of the week, which should be nice. And there's my lovely silhouette as well. So thank you very much.
So we've just got some time for some questions, if anybody has any.

[question inaudible] Like, I don't have a mic with me, yeah. So when it comes to doing Android, using the Android operating system to be able to do, say, using the camera and things like that, a lot of it is just done with Python connecting to the Android functionality. So the APIs that we built to wrap around Android underline and hook into the actual Android system call itself, so we can actually trigger that system call whenever we want. Yeah, so we've actually migrated into it, like, at root, and so what we're actually doing is saying right, let's just chroot into that operating system itself, not into the actual device. Nine times, right, yeah.

[question inaudible] It can be, I think. We used the latest version of Android all the time and you can update Android as much as you want, so anything, yeah, any Android as well. We did try and boot it through a cheap Chinese watch, but the watch actually started to melt, so it wasn't a good home, especially wearing it on your hand; it got really warm really quick. Yeah, you don't want to start doing Kryptonian [inaudible].

[question inaudible] So, as in, yep, okay, so in terms of recording: how can you constantly record when you've given back the device? So when it comes to Tiny Core you can build and compile whatever tools you want into it; there are quite a lot of scripts, because it's using Python on the back end, but you can use pretty much anything, and you can add further functionality that way. So if you always want to trigger the recording whenever the screen lights up, you can look for the system call for Android, the screen write-out, and then it can trigger the next system call to then record the device. So if you wanted something like "I always want to have a microphone listening", so any time someone clicks the power button, because that's got a power ID within Android, it'll trigger the microphone in the long run and start recording into the operating system, into your root. The problem is you need to be careful about how much memory you're using to record something, because if it goes quite large, yeah, you're going to start noticing some triggers. Anyway, if anybody has any other questions I'll be around, although if you do want to come see me, that'd be great. Cool, okay, another round of applause please for Jack.
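The talk says the gzip-compressed cpio image is tucked onto the end of another file and that gzip makes data carving harder. As an added example, not the speakers' or the project's code, here is the check a forensic analyst would run against that claim: scan a file for gzip signatures, inflate each candidate with a single-member decompressor (so decoy signatures and trailing bytes are tolerated), and flag any member that unpacks to a newc-format cpio archive. The host file and the cpio entry are constructed inline; the newc header builder is a hypothetical helper only there to make the sample.

```python
"""Carve a gzip-compressed cpio archive appended to the tail of another file.
Added example (not the speakers' code); the host file and cpio entry below
are constructed so the script runs offline."""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"      # ID1, ID2, CM=8 (deflate)
CPIO_NEWC_MAGIC = b"070701"       # SVR4 "newc" cpio header, as written by `cpio -H newc`


def build_newc_entry(name: bytes, data: bytes) -> bytes:
    """Hypothetical helper: one minimal newc cpio entry (header + name + data)."""
    fields = (1, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
    hdr = CPIO_NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in fields)
    body = hdr + name + b"\0"
    body += b"\0" * (-len(body) % 4)          # header + name padded to 4 bytes
    return body + data + b"\0" * (-len(data) % 4)


def carve_gzip_members(blob: bytes):
    """Yield (offset, inflated_bytes) for every gzip signature that inflates cleanly.
    A single-member decompressor is used so bytes after the stream are ignored."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(zlib.MAX_WBITS | 16)   # +16 = expect a gzip wrapper
        try:
            out = d.decompress(blob[pos:])
            if d.eof:                                  # whole stream present, CRC/ISIZE checked
                yield pos, out
        except zlib.error:
            pass                                       # signature bytes, but not a real stream
        pos = blob.find(GZIP_MAGIC, pos + 1)


def find_hidden_cpio(blob: bytes):
    """Offsets and contents of carved gzip members whose payload is a newc cpio archive."""
    return [(off, inner) for off, inner in carve_gzip_members(blob)
            if inner.startswith(CPIO_NEWC_MAGIC)]


# Constructed sample: an innocent-looking host file, containing a decoy gzip signature
# that is not a real stream, followed by the appended archive.
HOST = (b"host file header\n" + b"\x00" * 48
        + GZIP_MAGIC + b"\xff\xff\xff\xff" + b"more host data\n")
ARCHIVE = build_newc_entry(b"opt/startup.sh", b"#!/bin/sh\necho tinycore\n")
SAMPLE = HOST + gzip.compress(ARCHIVE)

if __name__ == "__main__":
    for off, inner in find_hidden_cpio(SAMPLE):
        print(f"gzip'd newc cpio archive at offset {off}, inflates to {len(inner)} bytes")
```

Run against a real image, the same scan reports every offset at which a complete gzip stream sits past a file's expected end, which is exactly the place a plain signature search would otherwise skip.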