Thousands of Android devices still being shipped with debug ports exposed
Multiple mobile and IoT vendors across the globe are still shipping devices with Android Debug Bridge enabled, potentially leaving them vulnerable to hackers. ADB is an OS developer function that listens for traffic via port 5555 and allows anyone to connect over the internet to a device.
In fact, hackers have already leveraged the bug in a cryptojacking malware campaign.
The ADB feature is turned off in the default version of the Android OS. Users need to manually enable it when connecting their device via a USB connection. It also includes an “ADB over WiFi” feature that allows the developer to connect to a device via a WiFi connection, rather than a USB cable. However, misconfigured devices are being shipped with the ADB over WiFi features left enabled which customers may not be aware of.
This leaves the device open to remote connections through the ADB interface.
This issue was first discovered by security researchers from Qihoo 360 Netlab in February this year. The team detected an Android worm spreading from one device to another that infected them with a cryptocurrency miner named ADB.Miner. The worm uses a modified version of Mirai’s code and exploits the enabled ADB settings to spread peer-to-peer via port 555 across multiple devices.
"This is highly problematic as it allows anybody (without any password) to remotely access these devices as ‘root' (the administrator mode) and then silently install software and execute malicious functions," infosec expert Kevin Beaumont warned in a blog post published last week.“A recent look at Qihoo 360's Netlab data showed nearly ten thousand unique IP addresses scanning port 5555 during a given 24-hour window.”
Beaumont also found a huge amount of devices left vulnerable including tankers in the U.S, DVRs in Hong kong, mobile phones in South Korea and Android TV devices.
“These devices are misconfigured, and available all the world. They even exist in corporations. If somebody wanted to, they could run something other than cryptocurrency mining — which could develop into a serious issue,” Beaumont said. Using the IoT search engine Shodan, anyone can scan for devices with with ADB interfaces exposed online.
Scanning activity for port 5555 has not stopped or slowed down, Qihoo researchers said. According to NASK researcher Piotr Bazydlo, 40,000 unique addresses were found to be impacted by ADB.Miner on June 4 and 5 alone.
"These are not problems with Android Debug Bridge itself. ADB is not designed to be deployed in this manner," Beaumont said. "Vendors need to not ship products with Android Debug Bridge enabled over a network, especially when they are designed for internet connectivity."
"It places the customers in harm's way. Vendors who have done this should issue product updates to remediate the issue, and if automatic updates are not an option they should contact customers to ask them to update their software," he added.