Cerberus anti-theft Android device takeover vulnerability

Owning Android devices running Cerberus anti-theft software.

You may or may not have heard of Cerberus, an anti-theft application for Android devices. Cerberus allows you to remotely control your device if it has been lost or stolen. Features include: locate and track your device, start alarms, get a list of recent calls, download SMS messages, take pictures, record video, record audio and much more – all of which is done discreetly without the “thief” knowing so you can track your phone down and attempt to recover it. Pretty cool, right? Now imagine if anyone could access your device and listen to your conversations. A security hole in Cerberus allows just that.

You may think Cerberus is pretty secure. You have a username and password, which only you know, similar to Facebook and practically every other website out there with a login system. 99% of the time this is fine and accepted standard for authenticating yourself. The problem here lies with what’s going on behind the scenes. When you login with your username and password the Cerberus API replies back with a “device ID” which is a seemingly 15 digit randomly generated number, this ID is then used in subsequent requests and used to “authenticate” you – that’s right, your username/password aren’t used past the initial stage. Upon further investigation it turns out that this ID is your devices IMEI number.

Anatomy of an IMEI number

Before we delve in further let’s take a quick look at the format of an IMEI number. IMEI numbers are not distributed uniformly at random. The first 8 digits of an IMEI represent the Type Allocation Code (TAC), which is determined by the model of the phone. For example, because I have a Samsung Galaxy Note 2, the first 8 digits of my IMEI are 35362705. Although this is the most significant portion of my IMEI number, it is not private information; knowing the model of my phone (or guessing the model) is sufficient to guess most of my IMEI number.

After the 8-digit TAC there are 6 digits that uniquely identify the specific device. These 6 digits are the only digits that are difficult for an attacker to guess. After those 6 digits the last digit is a Luhn-checksum digit, which is computed as a function of the first 14 digits. Thus, in a 15-digit IMEI number there is a relatively low amount of randomness.

Further Reading:

  1. http://blog.dasient.com/2011/07/hashing-imei-numbers-does-not-protect.html
  2. http://en.wikipedia.org/wiki/International MobileStation EquipmentIdentity

The attack

You can easily generate 106 (1,000,000) numbers within seconds, it’s verifying them that takes time. To verify an IMEI is valid and Cerberus has that device registered on their system you have to fire off an HTTP request. On my machine I can do 14 verifications a second in a single thread. One could verify ALL IMEI numbers for a Samsung Galaxy Note 2 within 15 hours. I managed to randomly generate a bunch of IMEIs (with the Note 2 TAC) and verify my own IMEI within 2 hours - obviously a lot of luck was involved in this but you get the idea.

When “verifying” an IMEI number the Cerberus API kindly returns back the username and SHA1 hashed password associated with that device – thanks guys! So what are we going to do? Maybe run the password hash through a rainbow table? You could do, but that would take a while and Cerberus have made it much easier for us. When you reset your password via the Android app it sends a request with only your device ID (IMEI) and new password, there’s no username or old password to verify who you are. When you’ve updated the password for the account associated with that device you can login via the Cerberus dashboard and control the phone as if it were your own. I have successfully tried this out on two of my android phones with trail accounts.

Can I prevent this?

No. Not until Cerberus fix their systems. If you’re looking for some kind of comfort it will be quite difficult for an attacker to personally target your device unless they know your IMEI number. They will stand more of a chance if they know your device model and thus only have to guess the 6 random digits, which could easily be done in a few hours. They would then have to some how tie your username to your real name to identify you. Again this could easily be done by looking at your accounts e-mail address or cross referencing information such as your phones location, recent SMS messages, etc. If I wanted to snoop on someone I knew and I know that they use Cerberus it would only take ~20 seconds alone with their phone to note down the IMEI number and access their account and from there I can view SMSes, track their location history and record videos.

I have e-mailed Cerberus bringing this to their attention but they are yet to respond. I hope this post changes that and they fix it ASAP. I will update this post accordingly.

Update: Cerberus have said this will be fixed in their next version, 2.4 which will be published “soon”. I have downloaded the latest 2.4 beta and the exploit still exists.

Update 2: This has been fixed server-side, props to Luca for fixing it quickly. See https://groups.google.com/forum/#!topic/cerberus-support-forum/H7fuB4TCk8Q for more info.