MTPwn


You know better than to trust a strange computer



Introduction
My wife and I travel a lot.  We have visited four of the seven continents, many countries, hiked in amazing places, eaten all kinds of foreign and exciting foods, taken in many cultures different from our own, and seen some unforgettable sights.  And we've also had some bizarre moments, like being offered cooked snake and scorpion on a skewer.  We said no.

We have loads of travel stories.  And we're glad to share some.  Just ask!

So naturally, we spend a lot of time in airports.  The first time we traveled together, I saw something like this:


or this:


I respectfully declined and instead used one of these:

She asked why, and so I explained my reasoning, quoting C-3PO:  you know better than to trust a strange computer.


You can't see what's behind that USB port.  Is it just drawing power?  Or is it also attempting a data connection?  You don't know, so it will do you good to not trust it.

Very recently, GitHub developer Salvatore Mesoraca unveiled a proof of concept exploit called MTPwn.  This post is about MTPwn, what the exploit is, forensic implications, and also proof of why you should always only trust your own computing equipment.

MTPwn
Media Transfer Protocol, or MTP, is the protocol that allows you to easily connect your Android phone to your computer and copy files in both directions, including photos and videos.  When you plug your Android phone into your Windows computer, you may see something like this on your phone:


And this on your Windows computer:


So long as this connection gets set up properly, you can now transfer files back and forth.

The files you transfer back and forth are in the phone's SD card or internal SD card directory.  You can't access app data or other protected data.  You need root privileges to access such data.  MTP only gets access to "unprotected" files.

And you also know that if your phone is locked with a PIN, you need to unlock the phone first to allow the computer to access contents via MTP.  Well, not anymore, thanks to MTPwn.

MTPwn is an exploit of MTP.  You can plug a locked Samsung Android phone into a computer, keep it locked, and still access contents.  You can only get contents MTP can access, so no root access.  You still need to root the phone to gain a physical image or access protected contents.

Just to say again, this is a Samsung-specific exploit as far as I know.

Using MTPwn
MTPwn is very easy to set up.  Use a Linux computer and download the repository from GitHub.  All credit goes to the developer Salvatore Mesoraca for this awesome work.

The page has excellent instructions.  I won't rehash the build instructions there.  Go ahead and build the tool.

Now plug in your locked Samsung Android phone.  Then run MTPwn.  I prefer to redirect output to a file for easy reading.

$ ./mtpwn > mtpwnout.txt
It may take some time, as the GitHub page notes.  You will see some information about the device.  And then when done, all the available file names are printed on the screen, or redirected to a file if you prefer as I do.

So I checked out the file mtpwnout.txt, and indeed it is a whole list of available files, including a list of all my photos taken.
...
Galaxy S6/10001/DCIM/Camera/20171107_223803.jpg
Galaxy S6/10001/DCIM/Camera/20171107_223805.jpg
Galaxy S6/10001/DCIM/Camera/20171107_223807.jpg
Galaxy S6/10001/DCIM/Camera/20171107_223815.jpg
Galaxy S6/10001/DCIM/Camera/20171107_223818.jpg
Galaxy S6/10001/DCIM/Camera/20171110_121840.jpg
Galaxy S6/10001/DCIM/Camera/20171110_121857.jpg
Galaxy S6/10001/DCIM/Camera/20171111_104623.jpg
Galaxy S6/10001/DCIM/Camera/20171118_225736.jpg
Galaxy S6/10001/DCIM/Camera/20171124_203841.jpg
Galaxy S6/10001/DCIM/Camera/20171124_203902.jpg
...
And so on and so forth.
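For an examiner, the raw listing above is more useful once it is turned into an inventory.  The following is an added example (not part of MTPwn or this post) that parses the listing format shown above, assuming lines of the form device/storage-id/path and camera filenames named YYYYMMDD_HHMMSS, and reports files per directory and the date range of camera captures.  The sample listing is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format MTPwn printed above; not real output from any device.
SAMPLE_LISTING = """\
...
Galaxy S6/10001/DCIM/Camera/20171107_223803.jpg
Galaxy S6/10001/DCIM/Camera/20171110_121840.jpg
Galaxy S6/10001/DCIM/Screenshots/Screenshot_20171124-203841.png
Galaxy S6/10001/Download/invoice.pdf
Galaxy S6/10001/DCIM/Camera/20171124_203902.mp4
...
"""

# Assumption: camera files on this device are named YYYYMMDD_HHMMSS.<ext>, as in the post's listing.
CAMERA_RE = re.compile(r"^(\d{8})_(\d{6})\.\w+$")


def parse_entry(line):
    """Split one listing line into (device, storage_id, path); return None for '...' or blank lines."""
    parts = line.strip().split("/", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return parts[0], parts[1], parts[2]


def summarize(listing):
    """Inventory an MTPwn listing: files per directory and the earliest/latest camera capture."""
    per_dir, stamps, device, total = Counter(), [], None, 0
    for line in listing.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        device, _storage, path = entry
        total += 1
        directory, _, name = path.rpartition("/")
        per_dir[directory or "."] += 1
        m = CAMERA_RE.match(name)
        if m:  # only camera-style names carry a capture timestamp we can trust
            stamps.append(datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S"))
    camera_range = None
    if stamps:
        camera_range = (min(stamps).isoformat(sep=" "), max(stamps).isoformat(sep=" "))
    return {"device": device, "total": total, "per_dir": dict(per_dir), "camera_range": camera_range}


if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```

Feed it the redirected mtpwnout.txt to get a quick picture of what a locked device exposed over MTP before deciding whether a fuller pull is warranted.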

Additionally, MTPwn both places a file on the device and pulls a random one.  It pulled a random photo off my phone of a woodpecker we saw in southern Chile.  This photo was extracted from my locked Samsung Galaxy S6 phone, plugged into my computer in what I thought was only charge mode, where I did not authorize a connection.

Obviously if the exploit can pull one file, it can pull all of them.  You could customize the code and use this tool to extract all the available files to your computer without authorizing such on the phone.

Pretty cool, huh?

Forensic implications
Android device security is getting better and better.  Examiners use tools to beat security on devices in order to obtain data and conduct investigations in a legal manner.  The nightmare scenario for an examiner is a locked encrypted Android device.  The examiner cannot get in, and cannot decrypt the phone.  If the examiner tries some dead forensic imaging process like chipoff, the result would be encrypted and useless contents.  There's not much you can do.

Well, now you can do something if that phone is a Samsung.  You can customize the exploit as mentioned above to pull all the camera-taken photos and videos, screencaps, other media files, and anything else that may reside in the /sdcard directory of the device.  That may not be an exhaustive look at the device, but it is way more than nothing.  And you never know: there may be something truly important found.

Security implications
Back to my traveling as mentioned above.  Don't plug your phone into any random USB port to charge.  If that USB port is doing more than just powering, if it is plugged into a computer, it could potentially be extracting all your photos.  It is feasible.  Bring your own charger.  As always, do not trust somebody else's equipment for sake of convenience.  Good security often is inconvenient, but that is just the truth.

The newest update available on most newer phones patches this vulnerability.  Make sure your phone is updated.  Or be like me and have an intentionally out-of-date phone for hacking.

And in closing, I just have to relay a funny story.  At the beginning of this post, when I was searching for all those images, I came across an image of a USB charger.  I was about to use that image until I read the webpage it was on.  The charger actually had a built-in microphone and would save audio to a hidden SD card.  So while not exactly the topic presented here, it is close.  Use your own charging equipment.

Forensic 4Cast awards
I would be humbled and honored if you would consider nominating my blog, Free Android Forensics, for the award "Digital Forensic Blog of the Year" presented by Forensic 4Cast.

Forensic 4Cast is an excellent resource for all things digital forensics. They run an annual awards ceremony for digital forensics achievements for the year.

2017 was a banner year for Free Android Forensics. From imaging an Android car stereo to studying the Waze app to imaging newer devices and some other fun topics, there was a lot to cover last year. I continually hope to serve the forensic community well by providing interesting topics.

As always, I thank you for reading. If you found my content useful, insightful, interesting, or maybe even funny, please consider nominating Free Android Forensics for Digital Forensic Blog of the Year.

Summary
  • MTPwn can obtain a list of all files in the /sdcard directory of a locked Samsung device without permission.  The exploit can feasibly be updated to pull all said files also.
  • If you are investigating a locked Samsung Android device and have no way to obtain any files, give this exploit a chance.  You may obtain something useful.
  • Think security.  Keep your devices updated.  Don't trust other computer equipment.  Don't charge off random USB outlets.

Questions, comments?  Fun travel stories?  Leave a comment below, or send me an email.
