The security community raised the alarm last week over a serious issue: Android devices shipping with their debug port open to remote connections.
Despite warnings about the threat of leaving insecure remote services enabled on Android devices, manufacturers continue to ship devices with open ADB debug port setups that leave Android-based devices exposed to hackers.
Android Debug Bridge (ADB) is a command-line tool generally used for diagnostic and debugging purposes; it lets app developers communicate with Android devices remotely to execute commands and, if necessary, take complete control of a device.
Usually, developers connect to the ADB service on an Android device over a USB cable, but ADB can also be used wirelessly by having the ADB daemon on the device listen on TCP port 5555.
If that is left enabled, unauthorized remote attackers can scan the Internet for insecure Android devices exposing the ADB debug interface on port 5555, remotely access them with the highest (“root”) privileges, and then silently install malware without any authentication.
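The exposure described above is visible on the wire at the very first exchange: the client sends an ADB CNXN message, and an insecure daemon answers with its own CNXN banner instead of an AUTH key challenge. The following Python script is an added example, not code from the article or from Beaumont’s research, showing how a network defender can recognise that handshake passively in captured traffic. It assumes only the public ADB wire protocol (a 24-byte little-endian header of command, arg0, arg1, data length, payload byte-sum checksum, and magic = command XOR 0xFFFFFFFF, followed by the payload); the sample packets at the bottom are constructed for the demonstration.

```python
"""Passive detector for ADB-over-TCP handshakes seen in captured traffic.

Added example (not from the article). Assumes the public ADB wire protocol:
each message is a 24-byte little-endian header (command, arg0, arg1,
data_length, data_check, magic) followed by data_length payload bytes, where
magic == command ^ 0xFFFFFFFF and data_check is the byte sum of the payload
(zero when a peer uses the newer skip-checksum protocol version).
"""
import struct

ADB_HEADER = struct.Struct("<IIIIII")
A_CNXN = 0x4E584E43    # b"CNXN" as a little-endian uint32: connect / banner
A_AUTH = 0x48545541    # b"AUTH": RSA key challenge from the daemon
ADB_AUTH_TOKEN = 1     # arg0 of an AUTH message that carries a challenge token
A_VERSION = 0x01000000
MAX_PAYLOAD_V1 = 4096
ADB_TCP_PORT = 5555


def build_adb_message(command, arg0, arg1, payload=b""):
    """Serialise one ADB message (used here only to construct sample captures)."""
    header = ADB_HEADER.pack(command, arg0, arg1, len(payload),
                             sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF)
    return header + payload


def parse_adb_message(buf):
    """Return (command, arg0, arg1, payload) for a well-formed ADB message, else None."""
    if len(buf) < ADB_HEADER.size:
        return None                                  # too short to be a header
    command, arg0, arg1, length, check, magic = ADB_HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        return None                                  # not ADB, or header corrupted
    payload = buf[ADB_HEADER.size:ADB_HEADER.size + length]
    if len(payload) != length:
        return None                                  # truncated capture
    if check != 0 and (sum(payload) & 0xFFFFFFFF) != check:
        return None                                  # payload does not match checksum
    return command, arg0, arg1, payload


def classify_adb_reply(device_bytes):
    """Classify the daemon's first reply to a client CNXN.

    "unauthenticated": daemon answered with its own CNXN banner, so the client
                       obtained a command-capable session without presenting a key.
    "auth-required":   daemon sent an AUTH token challenge (adb_keys enforced).
    None:              not an ADB handshake reply.
    """
    msg = parse_adb_message(device_bytes)
    if msg is None:
        return None
    command, arg0, _, payload = msg
    if command == A_CNXN and payload.startswith(b"device::"):
        return "unauthenticated"
    if command == A_AUTH and arg0 == ADB_AUTH_TOKEN:
        return "auth-required"
    return None


def alert_for_flow(dst_port, client_bytes, device_bytes):
    """Produce an alert string for a flow to the ADB port, or None if not an ADB handshake."""
    request = parse_adb_message(client_bytes)
    if dst_port != ADB_TCP_PORT or request is None or request[0] != A_CNXN:
        return None
    verdict = classify_adb_reply(device_bytes)
    if verdict == "unauthenticated":
        return "ALERT: unauthenticated ADB session accepted on port 5555"
    if verdict == "auth-required":
        return "INFO: ADB on port 5555 challenged the client for an RSA key"
    return None


# Constructed sample capture: one client CNXN and the two possible daemon replies.
SAMPLE_CLIENT_CNXN = build_adb_message(A_CNXN, A_VERSION, MAX_PAYLOAD_V1, b"host::\x00")
SAMPLE_INSECURE_REPLY = build_adb_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD_V1, b"device::ro.product.name=example;\x00")
SAMPLE_AUTH_REPLY = build_adb_message(A_AUTH, ADB_AUTH_TOKEN, 0, b"\x00" * 20)

if __name__ == "__main__":
    for name, reply in (("insecure device", SAMPLE_INSECURE_REPLY),
                        ("secured device", SAMPLE_AUTH_REPLY)):
        print(name, "->", alert_for_flow(ADB_TCP_PORT, SAMPLE_CLIENT_CNXN, reply))
```

Feeding the first client and server payloads of each port-5555 flow from an IDS or packet capture into `alert_for_flow` separates devices that accept anyone (CNXN answered by CNXN) from those that at least demand an RSA key (CNXN answered by AUTH); the former are the “root bridge” devices the article is about, and on a home or corporate network they should be found and disabled rather than waiting for an Internet-wide scanner to find them.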
Therefore, vendors are recommended to make sure that the ADB interface for their Android devices is disabled before shipping. However, many vendors are failing to do so.
In a Medium blog post published Monday, security researcher Kevin Beaumont said countless Android-based devices, including smartphones, DVRs, Android smart TVs, and even tankers, are still exposed online.
“This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’* — the administrator mode — and then silently install software and execute malicious functions,” Beaumont said.
The threat is not theoretical: earlier this year, researchers from Chinese security firm Qihoo 360’s NetLab discovered a worm, dubbed ADB.Miner, that exploited the ADB interface to infect insecure Android devices with Monero (XMR) mining malware.
Smartphones, smart TVs, and TV set-top boxes were believed to be targeted by the ADB.Miner worm, which managed to infect more than 5,000 devices in just 24 hours.
Now, Beaumont has once again raised the community’s concerns over this issue. Another researcher also confirmed that the ADB.Miner worm spotted by Netlab in February is still alive, with millions of scans detected in the past month alone.
“@GossiTheDog inspired me to take a look back at the ADB.Miner worm, which I’ve been fingerprinting in February. It seems that it lives and it feels pretty well. I’ve checked out two days (4th, 5th of June) – about 40 000 unique IP addresses. I’ll provide some deep analysis soon,” Piotr Bazydło, IT Security researcher at NASK, tweeted.
Update: Shodan have now added support for Android Debug Bridge, and crawlers are now running. Will take a while to update. 👍 pic.twitter.com/rlU0I3XzNm
— Kevin Beaumont (@GossiTheDog) June 9, 2018
Although it is difficult to know the exact number of devices due to Network Address Translation and dynamic IP reservations, Beaumont says “it is safe to say ‘a lot.’”
In response to Beaumont’s blog post, the Internet of Things (IoT) search engine Shodan also added the capability to look for port 5555. Based on the scanning IP addresses, the majority of exposed devices are found in Asia, including China and South Korea.
Beaumont advises vendors to stop shipping products with Android Debug Bridge enabled over a network, as it creates what he calls a “Root Bridge”: a situation in which anybody can misuse the devices.
Since the ADB debug connection over the network is neither encrypted nor protected by any password or key exchange, Android device owners are advised to disable it immediately.