Select Monthly Archives
- January 2020
- September 2019
- August 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- August 2018
- July 2018
- May 2018
- March 2018
- February 2018
- December 2017
- November 2017
- September 2017
- August 2017
- June 2017
- May 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- March 2016
- October 2015
- September 2015
- July 2015
- May 2015
- March 2015
- February 2015
- January 2015
- December 2014
- September 2014
- August 2014
- July 2014
- June 2014
- December 2013
- September 2012
Filed In: Security Testing, Security
Written By: Brandon Wilson July 09, 2018
Generally, it is a mistake for a web application to have an open and publicly accessible administrative interface – particularly one that does not require credentials in order to use. This principle is just as applicable to hardware designs as it is to application designs.
While eating at a restaurant one night, I noticed a tablet device on the table. Devices like these are intended to allow patrons to order food or drink refills, pay for their bill, or even play games, sometimes for a small fee. The device in front of me seemed to be physically secure from tampering by children or even curious adults, with one notable exception: there was a SATA port at the bottom of the tablet.
Figure 1 - The SATA connector on the bottom of the device
Knowing that SATA is an interface for storage devices such as hard drives and optical drives, this seems like a very unusual port to have on the device. Could it be for connecting to a PC, and presenting some sort of storage interface? I could not experiment with the device while in the restaurant without puzzling looks by the servers or management, leaving my options for further research severely limited.
Exploring My Options
While searching eBay for the same or similar models by the same manufacturer, I encountered a listing for a single device from a freight recovery auction, likely from a closed restaurant at another location. This listing did not include the battery or a charging adapter and made no guarantees as to whether the device actually worked or not, but I decided to purchase it anyway and see what information I could glean from it.
Once I received the device, I read the stickers on the back to determine that the device uses a 3.7V battery. The only battery I had with a matching voltage was from an old cell phone from many years ago, when it was common for batteries to be removable. I fully charged this phone over USB and removed its battery.
Figure 2 - The six pin battery connection on the back of the device
I then attached alligator clips to the positive and negative terminals of the battery, and then attached the other end of the clips to various combinations of the six pins where the original battery would connect to the device. My original guess that the positive pin would be on one end (the far left side) while the negative pin would be on the other end (the far right side) proved to be correct. By guessing that the only button on the device would be for power and holding it, I was able to turn the device on.
Watching the device boot, I could see that it appeared to be an old version of Android launching an application tailored to the restaurant in question. It took much longer to boot than the one observed in operation at the restaurant, likely because it was unable to connect to the restaurant’s Wi-Fi access point.
Once I had a functioning tablet, I took apart the device to finally get a look at the mysterious SATA connection. Fortunately for me, the pads on the PCB, which are connected to each pin on the SATA connector, are clearly labeled:
Figure 3 - The PCB at the SATA connector, with each connected pin in order and clearly labeled
Table 1 - Standard SATA connector pinout
Comparing this to the standard pinout for the SATA connector, nothing appears to line up. Pins that should normally be grounded now appear to have a purpose and carry a signal. For example, pin 1, which should normally be for a ground connection, is connected to the PCB pad labeled “Vbus.” This is clearly incompatible with the SATA specification. It appears that the tablet manufacturer has repurposed the SATA connector to perform an entirely different function -- and in this case, to perform multiple functions.
Utilizing the Connection(s)
The SATA connector on the PCB appears to expose both a serial connection and a USB connection. A serial connection must have, at a minimum, send and receive pins (UART_2_RX and UART_2_TX), while USB must have two data pins (D+ and D-) and a +5V power line. Ground pin(s) can be shared between both connections. That leaves one mysterious connection -- a pin labeled DOWNLOAD_MODE on the PCB.
By googling for the meaning of DOWNLOAD_MODE as it pertains to Android, I determined that the pin should be grounded while booting the device to enter the Android bootloader. This can be easily accomplished by inserting a small piece of metal, such as a paperclip or pocketknife, into the SATA connector on the right side, bridging the DOWNLOAD_MODE pin and the metal shielding of the SATA connector.
Once the Android bootloader is running, the bootloader can be re-flashed, and the device can be fully compromised. During testing, I discovered that shorting the DOWNLOAD_MODE pin after the tablet has already booted allows the Android app drawer to be displayed, allowing a user to launch Android applications other than the intended restaurant dashboard, and break out of its sandbox.
By splicing into a USB cable and soldering its D+, D-, +5V, and Ground wires to the associated PCB pads, I can create a USB connection between the tablet and a PC. By initiating an Android ADB connection, I can then extract the entire contents of the device for further study. Log files and even text files containing WiFi credentials are stored in plain text on the device, enabling an attacker to easily connect to the restaurant’s WiFi network and potentially wreak havoc. Several APKs were also found, and reverse engineering these reveal the web service API used to interact with the restaurant’s ordering system and the hard-coded credentials for authenticating to it.
Lessons to Be Learned
Fully compromising this tablet was possible for a variety of reasons which, when combined, make the entire process even easier:
- Debug or administrative ports should not be publicly accessible to users of a device. If such a debug interface is important, it should be protected with credentials or require a unique device key that only authorized individuals would possess.
- The tablet manufacturer designed a pinout for the SATA connector such that splicing into an existing SATA cable would not work, because several pins in the SATA specification are assumed to be grounded and therefore bridged together. However, an attacker can easily order SATA connectors by themselves online for mere pennies and create a cable that allows compromising a restaurant tablet from an inconspicuous device such as a cell phone.
- The PCB had clearly labeled pads describing the purpose of each pin from the SATA connector. Without this, a person would only discover the pins’ true purpose by tracing them one by one, which will discourage most people.
- Repurposing a connector that does not make sense in the context it is being used, such as a storage connector or display port for general communication, will encourage a curious observer to look into the device more.
- The designer of the tablet may have presumed that someone plugging a homemade cable into the device while in a crowded restaurant would attract too much attention and is therefore unlikely to happen. However, a person can break out of the device’s sandbox simply by grounding the DOWNLOAD_MODE pin, which is connected to the rightmost pin in the SATA connector. By inserting a paperclip into the connector, other Android applications can be launched. In my test environment, I could bypass the game paywall with this method.
Security through obscurity, or relying on custom or unusual pinouts and interfaces, will never be a successful strategy. In fact, it can encourage a curious customer to start digging where they do not belong. Hackers need to eat just like everyone else, and they can see an avenue for attack that may not be so obvious to the average consumer, which a hardware designer for a publicly accessible device must keep in mind if security is a concern.