LockPickFuzzer: Exploring Vulnerabilities in Android Lock Screen Mechanisms through ADB-Based Fuzzing

  • Daehoon Ko (고대훈), Sungkyunkwan University
  • Hyoungshick Kim (김형식), Sungkyunkwan University
  • Received : 2024.06.03
  • Accepted : 2024.07.09
  • Published : 2024.08.31

Abstract

Android devices employ lock screens with various authentication methods to protect user data. However, even with the lock screen active, the device can be accessed via the Android Debug Bridge (ADB), a powerful development tool that controls devices connected through USB. In this paper, we explore methods to bypass the lock screen security mechanism by leveraging the characteristics of ADB. To achieve this, we analyze ADB commands to categorize those that can severely impact the Android system and propose LockPickFuzzer, a fuzzing test tool that automatically explores ways to combine these commands to disable lock screen security. To demonstrate LockPickFuzzer's ability to detect security vulnerabilities using ADB, we conducted experiments on the Galaxy S23 and Pixel 8, both running Android 14. The results revealed two ADB command combinations that could either steal authentication information or bypass the lock screen. We submitted a report on these discovered vulnerabilities to the Samsung security team and received official acknowledgment (SVE-2023-1344) from Samsung Electronics for one ADB command combination that can be reproduced on user devices. LockPickFuzzer is a practical tool that operates automatically without user intervention and is expected to contribute to the effective detection of security vulnerabilities caused by ADB command combinations on Android devices.

Acknowledgement

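This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) with funding from the Korean government (Ministry of Science and ICT) in 2024 (RS-2018-II180532, Development of a High-Assurance (EAL6 or higher) Secure Microkernel).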
