Monday, August 2, 2010

WaveSecure - Major Security Leak Uncovered

Situation: Dramatic things have happened - WaveSecure, the well-known phone anti-theft app, is as unsecure as it could possibly be... hundreds of thousands of users have exposed their personal data and much more to hackers all over the world without knowing it. The hacker just needs to know or GUESS the victim's IMEI and he is set.

EDIT: The vulnerable interface, which had been open to hackers for months, has been disabled by the WaveSecure guys in response to my publication. Links to this blog that were posted on Wave"Un"Secure's website were removed instantly. There is also no comment by tenCube about this case, and it seems the users have not been informed about the threats of Wave"Un"Secure's unsecure communication model.

This is a description of the original vulnerability:

Weeks ago I discovered the hard-reset-proof feature for rooted Android phones that WaveSecure provides. Wow, I thought, that's really cool - but then... I know that once a rooted Android device is reset to its factory settings, system applications survive that reset. WaveSecure uses this to survive the reset, and that part works fine.

However, all application data is lost on a reset - but SOMEHOW WaveSecure survived that too: the settings were still there. After researching a bit I found out that WaveSecure pulls the settings from its server. So far so good. Then the next question came up: how on earth does WaveSecure authenticate to the servers if there is no secret data left on the phone once the device is reset?! Everything would have to work using publicly known data... which leads to the logical conclusion that there MUST be a security leak...

OK OK, I admit - that's not enough. So I decompiled the program using Baksmali and spent 2 days looking through the sources.

Actually it was quite easy...
- find out what the command format from client to server looks like
- find out how the encryption works
- write a small program that reuses the encryption
- decrypt the reply
- look whether there's something usable in it

Now it got even easier:
- the encryption keys are stored on the device, ready to go
- the encryption used is standard AES; there are lots of public libraries around, even the Java Runtime Environment ships one
- and when I finally got the reply from the server I found out that I did not even have to DECODE anything - everything was PLAIN TEXT, including the PIN code of the user...

It's incredible. A program that won the Android developer challenge really is THAT UNSECURE?

Now imagine this: just by providing the IMEI of the target phone, anyone can get the PIN code plus the phone number of that user... then just log in at http://www.wavesecure.com/ and get going:
- get all the backed up user data (SMS, Contacts, Pictures, ...)
- locate the phone using GPS
- wipe the phone
- lock the phone

All without authorization!!!
It's just 150 lines of code.

Just look at the attached screenshots and you'll see how it worked.
At this point I will not provide any source code (just pseudo code) because I do not want to harm anybody. I also only used the program to test it against my own account. So no data has leaked yet... until someone else finds out how to do this too... it's really not much work.

This is the pseudo code:

class WS {
    byte[] doEncrypt(text)
    {
        cipherKey = hexStringToByteArray("..."); // get this key from the .apk /res/raw/build_config.txt
        generate key using Rijndael;
        get a cipher instance for "Rijndael/CBC/NoPadding";
        encrypt the stuff;
        return encrypted stuff;
    }

    main(arg)
    {
        command = "...some special command string..." + arg[0]; // append IMEI
        encrypt command;
        url = "https://www.wavesecure.com/service.ashx?text=/!!/AAAA" + encrypted command;
        just open a standard GET on the URL;
        read the response, it's PLAIN TEXT;
        search for the PIN within;
        that's IT!
    }
}
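To make the reasoning above concrete, here is an added toy example (my own, not code from the post and not WaveSecure's protocol) contrasting a restore service that hands out a record to anyone who supplies the IMEI with one that treats the IMEI only as a lookup key, verifies a user-held PIN against a salted verifier, and locks the record after a few wrong guesses. The IMEI, PIN, settings and record layout are all constructed.

```python
import hashlib
import hmac
import os

# Constructed toy model of a "restore settings after factory reset" service.
# It is NOT WaveSecure's protocol; record layout, PIN and IMEI are made up.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5


def weak_enroll(db, imei, pin, settings):
    """Weak design: the PIN is stored in the clear next to the settings."""
    db[imei] = {"pin": pin, "settings": settings}


def weak_restore(db, imei):
    """Weak design: the IMEI (a public identifier) is treated as the credential,
    so anyone who knows or guesses it gets the whole record, PIN included."""
    return db.get(imei)


def hardened_enroll(db, imei, pin, settings):
    """Hardened design: store only a salted PBKDF2 verifier of the PIN."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    db[imei] = {"salt": salt, "verifier": verifier, "settings": settings, "failures": 0}


def hardened_restore(db, imei, pin):
    """Hardened design: the IMEI only selects the record; the PIN proves ownership and
    is compared, never returned. After MAX_FAILURES wrong PINs the record locks."""
    rec = db.get(imei)
    if rec is None or rec["failures"] >= MAX_FAILURES:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PBKDF2_ITERATIONS)
    if not hmac.compare_digest(candidate, rec["verifier"]):
        rec["failures"] += 1
        return None
    rec["failures"] = 0
    return rec["settings"]


def demo():
    """Run both designs against the same constructed enrollment."""
    imei, pin = "356938035643809", "4711"  # constructed sample values
    settings = {"phone_number": "+1-555-0100", "buddies": ["+1-555-0101"]}
    weak_db, hard_db = {}, {}
    weak_enroll(weak_db, imei, pin, settings)
    hardened_enroll(hard_db, imei, pin, settings)
    leaked = weak_restore(weak_db, imei)              # IMEI alone: PIN + settings
    denied = hardened_restore(hard_db, imei, "0000")  # wrong PIN: None
    granted = hardened_restore(hard_db, imei, pin)    # right PIN: settings only
    return leaked, denied, granted
```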
Hope this article was interesting - email me with comments at ws555888@hotmail.com.

18 comments:

  1. ??? does this work?

  2. the link was posted on a blog on wavesecure.com, now all the comments to that blog are gone!

  3. just tried it, doesn't work.

  4. the interface has been disabled at the server side - of course! :-) it would really be critical if they left it open. however I think it would not take very long to find another way... also I think that now the hard-reset restore of WaveSecure will not work anymore (because the interface is not there anymore)

  5. Pretty cool for them to get this fixed so fast!

    I'll miss the hard-reset restore feature. I hope they manage to do it in some other way without any security concerns.

  6. yup, just tried it as well. doesn't seem to work now, definitely disabled from the server side. But good one Mark, I did wonder how WS magically, after a hard reset, returned to lock the phone and knew its link to my account.

    your explanation makes sense and it was a good one to catch the potential leak. But I think the probability is quite low anyway since you need the IMEI to get the username and password. if I can get the IMEI of the phone, I might as well just look at the data on the phone physically.

    but you have to give it to these guys for coming up with such a thing in the first place, hope they can fix the security issues and bring back the hard-reset-proof ability

  7. They had to, a lot of people had already heard of it - and it was simply by disabling the feature and not by fixing the underlying problems. I think it can again be hacked quite easily (however I do not want to do this).

    I now know the security architecture of the software and it is really weak given that user data is stored online on their servers. This leak was open for months!!

    I would use a different tool instead that does not use online server storage. There is ALWAYS a leak (as you see in this case where I queried WaveSecure BEFORE my attempts and they said everything is secure... which was not true)!

  8. PS: as you mentioned that you need to KNOW the IMEI. what about guessing? I am sure I would have been able to get a good amount of secure user data in a short time.

  9. Good investigative job Mark! But I disagree with you. The probability of intrusion is pretty low considering you need physical access to the device to get the IMEI, and that device needs to be loaded with WaveSecure. Compare that to iOS' PDF exploit affecting all iPhones, this is a small case. I sure wouldn't want to be in Apple's shoes. Haa.

    Just some advice from a fellow Android dev. Do you know that you are not allowed to reverse engineer or decompile software on Android Market as it violates the terms of service? Check out the terms at http://www.google.com/mobile/android/market-tos.html.

    'You agree that you will not, and will not allow any third party to, (i) copy, sell, license, distribute, transfer, modify, adapt, translate, prepare derivative works from, decompile, reverse engineer, disassemble or otherwise attempt to derive source code from the Products, unless otherwise permitted'

  10. hi, I did not use the APK from the Market but one from the internet - so I agreed to nothing :-)

    regarding IMEI: guessing is enough... also, it is really a shame that such a security hole has been open for such a long time. I could get my girlfriend's IMEI and then locate her all the time without her knowing it. Or I borrow the phone of my boss and get the IMEI...

    Critical in my opinion.

  11. But I agree the PDF bug is enough for a big laugh :-)

  12. @Anonymous August 5, 2010 6:30 PM:
    A lot of applications on the Market are already collecting the IMEI as part of the authentication of buying customers. Your IMEI is NOT secret.
    The Google license agreement is superseded by local laws, and in most countries you are allowed to reverse engineer applications to look for security faults. That's what the antivirus companies do everyday.

  13. Found out another serious security glitch!
    There is a dummy way to stop/reset Wavesecure on the device after it was stolen!
    Simply go to Settings > Applications > Manage Apps > Wavesecure > Force stop + Clear Data
    Next it is simply a matter of reconfiguring the service with a new, cheap prepaid card to make sure nobody takes control anymore.

  14. You can also bypass WaveSecure's lock and uninstall protection by booting any Android phone into safe mode.

  15. Nice catch Mark. I saw your post and even I am surprised how it won so many acclaimed awards? I believe the awards were based on sales and revenue generated rather than on how secure it is! Management thinks only of promoting rather than securing!

    Good stuff!

  16. Nice post Mark.... any recent bugs of the same kind you've found in WaveSecure or any other McAfee product?

  17. Hi, I have forgotten the PIN code of WaveSecure. I installed the software, opened it and forgot what I did with it..
    Now after a week, I wanted to uninstall because I read its reviews on the internet and came to know how it works. But I can't uninstall. It keeps asking me for the PIN code. Its trial period has expired. It was asking me for an email. I provided it, but then again, it asked me for the PIN code. I don't even remember whom I included in my buddy list.
    Now I need help.
    How to uninstall?
    I have a 5800 XpressMusic
