[Cryptography] Android's Secure ADB as a security hole

ianG iang at iang.org
Mon Jan 26 07:47:28 EST 2015

On 24/01/2015 17:53 pm, Ben Laurie wrote:
> On 23 January 2015 at 05:26, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> In Android 4.2, Google introduced something called "Secure ADB".  It works
>> like this:
>> Device -> Host: 20-byte random value ADB_AUTH_TOKEN.
>> Host -> Device: signed( 20-byte random value ) using RSA with SHA-1
>>                  ADB_AUTH_SIGNATURE.
>> So if you send in a SHA-1 hash of something (which happens to be 20 bytes),
>> the host is required to sign it for you and send you back the signature.  What
>> you're getting is a hash of a hash, but that just means you need to find a
>> signature that uses this doubled hash, like S/MIME signed attributes.  From
>> tracing through the source code:
>> http://code.metager.de/source/xref/android/4.2/system/core/adb/adb_auth_host.c#346
>> it doesn't look like the 20-byte limit is enforced anywhere, so by the looks
>> of it you can send in something slightly longer (e.g. the S/MIME attributes)
>> and you'll get back a signature on them from the host.  Rewrite the signature
>> into S/MIME form and you're done.
>> Can someone who's more familiar with Android internals verify whether this
>> signing-oracle-by-design really is there?
> I believe the key used is unique to adb. Surely this is not a problem?

Only if that requirement is maintained.  The thing about any successful 
system is that it gets extended to be used in other places.

It's a little bit of a dilemma.  Do you go now with the cheap & cheerful 
or do you plan for success, and double your costs upfront?
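
The reply's point, that the ADB key is only harmless while nothing else ever trusts it, shown as an added sketch that is not part of the thread or of Android's code. It contrasts the sign-anything responder described in the quoted post with one that enforces the 20-byte length and binds the signature to an ADB-only context. The toy RSA key, the ADB_CONTEXT label and other_protocol_verify() are assumptions made for the sketch.

```python
import hashlib

# Toy RSA key from two Mersenne primes: constructed for this sketch, NOT secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

TOKEN_SIZE = 20                    # ADB_AUTH_TOKEN length given in the post
ADB_CONTEXT = b"adb-auth\x00"      # hypothetical domain-separation label


def _sign(data: bytes) -> int:
    """Textbook RSA over SHA-1(data); padding omitted for brevity."""
    return pow(int.from_bytes(hashlib.sha1(data).digest(), "big"), D, N)


def _verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(hashlib.sha1(data).digest(), "big")


def oracle_respond(token: bytes) -> int:
    """Behaviour described in the post: sign whatever arrives, any length."""
    return _sign(token)


def hardened_respond(token: bytes) -> int:
    """Refuse anything but a 20-byte token and bind it to the ADB context."""
    if len(token) != TOKEN_SIZE:
        raise ValueError("token must be exactly 20 bytes")
    return _sign(ADB_CONTEXT + token)


def hardened_verify(token: bytes, sig: int) -> bool:
    """Device-side check matching hardened_respond()."""
    return len(token) == TOKEN_SIZE and _verify(ADB_CONTEXT + token, sig)


def other_protocol_verify(message: bytes, sig: int) -> bool:
    """Hypothetical second protocol that later comes to trust the same key."""
    return _verify(message, sig)
```

The context label only separates the two uses if every other consumer of the key signs under its own, different label; the length check alone does not do that.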
