Bringing your own device (BYOD) is a common practice within many organizations and due to COVID-19, the adoption of BYOD has expanded. The belief that software or applications can protect data from bad actors or negligence does not always take into account device weaknesses. In this blog, we will look at exploiting an RCA tablet to expose sensitive information through Android’s recovery mode options, particularly user data backup.

The backup user data option within Android devices allows us to back up the current non-volatile memory state of the device, effectively dumping the device's flash onto external storage. Depending on the device manufacturer, getting to the Android recovery screen requires a specific sequence of buttons to be pressed. On our target device, the button sequence is to simultaneously press the power and volume up buttons.

Before we begin the exploitation, we’ll insert a storage device – in this case, we’re using a microSD card.

Once we’ve pressed the recovery sequence buttons, we gain access to the recovery menu. Next, we navigate to “Backup user data” and press the power button to select it. Once this operation is complete, we’ll have a collection of backup files on our microSD card, ready for analysis.

With access to the flash content, we use binwalk to carve and reconstruct the files and folders from the dump.

Additionally, we can run strings against the files and query the output for interesting information.

Sensitive information that we obtained from this device included wireless network passwords, passwords for web applications, emails, contacts, documents, and web browsing information.

We live in a constantly evolving world with unique communication requirements. Being flexible is extremely important; however, we must be aware of the capabilities of the devices we allow to access our information. Disallowing devices that support the “Backup user data” recovery option would prevent this attack. However, organizations should also require encryption of devices that are used to access organizational data – full disk encryption effectively negates this sort of attack. See our introduction-to-hardware-hacking-part-1 and introduction-to-hardware-hacking-part-2 blog posts for more information on IoT and hardware hacking.
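The following is an added example, not code from the original post, that shows why the strings-based triage above works against an unencrypted dump and why full disk encryption defeats it. It implements a minimal `strings` equivalent, flags the kinds of secrets listed earlier (a Wi-Fi PSK and an internal URL), and measures per-block Shannon entropy so that an assessor can tell whether a backup image they have been handed is encrypted before anything else is done with it. The "flash dump" is a constructed byte string: a wpa_supplicant-style fragment with a made-up PSK and hostname, padded to one block, followed by seeded random bytes standing in for an encrypted partition. All values are hypothetical.

```python
import math
import random
import re

# Constructed sample data (not from a real device): a plaintext region that
# looks like an unencrypted userdata partition, padded to one 1024-byte block.
PLAINTEXT_REGION = (
    b"\x00" * 64
    + b'network={\n\tssid="CorpWiFi"\n\tpsk="Example-PSK-Not-Real"\n}\n'
    + b"\x00" * 64
    + b"https://intranet.example.test/login\n"
    + b"\x00" * 64
).ljust(1024, b"\x00")

# Seeded random bytes stand in for a full-disk-encrypted region (hypothetical).
_rng = random.Random(20240101)
ENCRYPTED_REGION = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_DUMP = PLAINTEXT_REGION + ENCRYPTED_REGION


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: ~8.0 for random or encrypted data, far lower for text or padding."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# Patterns worth flagging when triaging a dump: wpa_supplicant PSKs and URLs
# that reveal internal services. Extend as needed for the device under review.
SENSITIVE_PATTERNS = {
    "wifi_psk": re.compile(r'psk="([^"]+)"'),
    "url": re.compile(r"""https?://[^\s"']+"""),
}


def find_sensitive(strings_found: list) -> list:
    """Return (label, value) pairs; value is the capture group if the pattern has one."""
    hits = []
    for s in strings_found:
        for label, pat in SENSITIVE_PATTERNS.items():
            for m in pat.finditer(s):
                hits.append((label, m.group(m.lastindex or 0)))
    return hits


def classify_blocks(data: bytes, block_size: int = 1024, threshold: float = 7.0) -> list:
    """Label each block 'empty', 'encrypted' (high entropy) or 'plaintext'."""
    labels = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        if not any(block):
            labels.append("empty")
        elif shannon_entropy(block) >= threshold:
            labels.append("encrypted")
        else:
            labels.append("plaintext")
    return labels


def assess_dump(data: bytes) -> dict:
    """Summarise what a backup image exposes: block classes and recoverable secrets."""
    found = extract_strings(data)
    return {
        "blocks": classify_blocks(data),
        "sensitive": find_sensitive(found),
    }


if __name__ == "__main__":
    report = assess_dump(SAMPLE_DUMP)
    print("block classes:", report["blocks"])
    for label, value in report["sensitive"]:
        print(f"recoverable {label}: {value}")
```

Run against the constructed sample, the first block is classified as plaintext and yields the PSK and the internal URL, while the four random blocks are classified as encrypted and yield nothing; a device with full disk encryption enabled produces a dump in which every block looks like the latter. The same triage, run on a real backup image, is a quick way to confirm whether a BYOD encryption policy is actually in force on the device.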

As always, thanks for reading. Subscribe to our newsletter below to be notified when we publish future blog posts.