"Potentially rogue binary" in Sprint Evo - jchonphoenix
http://www.unrevoked.com/rootwiki/doku.php/public/unrevoked1_disclosure

======
mmastrac
I'm part of the team that found this backdoor. A few points:

1. "Never Trust Sprint Again" is editorializing on the part of the submitter,
not our stance. It's a very, very crappy thing to put on a phone, but there's
no evidence it was placed there maliciously.

2. It was released in the wild on the HTC Hero for some time. We believe it
would have been in the wild on the EVO if we hadn't reported it.

3. Sprint was very responsive when we reported this to them. They turned
around a patch within a few days that sealed this particular hole.

4. We have no idea where this came from or who was ultimately responsible.
That information never made it back to us.

~~~
Turing_Machine
Clarification request: I don't have one of these phones, but have friends who
do. Are the OTA updates installed automatically, or do they need to take some
action (e.g. run a software update app or the like)?

~~~
mmastrac
If you're running stock (or close to stock firmware), you'll get a popup
notification saying there's an update available. If you haven't received one
for a few days, you're more than likely up-to-date.

~~~
Turing_Machine
Thanks! I'll let my friends know.

------
mahmud
Look, if your backdoor binary sits in /usr/bin or similar in a file system,
you really have no business writing backdoors.

Sprint could have the same functionality built into the kernel and no one
would have noticed it. It's actually a good thing it's not running by default.
I would snoop around further and see how it's launched; the command list only
has the shutdown commands, not the launcher. Without the trigger you really
don't have the whole answer.

~~~
noonespecial
Also if you name it "SkyAgent" (or anything vaguely Terminator-y), you wear
the hat of shame. To parties.

------
nonane
"We do not believe that skyagent could ever be invoked remotely."

What's the risk here? Possibly a debugging helper app left inadvertently?

~~~
masklinn
Or an OTA update adding it to the init process (though apparently skyagent has
not been removed)

~~~
mmastrac
It was removed in the OTA update on the EVO and Hero (not just chmodded, but
unlinked).

~~~
masklinn
Erm yes, I apparently mistyped, I meant to write that it had been removed
(saying that it hasn't been removed makes little if any sense)

------
jbyers
    4 Jun 2010: Sprint OTA update removing skyagent binary.

I didn't trust any of the carriers to begin with. At least Sprint removed it.

------
st3fan
skyagent == air marshal?

------
jchonphoenix
What's unstated here but recognized by unrevoked is that Sprint had skyagent
purposefully on their phones so that they could easily gain root access and
keep their phones under their command.

~~~
po
If it is recognized by unrevoked that that is true, then why does it state, "At
this time, we believe that skyagent was a debugging binary left over from
manufacture. We have been consistently impressed with the actions taken by
Google, Sprint, and HTC to expeditiously resolve this issue."

~~~
joubert
But a few paragraphs later they write:

However, the security vulnerabilities present in skyagent are of less cause
for concern than the purpose of the program. It appears that the binary was
designed as a backdoor into the phone, allowing remote control of the device
without the user's knowledge or permission. When the program is invoked, it
listens for connections over TCP (by default, port 12345, on all interfaces,
including the 3G network!) and accepts a fixed set of commands. These
commands appear to be authenticated only by a fixed “magic number”; the
commands are neither encrypted on the way to the device nor on the way back.
The commands that we have knowledge of at this time include:

sending and monitoring user tap and drag input (“PentapHook”), sending key
events (“InputCapture”), dumping the framebuffer (“captureScreen”), listing
processes (“GetProc”), rebooting the device immediately, and executing
arbitrary shell commands as root (“LaunchChild”)
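
A defender-side check for the exposure quoted above, added here as an example and not part of the HN thread or the unrevoked disclosure: it parses `netstat -tln`-style output (the sample lines are constructed, not captured from a device) and flags any listener on the disclosure's default port that is bound to the wildcard address, i.e. reachable from every interface including the cellular one.

```python
"""Flag TCP listeners bound to all interfaces on a given port.

Added example for the skyagent discussion; the netstat output below is
constructed (Linux `netstat -tln` layout assumed), not from a real phone.
"""
import re
from typing import List, Tuple

# Default port quoted from the disclosure; a wildcard bind means the socket
# accepts connections on every interface, not just loopback or Wi-Fi.
SKYAGENT_DEFAULT_PORT = 12345
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample: adb on loopback, a wildcard listener on 12345, and an
# IPv6 wildcard listener on 5555.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp6       0      0 :::5555                 :::*                    LISTEN
"""

# proto, recv-q, send-q, local address, foreign address, LISTEN
_LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")


def split_addr(local: str) -> Tuple[str, int]:
    """Split 'host:port'; the host may itself contain ':' for IPv6."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def find_exposed_listeners(netstat_output: str,
                           port: int = SKYAGENT_DEFAULT_PORT) -> List[Tuple[str, int]]:
    """Return (address, port) for LISTEN sockets on `port` bound to all interfaces."""
    hits = []
    for line in netstat_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header or non-listening line
        host, p = split_addr(m.group(2))
        if p == port and host in WILDCARD_ADDRS:
            hits.append((host, p))
    return hits


if __name__ == "__main__":
    for host, p in find_exposed_listeners(SAMPLE_NETSTAT):
        print(f"listener on {host}:{p} is reachable from every interface")
```

On a real device the same function can be fed the output of `netstat -tln` (or `ss -tln` reformatted to that layout); a hit only says the port is exposed, so confirm which binary owns the socket before drawing conclusions.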

~~~
ramchip
Isn't your comment fully supporting the previous poster?

It sounds a lot more like a debugging tool than a malevolent program: a
backdoor sitting in an obvious folder, with an easy default port and no
encryption, that allows one to see system status and events, or run commands.
Also, "We do not believe that skyagent could ever be invoked remotely".

~~~
joubert
Curious name for a "debugging tool", but maybe that's just me.