"Potentially rogue binary" in Sprint Evo (unrevoked.com)
59 points by jchonphoenix on July 10, 2010 | 22 comments

I'm part of the team that found this backdoor. A few points:

1. "Never Trust Sprint Again" is editorializing on the part of the submitter, not our stance. It's a very, very crappy thing to put on a phone, but there's no evidence it was placed there maliciously.

2. It was released in the wild on the HTC Hero for some time. We believe it would have been in the wild on the EVO if we hadn't reported it.

3. Sprint was very responsive when we reported this to them. They turned around a patch within a few days that sealed this particular hole.

4. We have no idea where this came from or who was ultimately responsible. That information never made it back to us.

This looks like an automated debugging/testing tool that should not have made it to a production build to me. Is there anything that points in or away from that possibility? Pentaps seems extraneous for a backdoor...

Clarification request: I don't have one of these phones, but have friends who do. Are the OTA updates installed automatically, or do they need to take some action (e.g. run a software update app or the like)?

If you're running stock (or close to stock firmware), you'll get a popup notification saying there's an update available. If you haven't received one for a few days, you're more than likely up-to-date.

Thanks! I'll let my friends know.

Look, if your backdoor binary sits in /usr/bin or similar in a file system, you really have no business writing backdoors.

Sprint could have the same functionality built into the kernel and no one would have noticed it. It's actually a good thing it's not running by default. I would snoop around further and see how it's launched; the command list only has the shutdown commands, not the launcher. Without the trigger you really don't have the whole answer.

Also if you name it "SkyAgent" (or anything vaguely Terminator-y), you wear the hat of shame. To parties.

That's what makes me believe the "leftover debugger" explanation... If they were doing it maliciously, they probably would have hidden it a little better. One would think. Either that or they're malicious and incompetent.

"We do not believe that skyagent could ever be invoked remotely."

What's the risk here? Possibly a debugging helper app left inadvertently?

Or an OTA update adding it to the init process (though apparently skyagent has not been removed)

It was removed in the OTA update on the EVO and Hero (not just chmodded, but unlinked).

Erm yes, I apparently mistyped, I meant to write that it had been removed (saying that it hasn't been removed makes little if any sense)

  4 Jun 2010: Sprint OTA update removing skyagent binary.
I didn't trust any of the carriers to begin with. At least Sprint removed it.

skyagent == air marshal?

What's unstated here but recognized by unrevoked is that Sprint had skyagent purposefully on their phones so that they could easily gain root access and keep their phones under their command.

If it is recognized by unrevoked that that is true, then why does it state, "At this time, we believe that skyagent was a debugging binary left over from manufacture. We have been consistently impressed with the actions taken by Google, Sprint, and HTC to expeditiously resolve this issue."

But a few paragraphs later they write:

However, the security vulnerabilities present in skyagent are of less cause for concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user's knowledge or permission. When the program is invoked, it listens for connections over TCP (by default, port 12345, on all interfaces, including the 3G network!) and accepts a fixed set of commands. These commands appear to be authenticated only by a fixed "magic number"; the commands are encrypted neither on the way to the device nor on the way back. The commands that we have knowledge of at this time include:

sending and monitoring user tap and drag input ("PentapHook"), sending key events ("InputCapture"), dumping the framebuffer ("captureScreen"), listing processes ("GetProc"), rebooting the device immediately, and executing arbitrary shell commands as root ("LaunchChild")

Isn't your comment fully supporting the previous poster?
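
The quoted report gives one concrete, checkable indicator: a TCP listener bound to all interfaces on port 12345. The following is an added example, not code from unrevoked or from the report, showing how a practitioner could check a device for that indicator by parsing the `/proc/net/tcp` table that Android (being Linux) exposes; on a real device the text would come from `adb shell cat /proc/net/tcp`. The sample table below is constructed for illustration, the port number comes from the report, and the little-endian decoding of the address column is an assumption that holds for the ARM handsets in question. The check is written generally: it reports every wildcard listener, and separately marks the one matching skyagent's default port.

```python
"""Flag wildcard TCP listeners in /proc/net/tcp output, e.g. skyagent's default port.

Added example; not part of the unrevoked report. The SAMPLE table is constructed.
"""
import socket
import struct

SKYAGENT_DEFAULT_PORT = 12345  # default port named in the unrevoked report
TCP_LISTEN = 0x0A              # 'st' value for a listening socket in /proc/net/tcp

# Constructed sample (columns follow the kernel's /proc/net/tcp layout).
# Row 1: 127.0.0.1:8080 listening as uid 1000 (benign, loopback only).
# Row 2: 0.0.0.0:12345 listening as uid 0 (the skyagent-style indicator).
# Row 3: an established connection from 10.0.0.2, not a listener.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10001 1 00000000
   1: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 00000000
   2: 0200000A:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 00000000
"""


def _decode_addr(hex_addr):
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a', port).

    Assumption: the kernel prints the IPv4 address in host byte order, which is
    little-endian on the ARM devices discussed here (and on x86 test hosts).
    """
    hex_ip, hex_port = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, port = _decode_addr(fields[1])
        sockets.append({
            "ip": ip,
            "port": port,
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def wildcard_listeners(text):
    """Return (port, uid) for every socket listening on 0.0.0.0 (all interfaces)."""
    return [
        (s["port"], s["uid"])
        for s in parse_proc_net_tcp(text)
        if s["state"] == TCP_LISTEN and s["ip"] == "0.0.0.0"
    ]


def skyagent_indicator(text, port=SKYAGENT_DEFAULT_PORT):
    """Return the wildcard listener on skyagent's default port, or None.

    A hit is an indicator, not proof: any process may bind that port, so the
    next step is to map the inode to a process (e.g. via /proc/*/fd) and
    inspect the binary.
    """
    for s in parse_proc_net_tcp(text):
        if s["state"] == TCP_LISTEN and s["ip"] == "0.0.0.0" and s["port"] == port:
            return s
    return None


if __name__ == "__main__":
    print("wildcard listeners:", wildcard_listeners(SAMPLE))
    hit = skyagent_indicator(SAMPLE)
    print("skyagent-style listener:", hit)
```

Because the report says the listener is reachable over the 3G interface, the `0.0.0.0` bind is the part worth alarming on; a loopback-only debugging port (row 1 in the sample) would not be reachable remotely. The inode in the result is what links the socket back to a PID on a rooted device or over `adb shell` with sufficient privilege.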

It sounds a lot more like a debugging tool than a malevolent program: a backdoor sitting in an obvious folder, with an easy default port and no encryption, that allows one to see system status and events, or run commands. Also, "We do not believe that skyagent could ever be invoked remotely".

Curious name for a "debugging tool", but maybe that's just me.

Typical debugging routines. It's fairly obvious some developer wrote this to troubleshoot devices and they forgot to remove it from the final golden master build.

This happens a lot, and there is nothing malicious about it. Now, if they had spawned this process from init and left it running on all phones leaving the factory, that would be another story.

OK yeah that's a bit creepy. I missed that part. Why do they seemingly absolve them of any suspicion earlier in the report? I still feel like we should trust the judgement of the reporters. They're taking a measured response to this.

You mean skyagent makes it easy to take screenshots on an android device? Sign me up!
