lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 18 Mar 2012 18:46:00 +0100
From: Jan Schejbal <jan.mailinglisten@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Android wipe unreliable

We have discovered that the "wipe" function on Android does not reliably
delete data on all devices. On a Nexus S running Android 2.3.6, we were
able to recover user data after running a "wipe" both using the "factory
data reset" from the menu and by wiping the device from recovery.

To recover data, the device must be rooted. This can be done after the
wipe by using e.g. the zergRush root exploit. (Note that the official
way which includes unlocking the bootloader must not be used - that one
does securely wipe the memory).

After rooting the device, the memory can be dumped using
   cat /dev/block/platform/s3c-sdhci.0/by-name/userdata
Move the dump to a PC by piping the cat output into nc, then recover
using any common recovery software.

This means that if a locked device affected by this is lost/stolen, it
is possible to access the data by first wiping the device (to remove the
screen lock), then rooting and recovering.

Note that we do not know the full range of affected devices.
Manufacturers may have made customizations that fix this, and Android
3.x and 4.x (Honeycomb/ICS, about 5% of devices) seem to have fixes
according to the code.

The Android security team has been notified.

Further details can be found in our blog post:
https://www.hatforce.com/blog/android/wipe

Kind regards,
Jan, from the Hatforce team

Hatforce (https://www.hatforce.com) is the first crowd-sourced security
testing startup world-wide. The services comprise web- and mobile
application pentests. Since its launch, Hatforce got extensive positive
feedback, especially from the Forbes magazine: "This service is stroke
of genius! [...] This is a great business concept and one that could
make a huge difference in how safe your application, and brand, is."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ