67

My Android (8.0) phone was pickpocketed from me yesterday. It was immediately turned off by the thief and when I tried to locate it using Find My Device it shows as offline.

As a programmer and a security enthusiast, I started to worry about what data can be vulnerable on the phone. I had a screen lock on but it didn't have full-disk encryption enabled (my bad, I know).

I saw on the internet that people can bypass the screen lock using fastboot and deleting some files, but does that only work for rooted phones, or am I vulnerable too?

I probably had USB Debugging enabled as I developed an Android app in the past and tested it on my device. However I remember that you must trust the computer before using it, so maybe this doesn't make my device more vulnerable?

My phone wasn't rooted though, so I believe that for the thief to bypass the screen lock they would need to unlock my bootloader which would definitely wipe my data.

I'm only worried about the data. If the only way to bypass the screen lock would be to wipe the data, then I'm ok.

What are your thoughts on this?

curiousguy
gtbono
  • Wondering how the thief even turned off your phone. Even older versions require the PIN to shut down the phone. Unless he removed the battery (if that is possible with your phone), he needs the PIN. And in that case, he has full access to your data. To specify, if your phone was unlocked, then no PIN is required for shutdown. If it's locked, then you need the PIN to shut it down. As you talk about the screen lock, I assume that your phone was locked and requires a PIN. – XtremeBaumer Oct 22 '19 at 14:21
  • @XtremeBaumer last time I checked on my phone no PIN or fingerprint was required to turn off, and even if soft shutdown would require such a protection, as far as I know, hard shutdown (keeping the button pressed for X seconds) doesn't. – bracco23 Oct 22 '19 at 14:30
  • @bracco23 I got a Samsung Galaxy S9 with Android 9. To shut down the phone I need to press the power button for a few seconds and then select "Shutdown". That is the only way to power off this phone. This does require a PIN (as I have a lock screen PIN configured) if the screen is locked. If the screen is not locked and I want to shut it down this way, then no PIN is required. Holding the power button for 10 seconds and longer has no effect at all. And to be honest, I have no idea what you mean with soft shutdown. Do you mean to lock the phone? – XtremeBaumer Oct 22 '19 at 14:39
  • @XtremeBaumer I refer to soft shutdown when you have to use the UI to shut down the phone, hard when simply keeping the hardware button pressed shuts it off, like it happens on all laptops. It seems like what you are referring to is [shutdown prevention](https://www.verizonwireless.com/support/knowledge-base-212922/), a security feature of Samsung phones to prevent shutdown in case the phone is stolen. I wasn't aware of it. – bracco23 Oct 22 '19 at 15:02
  • Ahh, I wasn't aware that it's Samsung only. I thought it would be a default Android functionality. In that case it's understandable how the thief could power off the phone. Thanks for clarifying! – XtremeBaumer Oct 22 '19 at 15:05
  • @XtremeBaumer my previous Sony was the same as a Samsung (when I turned it on with the screen broken to attempt data recovery I had to put it in a soundproof box for days), but my current phone (Blackview) will turn off if you hold the power button long enough. Definitely manufacturer-dependent. – Chris H Oct 22 '19 at 15:38
  • Plot twist: OP is the pickpocketer. >:O – Andrew Oct 22 '19 at 16:50
  • Put it in a metal box and it may as well be shut down (Faraday shield). The battery has to be worth at least $5 anyway, enough incentive to remove it. – mckenzm Oct 23 '19 at 23:45
  • Nobody has mentioned FRP yet. It's not trivial to reset a locked phone to a usable state. – whoKnows Oct 23 '19 at 23:51
  • Related on Android.SE: [Using ADB to change the screen lock](https://android.stackexchange.com/questions/51180). And regarding FRP, [How to bypass "Verify your account" (Factory Reset Protection)](https://android.stackexchange.com/questions/127739/how-to-bypass-verify-your-account-factory-reset-protection) – Andrew T. Oct 24 '19 at 12:53
  • Was there an SD card in your phone? If there was, and you chose the FAT32 FS (without encryption), reading its contents is trivial and most people have the necessary tools as well. – Nyos Oct 24 '19 at 19:56
  • Check [this](https://security.stackexchange.com/questions/189764/how-can-an-android-device-be-unlocked-and-how-long-would-that-take/194884#194884). – elsadek Sep 25 '20 at 21:36

8 Answers

47

A sophisticated threat actor could potentially try to exploit the Android Debug Bridge's authorization protocol by switching your phone's storage media to another same model phone with already active ADB/ADBD authorizations (based on HWID like the network chip's MAC address) and maybe some additional tinkering.

From then on, provided he knew how to get there, even an encrypted device might be under threat of full decryption, depending on multiple factors like OS version, startup default mode (lockdown or not), ADBD startup policies...

The key factor here is the fact nothing is encrypted and USB Debugging is enabled.

Essentially anyone with slight IT knowledge should be able to access everything in there.

I'm fairly certain your phone will get wiped and sold.

Protips:

  • No root.
  • No debug.
  • Latest updates.
  • Full device encryption.
  • Disable PIN/Fingerprint/Face unlock (Either completely disabled or lockdown-only disable)
  • Strong password.

*This should take care of the unfortunate event where your phone is not in your possession and not communicating through any channels (e.g. SIM removed, WiFi disabled).

Optional:

  • Tasker Automations in case you need to remotely wipe your communicating phone.
    • e.g. perform rm -f /storage/emulated/0/ when "X" message is received by text, effectively launching wipes from SMS/GSM instead of Data/WiFi
    • e.g. Launch camera silently to snap the person's face/geolocation
  • Keep an eye on Google's Find My Phone.

Last note: There is no current known exploit for ADB that would allow a bypass that I am aware of, and my post takes into consideration many "ifs", including possible exploits that are yet to be discovered (e.g. when checkra1n came out, it affected a lot of older versions, which in turn allowed other bypasses).

OakDEV
  • I agree that, phone not being encrypted, they could physically dump the memoria with the right tools. Other than that, I don't see show they could be domingo it con andy recentish pone (a bootloader exploit?). Would love to know the techniques used by the kids around you. – Ángel Oct 21 '19 at 19:37
  • @Ángel "I don't see show they could be domingo it con andy recentish pone" ... voice recognition / swype gone awry? – Michael Oct 21 '19 at 22:40
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/100200/discussion-on-answer-by-oaksecurity-can-a-stolen-android-phone-with-usb-debuggin). – schroeder Oct 23 '19 at 15:12
  • A very important clarification from the moved discussion is that this answer is for Android versions from 4.2.2 to 4.4.2, where adb could be used on a physical device by utilising [an exploit](https://labs.f-secure.com/advisories/android-4-4-2-secure-usb-debugging-bypass/) to bypass lock screen authentication. This was fixed in 4.4.3 and there is no known adb exploit to bypass the lock screen authentication for later versions of Android. Another important clarification is that adb permissions are based on public key encryption, not MAC address or other physical attributes. – bain Oct 24 '19 at 16:21
  • @bain No. Most of your comment is inaccurate. Please remove the comment (and mine also explaining it). 1. When I saw the HWID bypass, it was on a Nexus S or Nexus 1 device. 2. There was an ADB over WiFi vulnerability (2017) that also accomplished a device unlock and could be exploited in conjunction with another exploit which enabled (switched) ADB over USB to ADB over WiFi in an ADB shell. – OakDEV Oct 24 '19 at 16:34
  • @bain Also please provide evidence that HWID has never been used, either fully or partially, for ADB(D) authorization. – OakDEV Oct 24 '19 at 16:35
  • An ongoing discussion about this answer is being held in https://chat.stackexchange.com/rooms/100252/discussion-about-https-security-stackexchange-com-questions-219921 - please continue discussion about the content of this answer there, please. (And keep the argument civil and out of the main DMZ room, thanks!) – Thomas Ward Oct 24 '19 at 18:04
  • Please notice the conditional attributes with which I formulated my answer and be wary of absolutes. – OakDEV Oct 24 '19 at 18:10
  • Why `Disable PIN/Fingerprint/Face unlock`? – Zolbayar Oct 25 '19 at 01:22
  • @Oaksecurity "e.g. perform rm -f /storage/emulated/0/ when "X" message is received by text, effectively launching wipes from SMS/GSM instead of Data/WiFi" - I find this interesting; is there some tutorial where I can learn this? – Mister Verleg Oct 25 '19 at 11:47
  • @Peterverleg Download Tasker, you'll find your way. Pretty simple UI. – OakDEV Oct 25 '19 at 12:35
  • @Zolbayar Because they allow an attacker to unlock your phone. E.g. face unlock when you sleep or are unconscious. Same for finger. PIN is too easy to bruteforce. If your phone has a lockdown mode, these options are viable, but still present a risk (if your phone gets snatched when opened and SIM removed/WiFi disabled). – OakDEV Oct 25 '19 at 17:11
  • @bain this is mostly true. I'll update my answer accordingly. – OakDEV Mar 04 '21 at 14:37
28

Without full-disk encryption, your unencrypted data can be read without recovering the pincode. Enabled USB debugging definitely extends the attack surface, but it's not necessary for a determined and skilled thief.

But most likely, they will wipe everything and resell your phone to get the daily dose.

Alex Cohn
  • This is something I've been wondering: they can wipe it, through recovery and the like, right? If they do it then probably fine :) – gtbono Oct 21 '19 at 18:10
  • They will probably not bother to wipe it clean, just something that will be enough to persuade somebody to pay them. – Alex Cohn Oct 22 '19 at 20:40
  • How does having USB debugging have anything to do with this, since USB debugging requires the device to be whitelisted before it turns on and that requires the device to be unlocked? – Qwertie Oct 23 '19 at 00:52
  • Having USB debugging enabled means that there is one more active service running on your device, and this service listens for external events. There may be no known vulnerabilities for this service today, for the version you have on your device today. Both may change without notice. – Alex Cohn Oct 23 '19 at 18:31
21

Without the encryption, your data can be trivially read out using a flash adapter such as this one:

[Image: USB flash adapter]

Removing a flash chip is a 5-minute job on a hot air rework station.

Of course, this assumes that the thief decides that the data on your phone is worth more than they could get by wiping and reselling it. If you have an old inexpensive phone or it has suffered a lot (cracks on the screen / case, broken buttons, etc.) it makes data theft more likely.

Dmitry Grigoryev
  • I question whether a lower-value phone is more likely to be used in data theft. For one, a thief is likely either to be stealing for physical phones and be unprepared for hacking, or likely to be skilled at hacking and plan on doing that on all their phones. For another, someone with no credit and no accounts is likely to have a cheap phone, whereas someone who could have $100,000 transferred from their accounts without flags being raised sounds more likely to have a very nice phone. – prosfilaes Oct 23 '19 at 03:19
  • @prosfilaes The thief will be selling their low-value catch for $5 a piece to a hacker who will extract data from them. Many cheap phones belong to elderly but nevertheless rich people, or to poor people who might have rich relatives, and the data from the phone might help with social engineering. – Dmitry Grigoryev Oct 23 '19 at 06:20
4

Flash memory could be read externally by a very determined attacker, but probably a random pickpocket isn't going to bother. Full disk encryption would eliminate that possibility.

An unlocked bootloader would allow simply changing the device password from a recovery environment, but given that your phone's bootloader is not unlocked and bootloader exploits are rare, the worst they can do is wipe it and sell it. Some phones require bootloader unlocking to be enabled after unlocking the device, which should prevent even that. Furthermore, some phones will remember a Google account that they were logged into even after a wipe, rendering the phone useless to the thief even if wiped.

pbfy0
2

"I probably had USB Debugging enabled as I developed an Android app in the past and tested it on my device. However I remember that you must trust the computer before using it, so maybe this doesn't make my device more vulnerable?"

Android has had ADB authorization for some time (since Jelly Bean, RTM July 2012).

Source: New Android 4.2.2 Feature: USB Debug Whitelist Prevents ADB-Savvy Thieves From Stealing Your Data (In Some Situations)

Worried about an ADB-savvy thief stealing the precious data off your stolen phone or tablet? Well, Android 4.2.2 makes doing that a little harder now, with the addition of a USB debugging whitelist feature into the OS. The way it works is pretty simple - when you connect your PC to your Android device via USB, Android gets your PC's RSA key (an identifier token). In Android 4.2.2, when you have USB debugging enabled, this now causes a prompt to appear on connection, seen below.


The prompt asks you to confirm that you wish to allow USB debugging from the connecting PC, and allows you to add it to a whitelist such that the prompt won't ask you to confirm for that computer again. So, if a thief steals your phone (assuming you have a password / gesture / face unlock set), they won't be able to get all fancy with ADB and start dumping your personal data onto a hard drive. And that's good. Here's the message a potential thief would get from ADB upon attempting to list a connected device from an unauthorized PC ('offline'), and the message after that PC has been authorized ('device').

The security aspect of this feature relies on a few prerequisites, though, otherwise it kind of loses its usefulness.

First, you obviously need some kind of barrier to entry to the phone: if the thief gets the prompt, that doesn't do you much good. So, your lockscreen needs a password, gesture, or face unlock set up, so the prompt won't appear. That's easy enough, and something many people already do.

The next part may not exactly appeal to you, the Android-tinkering enthusiast. If your phone is rooted, has an unlocked bootloader, or is running custom firmware (e.g., a custom recovery like ClockworkMod Recovery), there's a good chance you've created a potential workaround for this USB debug whitelist, and that a determined data thief could still find a way to your precious information. We won't go into specifics, but suffice to say, if your bootloader isn't locked, the USB debug whitelist can effectively be nullified.

This is just one of a number of changes in Android 4.2.2.

There was a bug that could be exploited in Android versions from 4.2.2 to 4.4.2 to bypass Android's secure USB debugging; this allowed attackers to access adb prior to unlocking the device. This bug was fixed in Android 4.4.3.

bain
1

Android versions since 5.0 should encrypt your storage when you first set up the device and choose a password/PIN. Unless you specifically turned off encryption, this is likely the case with your phone. That said, there should be no easy way for the thief to decrypt your data partition without using brute-force techniques. If it's hashed with a value stored in the hardware's Trusted Execution Environment chip (and being 8.0 it probably is, especially if it's equipped with a fingerprint reader) then it's nigh on impossible.

Source: https://source.android.com/security/encryption/full-disk

weasel5i2
0

A fully patched Android 8 device can't be exploited just by leaving adb debugging enabled. ADB may run outside of the app sandbox, but it doesn't have root privilege. A vulnerability in adb can only grant the attacker the privileges of the adb shell. Also, the ADB daemon doesn't accept adb commands unless the adb client is authorised by the device, which requires a screen unlock.

What an attacker can do is go to either bootloader or recovery mode to reset the device, which will erase everything and lock the device with Factory Reset Protection, which requires your account credentials to unlock the device.

From Android 7 onwards OEMs keep the forceencrypt flag enabled in fstab, which by default encrypts your /data partition from first boot. So any flash chip programmer won't be able to read and clone your apps and apps' data.

defalt
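The protips in the first answer (no root, no debug, latest updates, full device encryption) and the forceencrypt and bootloader points in this answer can be checked on one's own phone before it is lost. The following is an added example, not code from the question or any answer: it reads a saved `adb shell getprop` dump (standard Android property names; both dumps here are constructed, and a real, already authorised phone would supply them) and reports which of those protections are missing.

```shell
#!/bin/sh
# Added example, not code from the question or any answer: audit a phone for the
# weaknesses the answers discuss (unencrypted /data, unlocked bootloader, USB
# debugging left on, debuggable build) from a saved `adb shell getprop` dump.
# Real Android property names; both dumps are constructed. Real phone: adb shell getprop > props.txt

# Dump 1: the situation in the question (Android 8, no encryption, adb enabled).
SAMPLE_PROPS='[ro.crypto.state]: [unencrypted]
[ro.crypto.type]: []
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.debuggable]: [0]
[persist.sys.usb.config]: [mtp,adb]'

# Dump 2: the same phone after applying the protips from the first answer.
HARDENED_PROPS='[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.debuggable]: [0]
[persist.sys.usb.config]: [mtp]'

# prop DUMP NAME: value of one property from getprop's "[name]: [value]" lines.
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# audit DUMP: one line per failed check; FINDING lines are actionable, INFO is not.
audit() {
    dump=$1
    case "$(prop "$dump" ro.crypto.state)" in
        encrypted) ;;
        *) echo "FINDING: /data not encrypted (ro.crypto.state): a chip-off or recovery read exposes it" ;;
    esac
    case "$(prop "$dump" ro.boot.flash.locked)" in
        1) ;;
        "") echo "INFO: build does not report ro.boot.flash.locked; verify lock state another way" ;;
        *) echo "FINDING: bootloader unlocked (ro.boot.flash.locked): the ADB whitelist can be nullified" ;;
    esac
    vb=$(prop "$dump" ro.boot.verifiedbootstate)
    case "$vb" in
        green|"") ;;
        *) echo "FINDING: verified boot state '$vb': system partition may be modified" ;;
    esac
    if [ "$(prop "$dump" ro.debuggable)" = 1 ]; then
        echo "FINDING: debuggable build (ro.debuggable=1): adb root is permitted"
    fi
    case "$(prop "$dump" persist.sys.usb.config)" in
        *adb*) echo "FINDING: USB debugging on (persist.sys.usb.config); confirm with: settings get global adb_enabled" ;;
    esac
}
# finding_count DUMP: number of FINDING lines (0 once hardened).
finding_count() { audit "$1" | grep -c '^FINDING' || true; }
echo "== as stolen"; audit "$SAMPLE_PROPS"; echo "== hardened"; audit "$HARDENED_PROPS"
```

The `persist.sys.usb.config` check is a heuristic; `settings get global adb_enabled` (run over an authorised adb shell) is the authoritative switch.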
0

Can a stolen Android phone with USB debugging enabled have screen lock bypassed?

Yes. And an Android phone without USB debugging enabled can also have the screen lock bypassed.

The details and the difficulty depend on what make/model of phone.

hft
  • This is a little misleading; it's not as simple as you make it sound. How do you propose such things can be done? – multithr3at3d Apr 07 '21 at 03:28
  • I didn't say it was simple. I said it was possible. Have you heard of a company called Cellebrite? – hft Apr 07 '21 at 21:12