Using implants for hacking phones
  • t3chn0ph1l3 February 1
    (Edit: Updated title for accuracy)

    Hello all,
    First post here, and I don't use forums much. (Usually strictly a lurker/troll/etc.)

    tl;dr: I was able to hack a phone with my NFC implant and another phone.

    I was reading a bit into this thread, and it got me thinking: What about the opposite? How could I use my shiny new NFC implant for hacking?

    So here goes.

    A rough outline of the use-case of using NFC for hacking:

    First was the implant, which is common enough of a conversation.
    (I'm using xNTi from dangerousthings)

    Attacker uses a special Linux distro ported to an Android phone to generate a malicious APK file for Android in one click.
    (This file listens to a specified IP address for connection/commands.)

    Attacker sets the connection IP address to the listening server, where Attacker would have an interpreter listening for inbound connections.

    Attacker uploads the file to some web server, possibly a self-owned web server or a free web hosting service.

    Attacker copies the malicious APK direct link over to the implanted tag and sets off to have fun.

    Exploitation is now as easy as asking someone to use their phone to make a call and hitting the chip to initiate a download. Install, and give the phone back*. (Payload running silently in the background.)

    (There are many factors dictating success here, like the funny look they'll give you when you're rubbing your phone on your hand, and the phone's security implementations like the newer Samsung Knox**, which will recognize and quarantine the malicious code. I haven't come across an NFC-compatible phone that has any sort of security on the tech.)

    Once installed, the server and the infected device establish a link and from there, the attacker can wreak some serious havoc.
    (Dump texts, call logs, pics, whatever. *Delete the downloaded APK file and clear the URL from history.)


    *If the attacker has some deft hands, the attacker may be able to delete the APK and clear the URL before giving the phone back without raising suspicion.
    ** The newer Samsung Knox will detect the generic payloads if you do not craft them all crafty like :P

    I've tested this on a few phones and it works great!
    If you have questions, ideas, etc. let me know, I'm all about freedom of information and I will tell you whatever I know.

    (Moving forward, I'm trying to create some shellcode that is small enough to be written to the chip for an ultra-small single-tap payload.
    If anyone knows of people fuzzing NFC for vulnerabilities, please let me know, or let them know I'm looking for them.)
  • actii February 2
    Real neat, not sure how useful it would be unless you are a spy. I just have one question, why? Welcome to the forum by the way.
  • IvoTheSquire February 2
    Question: what are the advantages of this over hacking with just the phone (assuming that it is possible)? I have no idea about computer hacking so just curious.
  • t3chn0ph1l3 February 2
    @actii Thanks! 

    Edit: Apparently I can't answer both questions at once haha

    The reason would be that I'm super into cybersecurity and finding loopholes in systems. The advantage of this approach is that it cuts out a lot of time where you might bring up red flags in the victim. Imagine asking to use a phone and typing away on their keyboard; they'll probably want to see what you're doing. This also requires you to remember the URL (which would be easier if you use a shortening service like tinyurl).

    Using the chip with the link on it circumvents a lot of potentially awkward interaction.
  • t3chn0ph1l3 February 2
    @IvoTheSquire I'm probably doing this wrong but it doesn't seem to be letting me reply directly to you.

    If you were only using the other phone, you could pull off the same procedure; however, it would require much more pretexting and technical prowess and has a greater chance of failure. (Maybe you could break their Bluetooth PIN, since nobody I've seen changes that.)

    An example of social engineering for exploitation:
    *see stranger on street*
    "Hey, I just got a call from my mom, she's in the hospital but my phone died before I got the room number, can I use your phone to call?"
    *victim hands over phone*
    /activate chip
    *Hold phone to head while loading webpage, maybe pretend to talk*
    *Tap install and swipe away notification*
    "Thank you so much!"

    Before the implant, you would have to develop some sort of pretext in order for the person to let you start hacking away and be ok with it.

    The reason phones are such a target is that most people don't update them very frequently, which leaves bugs like Stagefright available for use.

    Stagefright can infect other phones via text message.

    You can send texts from the phone once it's exploited, to all contacts, and send from those phones once they're exploited.
  • Umutof February 11
    Would you be able to provide the APK you used?
  • Lelouch March 27
    What distro did you use and what did you use to develop the payload? (unless you made it yourself).