How to hack Tesco’s Android Hudl

15 Aug 2014

This hack attack demo shows you how flawed the Hudl and its Rockchip are, and how to access and read from its memory, to grab passwords and other credentials.

Welcome to the Security Kitchen. My name is Ken and I’m going to be showing something we demonstrated at the Infosecurity Europe 2014 show earlier this year.

We’re looking at some issues with the Tesco Hudl. It’s a really cool device and only £120. You can buy this entry-level Android hardware from Tesco, but unfortunately with cheapness come some security problems.

Rockchip

The Hudl itself uses a Rockchip CPU; we’ve got a picture of one up here. This one is actually from a TVB device, which we stripped down. We didn’t want to strip down the Hudl as it still works. So what we’ve got here is the Rockchip. Now, there’s a big security flaw here. When you put the Rockchip into flash mode, in order to upload new firmware or to unbrick a device, you expect to be able to write to it. The problem with Rockchip’s flash mode is that you can also read from it. That means you can read memory from a locked device.

Here is my Tesco Hudl, one I prepared earlier, and the first thing to do is get it into flash mode. There is a bit of an art to this: hold down the volume up button and take a dibber (the end of a paperclip works fine) and insert it into the reset port on the back of the device. Hold it like that for a few seconds, then release the dibber, and then release the volume up button.

rkflash

There are a bunch of clever guys who’ve created a cool tool that lets you connect directly to the device over a micro USB cable, so I can work with it from a Kali image. The tool is called rkflash and you can get it direct from Sourceforge.

So now we can see that I’m talking directly to the device’s memory. The key thing here is the start of the user data partition. That address is where the interesting information is likely to be. I’m going to start reading now, by first giving the tool the address of that user data partition. To prove the point I’m going to read the first 1,000 bytes direct from memory and pipe them out to a temporary directory. Downloading the entire memory could take around two hours. Anyway, you can see that I’m already reading it. We’ll dump that into an image, which I’ve already mounted. So I’ve got my scrape, I’ve got the memory, and I’ve got it into an image so I can show the information that I’ve retrieved.

Find the password hashes

One of the easiest places to start is the system directory, and from there look for password hashes. And there we go: the hashed PIN for this Hudl. That password is hashed with MD5 and SHA-1, so you could crack it with Hashcat. Given that almost all PINs on these devices are numeric, it would not take long to crack.

OK, because it’s hashed there is some security here, so I’m going to look for something a little more interesting. I’m going to try and find the WiFi key, the WPA keys. There you go: we’ve got the WPA key, the SSID of the access point it’s associated with, and the pre-shared key is stored there in plain text. I think that is terrible. What can you do about this? Frankly, not a lot right now. We’d need to see a change in the way Rockchip handles its flash mode, which is down at the hardware layer.

At the moment the Hudl really isn’t suitable for holding any sensitive data; entering passwords into browsers, for example, is asking for trouble. If it’s stolen, PIN locked or not, someone can get all your data off it.