Vendors are shipping Android devices with open port setups that leave countless products open to attack.
The port, 5555, is at the heart of an Android feature called Android Debug Bridge (ADB).
This feature allows developers to communicate with devices remotely in order to control them and execute commands, and is generally used for diagnostic and debugging purposes.
While ADB has a very real and genuine use for developers, unless secured properly, ADB also paves the way for unbridled attacks.
It is down to vendors to make sure the port and ADB are properly secured at shipping, and by default, devices should not have ADB enabled. However, many companies are failing in this responsibility.
The problem is not new: security researchers from Chinese cybersecurity firm Qihoo 360’s NetLab noticed the lax security practice back in February.
The security researchers discovered that a worm, dubbed ADB.Miner, was exploiting the ADB interface to spread cryptocurrency mining malware and hijack victim devices for the purposes of cryptojacking.
Smart television sets and mobile devices were believed to be most at risk of the worm, which in only 24 hours managed to spread to roughly 5,000 devices.
Now, security researcher Kevin Beaumont has once again brought the issue to light.
Beaumont said in a Medium blog post that everything from US tankers to DVRs in Hong Kong and smartphones in South Korea has been left vulnerable by vendors.
“This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’ — the administrator mode — and then silently install software and execute malicious functions,” Beaumont says.
The researcher also noted that while root access should not be available in non-development builds, a bypass does apparently exist on some devices.
Unfortunately, threat actors appear to be well aware that this security oversight is so widespread.
It appears that thousands of unique IP addresses are scanning for the open port in any 24-hour window at present, with a massive surge in port 5555 scanning recorded from 1 February 2018.
“It is worth keeping in mind that because of Network Address Translation and dynamic IP reservations it is difficult to know the exact number of devices. But it is safe to say: ‘a lot,’” the researcher added.
Prompted by the renewed interest in the ADB issue, the Internet of Things (IoT) search engine Shodan has added the capability to look for port 5555. Indexing is still taking place, but the number of exposed devices has surged to over 15,000.
The majority of exposed devices are in Asia, including China and South Korea.
“These are not problems with Android Debug Bridge itself,” Beaumont said. “ADB is not designed to be deployed in this manner.”