Mobile and IoT device manufacturers continue to ship products with the Android Debug Bridge feature automatically enabled -- a dangerous default setting that enables potential adversaries to connect to these devices.
The ADB feature lets developers communicate with devices remotely, listening for traffic via port 5555. "This is highly problematic as it allows anybody -- without any password -- to remotely access these devices as ‘root' -- the administrator mode -- and then silently install software and execute malicious functions," warns infosec expert Kevin Beaumont in a blog post he published last week.
During the course of Beaumont's research, he found myriad devices left vulnerable by these risky deployments, including tankers in the U.S., DVRs in Hong Kong, mobile telephones in South Korea, and an Android TV device in an unspecified locale.
A recent look at Qihoo 360's Netlab data showed nearly ten thousand unique IP addresses scanning port 5555 during a given 24 hour window, Beaumont continues.
Last February, researchers identified a new threat in ADB.miner, a wormable cryptomining malware that abuses enabled ADB settings to spread in peer-to-peer fashion across multiple devices such as mobile phones, media players and smart TVs. Inspired by Beaumont's investigation, fellow researcher Piotr Bazydlo, head of the R&D Network Security Methods Team at NASK, reports that 40,000 unique IP addresses were found impacted by ADB.Miner on June 4 and 5 alone.
"Summing up, vendors need to not ship products with Android Debug Bridge enabled over a network -- especially when they are designed for internet connectivity," Beaumont concludes. "It places the customers in harm's way. Vendors who have done this should issue product updates to remediate the issue, and if automatic updates are not an option they should contact customers to ask them to update their software."