I recently ran across a simple issue in a number of Android devices, especially Huawei phones. Some devices have left input device files (located under /dev/input/
) world readable or writeable. To see your input devices you can read /proc/bus/input/devices
or you can observe events using the standard getevent utility.
Most devices with this issue left the touch screen world readable, leaving sensitive information like passwords, lock screen codes, and other inputs vulnerable to interception by any installed application. Many devices also left a number of other input devices world readable–gyroscopes, compasses, power/volume keys, etc.–but none of these appeared to be exploitable (most were available by just registering broadcast intents.) I did not investigate whether a world-writeable touchscreen input device would allow you to control the touch screen–if that were the case it would allow attackers to perform arbitrary functions on the phone.
Using a testing service I was able to compile an incomplete list of affected phones; however, I couldn’t determine if updates existed to fix any of these issues. The following devices left input device files world readable:
- Huawei Ascend II M865 (Android 2.3.6)
- Huawei Ascend Mate MT1-U06 (Android 4.1.2)
- Huawei Ascend G600 U8950-1 (Android 4.0.4)
- Huawei Ascend P6-U06 (Android 4.2.2)
- Huawei Fusion U8652 (Android 2.3.4)
- Huawei Honor 2 U9508 (Android 4.0.4)
- Huawei Honor U8860 (Android 4.0.3)
- Huawei MediaPad 10 Link (Android 4.1.2)
- Huawei MediaPad 7 Vogue (Android 4.1.2)
- Huawei Mercury M886 (Android 2.3.6)
- Huawei Sonic T-Mobile Prism U8650 (Android 2.3.6)
- Huawei Fusion U8652 (Android 2.3.4)
The following devices left input device files world readable and writeable:
- Coolpad 8150 (Android 2.3.7)
- LG Optimus L5 Dual E615 (Android 4.0.4)
- Samsung Galaxy S II GT-I9100 (Android 4.0.3)
More detailed list here.