◀ maker
 

Cerberus anti-theft – an exploit allowing you to access any device

cerbeus

You may or may not have heard of Cerberus, an anti-theft application for Android devices. Cerberus allows you to remotely control your device if it has been lost or stolen. Features include: locate and track your device, start alarms, get a list of recent calls, download SMS messages, take pictures, record video, record audio and much more – all of which is done discreetly without the “thief” knowing so you can track your phone down and attempt to recover it. Pretty cool, right? Now imagine if anyone could access your device and listen to your conversations. A security hole in Cerberus allows just that.You may think Cerberus is pretty secure. You have a username and password, which only you know, similar to Facebook and practically every other website out there with a login system. 99% of the time this is fine and accepted standard for authenticating yourself. The problem here lies with what’s going on behind the scenes. When you login with your username and password the Cerberus API replies back with a “device ID” which is a seemingly 15 digit randomly generated number, this id is then used in subsequent requests and used to “authenticate” you – that’s right, your username/password aren’t used past the initial stage. Upon further investigation it turns out that this number is your devices IMEI number.

Go To Source
comments powered by Disqus
17 Aug
Al Sutton @alsutton
RT @pof: Cerberus anti-theft - an exploit allowing you to access any device - http://t.co/uUrCnws7bW
17 Aug
Richard Minerich @rickasaurus
RT @killerswan: your weekly reminder that passwords are hard to get right: http://t.co/uCe4fyJt3a (and surveillance is a double-edged sword…