SuperSU and Magisk

SuperSU is a superuser access management tool for rooted Android phones. You can learn more about rooting here. It is very powerful and can extend the functionality of your phone by giving you more power as the user.

SuperSU is an app developed by Chainfire and is responsible for granting or revoking root access to the apps on your phone. Many custom ROMs have their own built-in root manager, and some work with apps like this.

To install it, you can either flash the .zip binary in recovery mode or install the app from the Play Store and update the binary through that. Both methods are fairly quick, but the app fails at times.

Once the installation completes, reboot your device and you can now grant apps root access with SuperSU.

As you can see from the images above, there are multiple apps that have been granted access and there are logs which show requests. You can also temporarily disable root in order to trick an app.

Another more efficient way to hide root from apps that refuse to run if they detect it is Magisk.

This app patches the phone’s boot image and makes root undetectable by apps that block it.

If it doesn’t work automatically, you can check apps that you want to hide root from. It is very effective and easy to install, as all you need is an up-to-date Superuser binary and the Magisk .zip file which you can flash.

As you can see, both SuperSU and Magisk can elevate your Android experience and give you control that you didn’t have previously.

MenloHacks @ Menlo School

Recently, my friends and I decided to attend MenloHacks, which took place at Menlo School in Atherton. We built an app called MusiTapp, which is designed to prevent distraction when doing your homework and to be an improved way to control your media.

It works by using the accelerometer to detect knocks on the table, just like our other app, Tapioca. We set one tap on the table to toggle play and pause, two taps to go one track forward, and three taps to go back a track. This was hard to implement because we needed to figure out a way for multiple knocks to register. Whenever we knocked once, the phone would automatically play or pause and not listen anymore.

To combat this issue, we set up a timer to detect the time intervals between the knocks that would reset every time an action was completed. After we got past this roadblock, our next step was to fine tune sensitivity, so we set up different number parameters for how hard we knocked on the table.
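The timer approach described above can be sketched as follows. This is an added example, not MusiTapp's code: the threshold, refractory and gap values, the action names and the sample trace are all assumptions made for illustration.

```python
# Added example: counting knocks with an inter-knock timer.
# All thresholds and timings below are assumed values, not MusiTapp's.
KNOCK_THRESHOLD = 2.5  # assumed spike size (m/s^2 above rest) that counts as a knock
REFRACTORY_S = 0.08    # assumed: ignore ringing this soon after a counted knock
MAX_GAP_S = 0.45       # assumed: longest pause between knocks of one gesture

ACTIONS = {1: "toggle_play_pause", 2: "next_track", 3: "previous_track"}


class KnockCounter:
    def __init__(self):
        self.count = 0
        self.last_knock = None

    def feed(self, t, magnitude):
        """Process one sample; return an action once a gesture has ended."""
        action = None
        # The timer: act only after MAX_GAP_S of quiet, then reset the count.
        if self.count and t - self.last_knock > MAX_GAP_S:
            action = ACTIONS.get(self.count)  # 4+ knocks map to no action
            self.count, self.last_knock = 0, None
        if magnitude >= KNOCK_THRESHOLD:
            if self.last_knock is None or t - self.last_knock >= REFRACTORY_S:
                self.count += 1
                self.last_knock = t
        return action


def run(samples):
    """Replay (time_s, magnitude) samples and collect the actions fired."""
    counter, fired = KnockCounter(), []
    for t, magnitude in samples:
        action = counter.feed(t, magnitude)
        if action:
            fired.append(action)
    return fired


# Constructed accelerometer trace: one knock (with ringing), then two, then three.
SAMPLES = [
    (0.00, 0.1), (0.10, 3.0), (0.12, 2.7), (0.30, 0.2), (0.70, 0.1),
    (1.00, 3.2), (1.30, 3.1), (1.50, 0.1), (1.80, 0.2),
    (2.00, 2.9), (2.25, 3.4), (2.50, 3.0), (3.00, 0.1),
]

if __name__ == "__main__":
    print(run(SAMPLES))
```

Because the action fires only after the quiet gap expires, a single knock no longer triggers play/pause before a second or third knock can arrive.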

Another feature we are proud of was being able to extract the song’s metadata and then have Android TTS convert that into speech and read it out loud.

We packaged all of this code into our Android App, which we designed according to material design.

We created two buttons, one to stop the service and one to start it. The help button takes you to a separate screen with instructions. To make it easier for the user, we also added a persistent notification so they can see if it's running and return to the app with ease.

At the hackathon, we won the award for best beginner hack. We got a $2000 Maker School scholarship and one year of Wolfram Alpha Pro. The Devpost is here: Menlohacks II Devpost.

We hope to add features such as IBM Watson text to speech as well as volume control. Also, we want to publish this app on the Play Store for everyone to be able to download it.

CIA Hacking Tools (Android/iOS)

Recently, internal CIA documents were leaked that show exploits and tools that they could be using to wiretap devices that we use every day. This data was uploaded to the WikiLeaks website under various different branches. The entire leak is referred to as “Vault 7” and contains many zero-day exploits, malware, trojans, and viruses created by them.

The various branches include the Embedded Development Branch (EDB), Remote Development Branch, Operational Support Branch, Automated Implant Branch, Network Devices Branch, etc.

Although there are various exploits for Windows, OSX, Linux, and Unix, this article will focus on mobile operating systems.

iOS-Only

Adderall – A tool designed for pulling files and retrieving kernel cache

ElderPiggy – Tool that can escalate permissions, giving root/sudo access

NightVision – Reads/Records device kernel data and memory

NightSkies – iOS implant that is installed with CrunchyLimeSkies

Mcnugget – Mission Control utility specifically for iOS implants

HAMR – Framework for browser based exploits

DRBOOM – Installer for implants up to iOS 8.2

Android-Only

Angerquake – HAMR related plugins to run remote exploits on Android devices

Orion – Remote exploit for Android devices

Freedroid – Tool that can escalate permissions, giving root/sudo access

RoidRage – Implant/Exploit for Android devices running 5.X (Lollipop) or lower.

There are many more exploits that I have not mentioned, but these are a few of the main ones. They just go to show how our data is always at risk, even from large-scale government organizations.

USB Killer

One new form of “hacking” is the USB Killer. This is a tiny device that is capable of frying almost anything with a USB port. It uses several capacitors to negatively charge from the device it is plugged into and then discharges all the power from a transistor at once. This entire process is looped until the device does not respond or give out power, which often takes less than 3 seconds.

The various capacitors can charge and deliver up to 200 Volts of negative power. They mainly target the data lines, which can often kill the power lines as well.

This attack has been proven to work on TVs, desktop computers, laptops, phones, and even on cars. The surge can often be enough to fry the logic board or motherboard, which can render the device inoperable.

Some manufacturers such as Apple are beginning to add hardware such as opto-isolators to their ports. This is a chip that uses light to physically separate two electrical circuits from each other. USB Type C also aims to solve this problem of electronic surges by requiring cryptographic authentication between the device and the host it’s being plugged into.

As of now, if you want to protect yourself, be aware of what you plug into your computer. If you find a USB stick lying around, don’t plug it in unless you are sure it’s safe. There is a new stealth USB Killer that looks like a regular USB drive, which can be very dangerous. In the end, USB Killers can be very useful for security experts to test networks, but they can cause serious harm if used improperly.