Full Report
Takeaway.com is an online food delivery service. The author of this post found an Android-based kiosk online for very cheap, so they decided to buy one. Their goal was a kiosk escape, using the system to perform the kinds of unintended actions an attacker would. After several dead ends, such as keyboard shortcuts, they found that Android will open apps automatically via NFC. So they wrote an NFC card with a particular package name and Android opened it! In their example, they launch the Android Settings app. They used Settings to enable the status bar and navbar, which makes it much easier to work on the Android device. Using a file manager app on the device, they were able to extract the APK from the device to reverse engineer it. They found that the code 14611 sends the device into a factory test menu and 59047 opens an app launcher, both of which are hardcoded. Using a male-to-male USB cable, it would be possible to connect via ADB, since the device runs a userdebug ROM in production. This would allow dumping the file system, overwriting the OS and many other things. Good jailbreak post!
Analysis Summary
# Tool/Technique: Exploiting Android Kiosk via NFC and Userdebug ROM
## Overview
This document summarizes the findings of an unauthorized escalation of privileges and capability expansion on a Takeaway.com Android-based food delivery kiosk. The primary exploitation technique involved leveraging Near Field Communication (NFC) to launch applications, followed by manipulating system settings and leveraging a pre-existing `userdebug` ROM configuration to gain deep system access, including root capabilities via ADB.
## Technical Details
- Type: Technique (Kiosk Escape/Privilege Escalation)
- Platform: Android (Appears to be Android 6, highly customized for kiosk use)
- Capabilities: Kiosk escape, enabling navigation bars, extracting installed applications (APKs), installing new applications, and enabling developer/debugging features.
- First Seen: October 2024 (Based on article publication date)
## MITRE ATT&CK Mapping
This attack primarily focuses on initial access and privilege escalation within a locked-down system.
- **TA0001 - Initial Access**
  - T1566 - Phishing (Indirectly, by using a physical device purchased, but the *entry vector* is physical/external configuration)
- **TA0004 - Privilege Escalation**
  - T1548.002 - Bypass User Account Control/Other Authorization | Bypassing Kernel Protection
- **TA0005 - Defense Evasion**
  - T1574.001 - Hijack Execution Flow: Component Object Model Hijacking (Attempting to use NFC/Settings to hijack intended behavior)
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Boot or Logon Autostart Execution for installed launchers/apps.
## Functionality
### Core Capabilities
- **NFC App Launching:** Writing a specific Android package name to an NFC card allowed the system to automatically launch the target application upon scanning, effectively bypassing the locked kiosk interface.
- **UI Re-enablement:** Launching the Android Settings app via NFC allowed the attacker to navigate to the kiosk menu and enable the **Status and Navbar**, restoring standard Android navigation functions.
- **File System Access & APK Extraction:** Using re-enabled navigation and subsequent file manager access (obtained via a second targeted NFC launch: `com.cyanogenmod.filemanager`), the attacker could browse storage, copy files, and install arbitrary APKs.
- **System Code Access:** Through hardcoded values identified in the system:
  - Code `14611` grants access to a **Factory Test Menu**.
  - Code `59047` grants access to an **Admin Menu** containing an app launcher.
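The NFC launch described above works through an NDEF record Android calls an Application Record: TNF 0x04 (external type), type `android.com:pkg`, payload the package name. The following parser is an added example, not code from the original post; it lets a kiosk operator read back a tag's raw NDEF bytes and report any record that would auto-launch a package outside an allowlist. The sample tag bytes are constructed inline (a URI record followed by an Application Record for `com.android.settings`, the app the post launched); the allowlisted package name `com.example.kiosk` is a placeholder.

```python
"""Inspect raw NDEF bytes for Android Application Records (AARs).

Added example, not code from the original post. Parses the NDEF record
header (MB/ME/CF/SR/IL flags + TNF), walks every record in the message and
flags AAR payloads that are not on an operator-supplied allowlist.
"""
from __future__ import annotations

TNF_WELL_KNOWN = 0x01
TNF_EXTERNAL = 0x04
AAR_TYPE = b"android.com:pkg"  # external type used by Android Application Records


def parse_ndef(data: bytes) -> list[dict]:
    """Split an NDEF message into records; rejects chunked (CF) or truncated input."""
    records: list[dict] = []
    i = 0
    terminated = False
    try:
        while i < len(data):
            hdr = data[i]
            i += 1
            if hdr & 0x20:
                raise ValueError("chunked records (CF flag) are not supported")
            short_record = bool(hdr & 0x10)   # SR: 1-byte payload length
            has_id = bool(hdr & 0x08)         # IL: ID_LENGTH field present
            tnf = hdr & 0x07
            type_len = data[i]
            i += 1
            if short_record:
                payload_len = data[i]
                i += 1
            else:
                payload_len = int.from_bytes(data[i:i + 4], "big")
                i += 4
            id_len = 0
            if has_id:
                id_len = data[i]
                i += 1
            if i + type_len + id_len + payload_len > len(data):
                raise ValueError("truncated NDEF record")
            rtype = data[i:i + type_len]
            i += type_len
            rid = data[i:i + id_len]
            i += id_len
            payload = data[i:i + payload_len]
            i += payload_len
            records.append({"tnf": tnf, "type": rtype, "id": rid, "payload": payload})
            if hdr & 0x40:  # ME: last record of the message
                terminated = True
                break
    except IndexError as exc:
        raise ValueError("truncated NDEF header") from exc
    if not terminated:
        raise ValueError("NDEF message has no ME record")
    return records


def aar_packages(records: list[dict]) -> list[str]:
    """Package names that Android's tag dispatch would launch for this message."""
    return [r["payload"].decode("ascii") for r in records
            if r["tnf"] == TNF_EXTERNAL and r["type"] == AAR_TYPE]


def audit_tag(data: bytes, allowed_packages: set[str]) -> list[str]:
    """Findings for a tag: every AAR package that is not allowlisted."""
    return [f"AAR would launch non-allowlisted package {pkg}"
            for pkg in aar_packages(parse_ndef(data)) if pkg not in allowed_packages]


# Constructed sample tag (not captured from the real kiosk):
#   record 1: MB|SR, TNF=1 (well-known), type "U", payload 0x01 + "example.com"
#   record 2: ME|SR, TNF=4 (external), type "android.com:pkg", payload package name
SAMPLE_TAG = (
    b"\x91\x01\x0cU\x01example.com"
    + b"\x54\x0f\x14android.com:pkgcom.android.settings"
)

if __name__ == "__main__":
    for rec in parse_ndef(SAMPLE_TAG):
        print(f"TNF={rec['tnf']} type={rec['type']!r} payload={rec['payload']!r}")
    print(audit_tag(SAMPLE_TAG, {"com.example.kiosk"}))
```

Reading tags this way is an audit step, not a fix: the record format is documented Android behaviour, so the durable mitigations remain disabling NFC on the kiosk or locking tag dispatch to the kiosk app itself.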
### Advanced Features
- **Firmware Analysis:** The attacker downloaded and analyzed the full firmware update package, identifying crucial constants, including the centralized update URL.
- **Root Access via Userdebug ROM:** The device shipped with a `userdebug` ROM, meaning that the ADB debugging and root-level access which would normally require rooting a production (`user`) build are available out of the box, allowing the filesystem to be dumped and the OS to be overwritten.
- **Physical Access Vector:** The potential to connect via ADB using a male-to-male USB cable (or soldering to test pads) is identified as the ultimate means to achieve root access due to the ROM configuration.
## Indicators of Compromise
*Note: As this is an exploitation technique rather than established malware, IOCs focus on the identified software artifacts and system interactions.*
- File Hashes: N/A (No malicious payload hash provided, only legitimate system files analyzed)
- File Names:
  - `com.cyanogenmod.filemanager` (Package name used to install a capable file browser)
  - `system.new.dat` (File extracted from the firmware image)
- Registry Keys: N/A
- Network Indicators:
  - Update Domain: `update[.]gronic[.]com` (Used for firmware distribution)
  - Communication Protocol: MQTT (Used for update URL communication, not exploited directly)
- Behavioral Indicators:
  - NFC tag scans triggering application launches (not default Android behavior).
  - Successful execution of system intents/activities outside the intended kiosk workflow.
  - Inputting hardcoded values (`14611` or `59047`) into designated input fields.
## Associated Threat Actors
This activity appears to be **single researcher/hobbyist exploitation** aimed at modifying or "jailbreaking" the kiosk, not attributed to organized cybercrime groups or nation-state actors.
## Detection Methods
- **Signature-based detection:** Not applicable without known malware payloads.
- **Behavioral detection:** Monitoring for unauthorized execution of system intents triggered by NFC broadcasts, or unexpected app installations on a kiosk device.
- **System Configuration Auditing:** Detecting the presence of a `userdebug` build configuration on a supposed production device.
## Mitigation Strategies
- **Disable Unnecessary Hardware/Interfaces:** Disable NFC functionality if not strictly required for the kiosk's intended operation.
- **Secure Build Configuration:** Ensure production devices ship with a `user` (not `userdebug`) ROM variant to lock down ADB access and SELinux contexts.
- **Restrict App Installation:** Implement strict controls (e.g., using Managed Device/MDM policies) to prevent sideloading of APKs via file managers or external storage.
- **Secure Input Mechanisms:** Restrict access to settings and diagnostic menus. Remove or change hardcoded access codes if they must remain present for serviceability.
- **Disable Debugging Features:** Ensure system properties that enable ADB are disabled or restricted in the production configuration.
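The configuration audit named under Detection Methods and the `user`-versus-`userdebug` requirement above can both be checked from a property dump (`adb shell getprop`, or a `build.prop` pulled from a firmware image such as the one the post analyzed). The script below is an added example, not code from the original post. The property names are standard AOSP system properties; the expected production values are assumptions based on AOSP `user`-build defaults, and both sample dumps are constructed rather than captured from the real kiosk.

```python
"""Audit Android build properties for a debuggable (userdebug) configuration.

Added example, not code from the original post. Parses `getprop`-style
`[name]: [value]` lines and reports every property that deviates from a
locked-down production `user` build.
"""
from __future__ import annotations

import re

# Expected values on a production `user` build (assumed AOSP defaults).
PRODUCTION_EXPECTED = {
    "ro.build.type": "user",          # userdebug/eng builds allow `adb root`
    "ro.build.tags": "release-keys",  # test-keys = signed with public AOSP test keys
    "ro.debuggable": "0",             # 1 permits adbd to run as root
    "ro.secure": "1",                 # 0 means adbd does not drop privileges
    "ro.adb.secure": "1",             # 1 requires RSA key authorisation for ADB
}

_GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$", re.MULTILINE)


def parse_getprop(text: str) -> dict[str, str]:
    """Parse `adb shell getprop` output into a name -> value mapping."""
    return {name: value for name, value in _GETPROP_LINE.findall(text)}


def fingerprint_variant(fingerprint: str) -> str | None:
    """Build variant from ro.build.fingerprint.

    Format: brand/product/device:release/id/incremental:variant/tags
    """
    try:
        return fingerprint.rsplit(":", 1)[1].split("/", 1)[0]
    except IndexError:
        return None


def audit_build(props: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing deviated."""
    findings: list[str] = []
    for name, expected in PRODUCTION_EXPECTED.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name} missing; cannot verify")
        elif actual != expected:
            findings.append(f"{name}={actual} (expected {expected})")
    # USB function list decides whether adbd is exposed on the cable at all.
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("persist.sys.usb.config enables adb over USB")
    # A fingerprint that disagrees with ro.build.type suggests a tampered prop file.
    variant = fingerprint_variant(props.get("ro.build.fingerprint", ""))
    build_type = props.get("ro.build.type")
    if variant and build_type and variant != build_type:
        findings.append(
            f"ro.build.fingerprint variant {variant} disagrees with ro.build.type {build_type}")
    return findings


def is_production_hardened(getprop_output: str) -> bool:
    return not audit_build(parse_getprop(getprop_output))


# Constructed sample dumps (vendor, build id and incremental are placeholders).
GETPROP_USERDEBUG = """\
[ro.build.type]: [userdebug]
[ro.build.tags]: [test-keys]
[ro.build.fingerprint]: [ExampleVendor/kiosk/kiosk:6.0.1/EXAMPLEID/1:userdebug/test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

GETPROP_USER = """\
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.build.fingerprint]: [ExampleVendor/kiosk/kiosk:6.0.1/EXAMPLEID/1:user/release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.adb.secure]: [1]
[persist.sys.usb.config]: [mtp]
"""

if __name__ == "__main__":
    for label, dump in (("userdebug", GETPROP_USERDEBUG), ("user", GETPROP_USER)):
        print(f"== {label} build ==")
        for finding in audit_build(parse_getprop(dump)) or ["no deviations"]:
            print(" -", finding)
```

In practice, run it against `adb shell getprop` output captured during device acceptance, before kiosks are deployed; a single non-empty finding on a supposedly production unit is the signal the Detection Methods section asks for.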
## Related Tools/Techniques
- **NFC Exploitation:** Using NFC to deliver payloads or trigger actions (similar to NFC phishing, but used here for legitimate Android intents).
- **Kiosk Breaking:** General techniques used to bypass lock-down software on Android terminals (e.g., leveraging IME switching, system settings access, or exploiting vendor-specific hotkeys).
- **sdat2img:** A known utility used to process Android firmware images.