RSA 2016 The official RSA phone app exhibitors use to scan delegate badges contains a hardcoded password allowing the vendors to access the full features of the device, says Bluebox Security's Andrew Blaich.
Vendors at the San Francisco mega-conference expo hall were handed Android Samsung Galaxy S4 phones locked into kiosk mode and intended for use as scanners of delegates' badges.
Lead security chap Blaich tinkered with the app downloaded from the Play Store to power the scanners and found a hardcoded admin password within the software's code. With that password, an attacker could gain control of the phones.
"Using this password an attacker could gain access to the app’s developer mode, root the device, pull any data off of it, or install malware to steal even more data." Which is a bad thing when the phone is used to scan badges that link to a database of security conference attendees.
"If you develop an app, it's usually a best practice to not leave a hardcoded password in your code," Blaich says.
"Just because an app is being used for one of the world's largest cyber security conferences doesn't automatically mean it's more secure."
The password found within the app's code allowed the hackers to access the app’s settings. From there they tapped into the phone's system settings, and were able to activate developer mode opening complete control of the handsets.
Blaich reckons the hardcoded password is a fall-back mechanism in the event the administrator custom passcode is lost.
The app should have contained a defence mechanism that could have detected the activation of developer mode and sent administrators an alert.
That said, the researchers add the security gaffe is "par for the course" in app development.
Blaich's find follows another delegate's revelation that it's possible to clone the RSA badges into other NFC devices, an exploit demonstrated by taking the user identification number and implanting it into a hotel towel. ®