SecureWorld News

RSA 2016: Need Proof of Cybersecurity Fails? Look at Your Conference Badge

Written by SecureWorld News Team | Wed | Mar 9, 2016 | 6:17 PM Z

We knew this would happen, didn't we? Security flaws discovered at the annual RSA conference in San Francisco. When thousands of security professionals gather, of course someone is going to search for ironic flaws in the conference itself. It turns out that Bluebox Security didn't have to look far; they just had to glance down at the badges hanging around their necks.

"If you develop an app, it's usually a best practice to not leave a hardcoded password in your code," reads a line from the Bluebox Security blog that sums it up pretty perfectly.

The researchers made the discovery after exhibiting vendors were issued a Samsung Galaxy S4 Android phone locked in "kiosk" mode. The device was meant to help vendors keep track of booth traffic and potential leads by scanning attendees' badges. The kiosk app was supposed to unlock only for administrators who knew the password. There was just one problem.

"After finding the third-party, kiosk mode-enabling app on the Google Play Store, we downloaded a copy and reverse engineered it. We wanted to see if there was an easily found bug or attack vector to get into the device's system settings. Much to our surprise (to gain access) and also frustration (for app security), we found a default password embedded in plaintext in the kiosk app's code. When we used that passcode we were able to gain access to the kiosk app's settings. This, in turn, let us gain access to the device's system settings, which then enabled us to put the device into developer mode to gain full access to the device," research from Bluebox reads.
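As an added illustration, not code from the Bluebox write-up or from the kiosk app in question, the Python below does two things. First, it scans decompiled source lines (constructed here for the example) for the pattern Bluebox describes: a credential stored as a string literal, whether as a field assignment, as the default value of a preference lookup, or as a literal compared against user input. Second, it shows the alternative the blog's best-practice line points at: verifying an administrator password against a salted PBKDF2 hash that is set at provisioning time, so that an unprovisioned device has nothing to fall back on and a reverse engineer has no default to find. All identifiers, regular expressions and sample lines are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re
from typing import List, NamedTuple, Optional

# Identifier fragments that usually name a credential. This is a heuristic:
# "pin" will also hit words such as "spinner", so findings need a human look.
_CRED_WORDS = r"(?:password|passwd|pwd|pin|secret|token)"

# Three shapes a hardcoded credential commonly takes in decompiled Java:
#   1. a string literal assigned to a credential-named field or variable
#   2. a SharedPreferences lookup whose *default* value is the credential
#   3. user input compared with a string literal via equals()
_PATTERNS = [
    ("assignment",
     re.compile(rf'\w*{_CRED_WORDS}\w*\s*=\s*"([^"]+)"', re.IGNORECASE)),
    ("preference-default",
     re.compile(rf'getString\(\s*"\w*{_CRED_WORDS}\w*"\s*,\s*"([^"]+)"\s*\)', re.IGNORECASE)),
    ("equals-literal",
     re.compile(r'\.equals\(\s*"([^"]+)"\s*\)')),
]


class Finding(NamedTuple):
    line: int
    kind: str
    value: str


def find_hardcoded_credentials(source: str) -> List[Finding]:
    """Scan decompiled source text line by line and report literal credentials."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for kind, pattern in _PATTERNS:
            match = pattern.search(text)
            if match:
                findings.append(Finding(lineno, kind, match.group(1)))
    return findings


# Constructed sample of what a decompiler might emit; not the real kiosk app's code.
SAMPLE_DECOMPILED = """\
package com.example.kiosk;
private static final String DEFAULT_ADMIN_PASSWORD = "changeme";
String pin = prefs.getString("admin_pin", "0000");
if (entered.equals("letmein")) { openSettings(); }
String label = "Scan badge to record lead";
String pin = readPinFromProvisioning();
"""


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Return a self-describing PBKDF2-HMAC-SHA256 record: algo$iterations$salt$hash.
    The record is what the app should persist after an administrator sets the
    password during provisioning; the plaintext never lives in code or storage."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: Optional[str], candidate: str) -> bool:
    """Check a candidate against a stored record in constant time.
    An empty record means no administrator password was ever set; the only
    safe answer is to deny, because there is deliberately no built-in default."""
    if not record:
        return False
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_DECOMPILED):
        print(f"line {finding.line}: {finding.kind} -> {finding.value!r}")
    record = hash_password("set-at-provisioning")
    print("correct password accepted:", verify_password(record, "set-at-provisioning"))
    print("guess rejected:", verify_password(record, "changeme"))
    print("unprovisioned device rejects everything:", verify_password("", "changeme"))
```

On the constructed sample the scanner flags lines 2, 3 and 4 and leaves the harmless string on line 5 and the provisioning call on line 6 alone. Run against real decompiler output it will produce false positives (any identifier containing "pin", any equals() against a literal), which is acceptable for a triage pass: the point is that a literal credential is easy to find mechanically, so it is equally easy for whoever downloads the app from the Play Store.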

Well, that's not comforting. As Bluebox pointed out, if they can do this with such ease, a criminal can too. Luckily, no data is known to have been stolen, but the issue highlights the broader problem of mobile application security.