Topic: Hacking a Samsung S3 to recover a Bitcoin wallet (Read 531 times)

This is quite a story, I believe the reason why they could even gain access into the phone was because the phone is a very old one, and its security components are not as updated as the phones that are being produced nowadays.
This made me remember an experience I had with Samsung A30, a friend of mine bought the phone from someone he didn't know, after resetting the phone to its factory mode, the phone became totally unusable, it was asking my friend to sign in with the email and password that the first owner registered the phone with, my friend did not know the email address neither does he have a clue what the password is, he had no means of contacting the person he bought the phone from, he later brought the phone to me, me thinking the issue was minor decided to buy the phone from him, I thought a simple flashing and reinstalling the phone OS would fix the problem, but surprisingly, after several flashes and reinstalling the phone's operating system, the issue persisted, I later contacted an engineer who after checking the phone, told me that the phone is permanently locked and its only the first owner who has the key to unlocking it.

And also would add that we all should learn to follow our investments up, don't just invest and abandon it, i believe that if the guy in the story followed the his investment up, at least, checking on a monthly basis, he would have be able to get his Bitcoins from Bit Blender before they shut down.

I think that modern biometric passports all contain 3d scan of human head and eyes, so if anything would to happen with that documents you know what would happen, and we all know how (un)professional governments can be for security citizens private information.
Simple hacker attack could gain access to all data, and I think China recently had one major leak with all information from millions of people being sold online.
Biometrics can be copied.

There is Forbes video from 2018 showing that 3d printed head model worked for unlocking smartphones:
https://www.youtube.com/watch?v=ZwCNG9KFdXs

I know, and I was talking about overall security, not just about bitcoin sats.
Problem is that once your biometric data is leaked you can't unfix it, unless you make drastic plastic operation, or making something stupid with your body like Black Alien Project did (search that term on youtube).

Yes, but as you can see, 3D printing someone's head in a fairly accurate and to-scale way is a lot more involved than someone might assume (e.g. assuming a printed image suffices - a lot easier to acquire and produce).

Of course, nobody should store a big percentage of their wealth on a mobile phone in general, but I do think that Bitcoin's purpose is to be used and that using it through a mobile phone makes it most accessible for the vast majority of people. So holding a 'wallet-sized' amount on a mobile phone directly or on a hardware wallet that you use with a mobile phone, would be something I endorse, as I like to see Bitcoin be used and not just stored for decades.

In the rare case that you are the victim of a targeted attack (i.e. whoever steals your device has access to a 3-dimensional model of your face or a picture of your fingerprint), for one, you have a bigger issue on your hands than worrying about a few sats, and secondly you can go home, take your seed words, and may be able to sweep the wallet before the attacker manages to do that first.

It's not really that hard to trick those biometrics, both for fingerprint and for face scans even for newer smartphone models.
I could come up with few ideas using right materials (3d printed head comes first in my mind), and I even saw bunch of cases on internet with new phones being unlocked by twin brothers/sisters, so it's far from perfect.
I don't like biometric protections and I wouldn't suggest them for smartphones or hardware wallet protection.

It depends heavily on the implementation. I remember years ago when the first smartphones added face unlock, it was indeed possible to unlock them with the user's profile picture from a social media account, even without printing it on paper.
Nowadays, at least on iPhones, you do need a three-dimensional model of the victim's face, since it's not just a picture match, but infrared dots are projected on the face, which allows the device to map the 3d texture of whatever is held in front of it.

As for fingerprint locks, I've been reading for years that this protection can be bypassed very easily, without having to cut off someone's finger or something similar. However, you need a picture of the victim's fingerprint and some glue.


When it comes to hacking protection using facial recognition, experts say that in most cases it can work with a simple photograph of the victim. In most commercial software, the technology is not so advanced that it can distinguish between a living person and a photo.

I was wondering, how easy could it get years from now to bypass a fingerprint or face scan?  I still think the safest and most secure one is by using a password instead of PIN, face lock, fingerprint or pattern.  A strong password seems the safest option for both long and short term.  Plus, I had even extremely long passwords on my phone's lock screen before and after a few days, at most weeks, you get used to typing it out really fast if you wish.

Unless a backdoor exists (I remember there was a story about FBI breaking into iPhones years ago?) or some vulnerability that makes even the strongest password an easy break through.

-
Regards,
PrivacyG

Yes, be extra extra careful with any 'hacking tool' or 'unlocker' type software in general. In most cases, what's going to be hacked (if anything) is your own machine.

There are even reports about legit / real hacking tools being reuploaded with trojans in them:
Hackers are getting hacked via trojanized hacking tools

I know that, but I was talking about proper Chinese brands like OPPO, Huawei, Meziu, etc.

Let's just say that if you are involved in any kind of criminal activities, you shouldn't carry your smartphone with you when you are spending time with or talking to your criminal syndicate. And consider everything you have ever stored on your phone as retrievable in many cases. 

Based on the image from your source the UI is different from what I used before and the tool that I used before only supports Samsung phones and no Chinese phones the UI background is black and only has 3 buttons that exactly what I remember I got them from repair phones/mobiles forum or maybe in XDA forum.


I think yeah he knows the easier way based on his video he is using the medusa box which is a well-known tool for phone technicians I don't think if it's hacking that's the normal use for that box and can be bought for around $40 to $50.

This is the only way he could make longer promotional video like this
I am sure he knows about easier way to break into phone but since he didn't find $6M like in his clickbait title, he needed to create some drama.

Hahaha so much about security and safety for your super-smartphones   and btw all phones are manufactured in China.
I bet someone created similar one-click software for breaking regular pins and passwords, and you can only imagine what real hackers and gov agents have in their toolboxes.
I have few old chinese smartphones and I may test if pattern breaking works for them.

I searched around a bit and I did find a software with that name. One Click Pattern Unlock v3.0.2 seems to be the newest version. Could it be that one? I don't recommend anyone to download or install the software on the below links unless you know what you are doing! I am just posting it as a reference. Use it at your own risk!

https://firmwarecare.com/one-click-pattern-unlock-v3-0-2
https://cruzersoftech.com/one-click-pattern-unlock-tool-v3-0-2-free-download-working-100/

There is also a YouTube video that shows how a similar software works but it's mostly for Chinese brands. However, Samsung is also on the list.

Actually, you don't need to root the phone you can use a tool/software that can bypass patterns temporarily without data loss.

I have experience with my old Samsung phone before it can easily bypass using a tool I can't remember the name but they called it a one-click pattern removal tool. It was an old tool since 2015 and it is very useful for temporarily bypassing patterns. But the only problem is it is not permanent every time the screen is off the pattern will popup again.

The only problem with Joe is he did disassemble the unit and make some jumper it could be for tx, rx and gnd or jtag pinouts to directly have access to nand/emmc data. But it's too much work compared to using a one-click pattern for removing the pattern temporarily and then you can able to do what you want to like accessing the wallet and then back up the wallet.

If you root your phone, you may be able to dump all data partitions to a desktop/laptop.
Then, later, you can scan these partitions with keyhunter to recover private keys.

For attacks like this, where memory is copied directly out of the device, what matters is if the data is encrypted. I have no idea whether the Mycelium application encrypts the seed with the password or if it's just a protection to be able to open the app, with the seed still stored unencrypted on disk.

According to Walletscrutiny, Mycelium provide reproducible open-source builds, so this is something that can be checked in their code.

As long as Windows 10 and 8 are still supported by Microsoft, they should all get the same security updates. After that, the old versions indeed, automatically become less secure. For instance, ATMs still running Windows XP are a big security concern and some banks pay insane sums of money for Microsoft (or other companies) patching XP for the latest vulnerabilities.

Also, newer operating systems will get new security mechanisms, such as I've shown with iOS and Android introducing ASLR at a certain point in time, which automatically makes anything older, less secure due to just not having ASLR.
The other two points don't relate to security, but privacy and serviceability which are different topics. I prefaced my previous statement by saying that security and privacy don't always (have to) go in tandem.

Oh absolutely! I love clean, open source machines with as little bloat as possible, too; just like simple vehicles without unnecessary loads of electronics in them. But again, that's another topic.. But operating systems do get more secure (big picture) overall. What else do you think security professionals were doing in the last 10 years?

I was not speaking literally, and I was saying that releasing new things doesn't mean they are better in any way.
Companies often release new consumer stuff every year only for profit and not for improving security, privacy and anything else.
Just compare computer processors from 2012 to 2022, you only have two or three serious jump in performance/security, while all the rest are only cosmetic changes.
As for Win11 I could argue that security is also lower on Windows 11, than on older windows or linux operating systems, because you can't disable some hidden services that are enabling backdoor access, but that's a different topic.

Joe is the hacker. The client who forgot his swipe patterns is Lamal or something like that. But anyways, yes it would be safer. Besides breaking the gestures pattern, Joe would have to find a way to bruteforce the wallet password and I doubt he would succeed with that unless Jamal used something like 1234.

As you said yourself, those are privacy concerns, not security concerns. A security concern would be someone finding a vulnerability in the OS to break into your PC, online accounts, or anything else on your computer due to vulnerabilities in your Windows installation. Microsoft and other third parties spying on you is bad for privacy, but it doesn't necessarily make your security worse. If Windows 11 is also worse in terms of security than Windows 10, that's a different topic.

Ok, so we know what is not safe to use, but what exactly smartphone models would you suggest to average Joe who cares about privacy?
Maybe there are some extra steps anyone can do to improve security, maybe using Google Pixel or some other smartphone with custom ROM or what?

Ok, let me give you few examples that are not directly connected with smartphones but can be applied for them as well, do you think that Windows 11 is more secure than Windows 10 or Windows 8 OS?
- I think that each new windows os is worse and it provides less privacy than previous versions.
Second example, do you think that modern laptops are better and more secure than proven older modular laptops?
- New laptops are mostly not modular, you can't replace or fix anything yourself, and they are made from cheaper materials.

New stuff is not always better, and it often times just opens a big new can of worms after each new releases.
Yes I know Linux OS doesn't mean something is safe, but I just want clean open source stuff without extra crap on top.

Would in this case not be a lot safer if Joe had his Mycelium wallet locked by a very strong password?  I personally have my phone locked with a pretty easy password for quick access, but all my Cryptocurrency apps are secured with very strong passwords so in case my phone is ever stolen, they can get some data off it but not my wallets.

Also.  We have to take something into account.  What is today safe may not be safe tomorrow.  We have way too many examples of things that used to be considered safe but later on were found to have crucial security flaws.

-
Regards,
PrivacyG

It's not just about fixing bugs; these are actual completely new security mechanisms that can kill whole 'families' of attacks and make certain things completely impossible.
Do keep in mind I wasn't comparing smartphones (basically small computers) to 'dumb phones'; obviously, if your phone doesn't even have an internet connection, and no way for users to download and / or install things, it massively reduces the attack surface and also the attractiveness for an attacker. I think that's pretty obvious.
But it's just a fact that a modern (2022) smartphone will be more secure than a 2012 smartphone.

Regarding Linux on mobile: do keep in mind that 'open source' doesn't equal 'secure'. It's a fallacy I come across often in 'Linux circles'. There are papers and studies about this, that have shown how a mobile OS built from the ground up with sandboxing, secure boot with hardware root of trust and no built-in way for escalating privileges, running on an SoC is much harder to attack than a box-standard Linux install on a general-purpose laptop. So there is a tradeoff between privacy and security; privacy and auditability of the code doesn't equal security.
It's highly probable that Linux phones of today are less secure than iOS and Android devices.

Sure; PINs aren't that secure either, I'm just saying they are more secure than patterns in the real world, e.g. due to low-tech 'shoulder surfing' attacks being much easier.

I have spend 15 years in GSM reverse engineering and still continue.
S3 I9300 Exynos chipset base very first phone which that time was hot. data was not encrypted until android 4.1 released that's also optional.
Currently all latest android smartphones use FDE(Full disc encryption) so data is by default encrypted.
Apple devices X and older are considered unsafe & unsecure due to bootrom exploit.(data is encrypted but bruteforce possible for simple phone lock codes.)
Mediatek cpu base all phones are considered unsafe & unsecure due to boot rom exploit. (FDE can be dumped rpmb key can be dumped)
spreadtrum cpu also most used this days can be dumped if correct FDLs are available.

Some android vendor even use hidden signed message to unlock your phone via OTA . (everyone know this for FBI & NSA.)

They are possibly safer and they fixed some bug and flaws that was found in older devices, but in the same time they are opening bigger windows for exploits, because they are adding more stuff in new devices.
For example, old phones had simple function to call, receive calls and send/receive sms, modern smartphones have all kind of stuff inside.
Until I see actual everyday working smartphone with Linux OS, I will have my suspicions about them.
Custom ROMs are ok, but not there yet.

I didn't research this topic deeper so it's possible, but brute forcing PIN is not as hard as you may think, that is if you have correct tools and knowledge.
I just heard that Chinese government was hacked and millions of people information got leaked and it's selling on darknet forums.
If hackers can hack this, why would I think it's so hard to hack simple PIN code

It's important to discern between 'trust' as in 'trust that there are no backdoors and other shady stuff going on' and 'trust that the actual security is getting better'.
As for the former, I can't tell you any more than anyone else here. Regarding the latter, there is plenty of open, public evidence that newer smartphones are absolutely safer than older models. An example is the standard full-disk encryption that was added after the S3 era, which is an exceptional improvement and would have made Joe's attack impossible without a lot of extra steps.
Other aspects such as ASLR were also added to the majority of computers and phones in the last decade, which had a substantial impact on the level of difficulty required to perform various types of attacks.
Actually, if you 'trust' (refer to the first topic I touched upon) the biometric sensors on your device not to leak the data off the device, it's a good idea to use a strong alphanumeric passphrase and unlock the device with biometrics 99.9% of the time. In case you need it, you can use the passphrase similar to a seed phrase backup that is well protected somewhere.

There is actual research that proves gestures to be weaker than PIN codes. It sounds silly, but e.g. increasing the default length from 4 to 6 on iOS also made it substantially harder to brute-force PINs.

The ending was disappointing because of the recovered amount, but the steps that led to the coin recovery would be the same no matter the balance of the wallet. The $6 million number is partially a clickbait since he wants people to watch the video. No one would watch a hacking video titled how I hacked a Samsung phone and recovered $80 in Bitcoin. But the other reason for the title might have to do with the information he was given by the owner who believed that he had enough coins to be considered a millionaire. We saw how that worked out.     

This was interesting video to watch but spoiler alert, ending was very disappointing and title was again just a clickbait commercial self-advertisement campaign from Kingpin.
I guess he earns a living like this so I can understand him, but why saying fake $6 million number in the title  

I honestly didn't know how insecure gestures are, but I generally don't trust modern smartphones at all.
People think that newer smartphones are safer, but I think that opposite is probably closer to truth.
Using strong password for phones is not a great idea, unless you want to type it every time device gets locked, and that is time consuming and boring.
I don't think that PINs are much stronger than gestures, and I am sure most smartphones have similar hidden backdoors giving them easy access if you know what you are doing.

 

I am not sure how accurate this information is, but judging by the source, Samsung S3s aren't using data encryption by default. But they do have encryption software built in that allows users to encrypt user data and the content on SD cards. The owner of the S3 in the video surely didn't use these security features, which allowed Joe to copy all the data in unencrypted form.

Interesting! Since some people asked: this only works if the flash storage chip is not encrypted. Modern mobile operating systems encrypt the flash storage using various types of full-disk encryption, similar to DM-Crypt on Linux.
That's part of the reason why cold boot attacks are nowadays interesting, because they allow to read from RAM (where you can find unencrypted data and keys) instead of flash storage (which only contains encrypted data).

I'd add to the list: create backups of your mobile device. This may or may not help if the device PIN is lost, but it will help in case of device loss or destruction.
The great thing about mobile wallets and phone backups is that as long as you made a single backup after having created the wallet, you will be able to restore those funds.
Even though restoring a very old backup is often seen as useless due to losing all the recent data, if you can restore the wallet, it will obviously contain all of the coins; even ones received long after the backup creation.
I know; nothing groundbreaking, but a little interesting thought I came up with a while ago.

You're correct, today Android[1] and iOS[2] use encryption by default. With this method, he also need to figure how to decrypt the file or disk (depending on encryption method).

[1] https://source.android.com/security/encryption/
[2] https://support.apple.com/guide/security/encryption-and-data-protection-overview-sece3bee0835/web

At some moments it seemed to me that the owner was not actually the owner of that phone - because the swipe pattern was very obvious and simple and actually consisted of the initial letter of the owner's name (L) - and it is even more strange that the man does not remember anything at all, so the story about a possible $6 million turned into nothing more than the discovery of some dust.

As for hacking, I can agree that with enough time, knowledge and the right equipment it is possible to do almost anything - especially at the level that exists when it comes to state agencies that deal with it. One of the famous politicians/criminals from my country threw his smartphone into a fairly large river in an attempt to destroy evidence, but the phone was found and all data was saved - it seems he had a waterproof device

Luckily, that lack of security can be exploited for good as we can see from this particular example. If the swipe pattern security was impossible to break, the recovery would have never worked. Too bad that the final sum was such an insignificant one though.

---

What I find unbelievable is the fact that the owner totally forgot that he sent his coins to BitBlender. And why did he need to do that in the first place? He obviously knew nothing about Bitcoin even when he purchased it. Too bad.

This is a very interesting story of Joe. Joe really tried for the owner of the coins. Joe is a very good and expertise engineer (repairer) if not all the data of Samsung Galaxy S3 would have been gone forever. That is I advise people to store their seed phrase in hardware like washer or Coinplate or any other place which the keys can be stored. Keeping keys in a phone without backup is very dangerous. Because human being is not a computer that has already been programmed to always carry out a specific task without making a mistake. Human make mistake and forget How it started and where it ended. Just like the owner forgot how the swipe started and where it ended. I thank the engineer for recovering the money for the owner.
Making multiple backup of the keys is also good but that is also dangerous as well because you might keep a seed copy at a particular place and forgot to remove it from there and someone sees it and take. The person will use it to transfer all your coins.

Although impressive as @mk4 said it's an outdated OS on outdated hardware.
@NotATether is correct in that gestures as lock codes are insecure, but on more modern hardware and OS some things are not possible to be obtained as easily. Sometimes it's just better programming. As in the hash is generated based on a time when the phone is powered on for the 1st time. NOT on a predefined piece of information.

Think about it this way. In the old days you had a fairly easy to pick lock on your car and hoped that the annoying sound of your car alarm would stop someone from stealing your car. Then we got security keys, which helped somewhat but after a while they were defeated too. Now we have a RFID tag in the key and a separate transmitter and receiver in the key that has 2 way communication with the security module in the car. So the BCM (body control module) talks to one thing and the security module talks to another. Stops the more casual thefts but not the pros.

-Dave

How about Don't use gestures as lock codes in the first place?

I'm not kidding. Gestures are extremely insecure, not only from a user perspective where another bystander could look over your shoulder and remember the patten, but also from a cryptographic point of view.

This is how the hash of the gesture is made:


These numbers correspond to the dots on the pattern screen. Each number is converted to the byte representation from \x01 to \x09, concatenated together (this is what makes the algorithm vulnerable) then SHA1 hashed.

So when you move your hands down the first column, it combines 1 -> 4 -> 7 and hashes \x01\x04\x07.

It is extremely insecure because short and medium patterns can be brute-forced instantly, and long ones without too much of a hassle.

A 7 line pattern (say the greek letter Sigma, from 3 -> 2 -> 1 -> 5 -> 7 -> 8 -> 9 ->) has theoretically 9^7 combinations, but the actual number of combinations is much less because numbers can only connected to adjacent ones.

This means you'd get at best 9*5*3*5*3*5*3 combos (replace any of the 5's or 3's with 7 if use the center dot, the 5 and 3s can also be reversed, and if you only swipe diagonally along the edges you can replace the 3's with 5's) which amounts to no more than 9^2*5^2*3 (243*25, I'll let you do the math yourself but it is much less than 9^7. It means you can even brute force gestures on a CPU.

It is worth noting that 7-line gestures are less secure than 5-digit PINs, and even less secure than 6-digit PINs.

Do yourselves a favour and use passwords or if you must, PINs instead of gestures.

I have no idea really. But Joe likes to say that everything can be hacked if you give it enough time and resources. The data must be stored somewhere on the chip and is encoded in one way or the other. Either way it can be found.

A friend of a friend is an IT specialist and works for a governmental protection agency. I am not going to say which agency or which country. Anyways, his job is to retrieve data from phones, laptops, and computers from criminals who get their stuff confiscated from the police. One of the nifty gadgets he uses allows you to connect any modern phone and it's capable of retrieving all its data including SMS messages, apps, phone calls, deleted and non-deleted stuff, etc.. Don't ask me how or what, but the things are out there. It's just not available to regular folks or sold in stores. Professional encryption software would surely be a problem depending on what it is, but not that many people use that, especially on mobile phones.   

I assume this was only possible (the digging of the gesture keys) because of the Galaxy S3 being old and outdated security-wise, right? It's a 10 year old phone model. I assume modern smartphones are going to be a lot harder to break into.

After the Trezor One video, the hardware hacker Joe Grand posted a 2nd hacking video. This time he was working on a Samsung Galaxy S3 Android phone whose owner had forgotten the swipe pattern to unlock it. He thought he bought the coins in 2013, sent them to a wallet on his phone, and forgot about them for 7 years. The phone was configured to delete all data after 10 unsuccessful swipes. So once he finally gained access to it, the owner eventually gave up so as not to erase his data and wallet.    

Joe aimed to disassemble the phone and copy the whole personal storage from the chip to his laptop. From there, he wanted to figure out where the swipe pattern file was located. Joe plugged his cable into a connector and connected it to a debugging piece of hardware. But he couldn't establish a connection due to problems with the cable.

Since that didn’t work, Joe had to take the more difficult route, use a hardwired connection, and solder his own wires to the board. A total of 9 different connections were required. After some difficulties, it eventually worked, and Joe started copying the data from the phone.  

After the data was copied to the laptop, Joe started looking for the user partition for the personal data. He was interested in a system file called gesture.key. This file contains the cryptographic hash of the swap platform used on the phone. The hash can’t be converted back, but Joe had a list of all possible gesture combinations. He can run through these combinations to find the correct hash. He found the SHA-1 hash of the swap platform used on the phone.

Joe searched for the correct bites on his list and found only one match corresponding to the 2589 swipe pattern. So he reassembled the phone, powered it on, and the owner tried to unlock it with the 2589 swipe combination. It worked. They then opened the mycelium wallet on the phone and found only 0.003 BTC. A bit later, Joe was able to trace what happened to the owner’s coins. He purchased $400 worth of BTC in 2016, but a big part of it was sent to Bit Blender, which shut down in 2019. All in all, Joe recovered only about $2.000 worth of BTC.

• Never forget to make multiple physical backups of your recovery phrases so you can gain access to your crypto whenever you need to.
• Don’t be reckless with your coins, no matter how small the amount is. One day it can amount to something big.
• Don’t forget passwords, PINS, swipe patterns, and other important details that could cause a loss of money.

Source: https://www.youtube.com/watch?v=icBD5PiyoyI