ADB over internet should be disabled #18
Replies: 1 comment
Just to be clear, the T95 (or whatever model) is sending ADB commands to that address (10.13.x.x) on port 5555, correct? Additionally, you can't connect because it's set to the ADB port to 1 on the T95. Just wanting to verify, because if not and it's the other way around, check your router ASAP and check port forwarding. If you see port 5555 forwarded to an internal IP or vice versa, most likely the T95 IP, then your router has been compromised. Unplug your router so you can take a deeper look before doing so unless you have one of the combo modems/routers. In that case disconnect whatever cable is running to it for internet, coaxial or Ethernet usually unless you got fiber straight to your residence. Not trying to make you more paranoid, I just don't understand the full scope of the situation and who is trying to connect to what via ADB.

In order to connect to a computer on my LAN from the internet outside my LAN, there would have to be a rule on the router or firewall saying forward port 5555 to 192.168.0.66 if that was the IP of the Android device I wanted to connect to. Port 5555 should not be open on your firewall either because you would have to manually open it on the router. The only ports by default allowed on the router are SOME well known ports, like 443 for https, 80 for http, 21 for ftp. Just some examples and honestly port 21 may not even be open anymore, I don't know the port for ftps off the top of my head but 25 is SMTP. Port 22 is for SSH so no reputable router manufacturer is going to ship it with that port open.

There are really only a few ports that should be open unless you have made some rules, but if anyone can connect to your internal network over the internet using ADB, there is something at the router/firewall level allowing them to do so. That or they have somehow managed to set up a proxy server on your LAN. I find it unlikely but it's not out of the realm of possibility. I am also not a network engineer so take that with a grain of salt.
By default, there is no way to connect via ADB from the internet to an Android device on an internal IP on a certified Google device, especially a media streamer; a phone would have cell data, which would complicate things. Not without setting up port forwarding and opening the port, and that doesn't just magically happen. Now, with pre-loaded sophisticated malware that scenario changes fast. Hopefully I am not reading that right and the T95 is trying to connect to some IP from your LAN to somewhere on the internet. Still not good, but better than the scenario described above about someone trying to connect to your internal LAN from the internet. Especially if they can connect, which this malware does from my understanding.

I use ADB with Home Assistant to send commands like play or launch an app, so allowing ADB connections over the network is safe if done right. I can't access it externally, at least not without setting some stuff up on my router. You need an external URL (or external IP) but even then you need the Home Assistant Android app to connect to your HA server on your internal LAN. You can't open any Android ADB utility and connect directly though, because everything is going through port 443 with the HA app and then the internal HA server connects to my Android device. I apologize if you already know all of this, just trying to answer the best I can.

I can say for certainty that you can NOT connect via ADB over the internet without port forwarding and opening up a port, in this case 5555, the default port for ADB (which you can change as you already did). Also, I own one Android device that doesn't have a setting for "allow network debugging" like the NVIDIA Shield does. Enabling USB debugging still allows me to connect over LAN; you get a prompt on the Android device but it could be hidden by the malware easily.
Android should really have 2 settings, one for network debugging and one for USB debugging. Some Android devices have both, but not all do, and from my experience allowing USB debugging on an Android device that doesn't have a network ADB debugging setting in developer options allows you to connect over LAN (not WAN though). It should be a requirement IMO. One is way more of a security risk and it's obviously the one that involves a USB cable. If you disable USB debugging and delete all the sessions or whatever the setting is underneath it, that would take care of the issue on a non malware infected box, but they have root control and this seems pretty difficult to completely remove. It's also hard to determine what, if anything else, the malware did, which is beyond my knowledge. But we shouldn't block port 22 for SSH because with the proper keys and everything in place it would be "somewhat" secure to connect via SSH over the internet because some Android box somehow opened up that port or did something malicious like this does. It's certainly not good practice but people do it.

It does seem like the malware was more for clicking ads in the background and possibly just waiting to do a DDoS attack at some point, although it varied. The thing that sucks is I read a Wired article today about this and it mentioned this and 7 known infected Android devices, and I went to Amazon and 6 of the 7 were still up for sale under a different brand name but zero changes to the hardware. A lot claiming to do 6K... I'm wondering if parts of AOSP shouldn't be open, and I am all for open source software, but AOSP reskinned to look like a streaming box can have anything added or removed from the source code. Google has no say in that so they can't stop it either. It also looks like Android Auto is starting to be targeted... The Wired article is below and when I read this (which is totally different) I thought to myself some people deserve malware...
https://www.wired.com/story/android-tv-streaming-boxes-china-backdoor/

Then there’s what Human Security calls Peachpit. This is an app-based fraud element, which has been present on both the TV boxes as well as Android phones and iPhones, Reid says. The company identified 39 Android, iOS, and TV box apps that were involved. “These are template-based applications—not very high quality,” says Joao Santos, a security researcher at the company. Apps about developing six-pack abs and logging the amount of water a person drinks were included.
On the third line of the script is written:
Requires ADB Connection (ie: adb connect 10.13.12.11:5555)
This should NOT be a good idea; none of us know what they did to this Android ROM.
The root switcher is functional only for apps, not for adb (at least for my 10.1.X19 firmware); adb is always rooted.
So honestly I use adb over USB only and have modified /system/build.prop values:
service.adb.tcp.port=-1
Since port -1 can't exist, adb cannot be contacted (I have tested it).
@DesktopECHO What do you think about it?
Since a good firewall would prevent that, however, am I too paranoid?
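Added example (not part of the original posts and not the project's own code): a check for the `service.adb.tcp.port` setting discussed in the post above, followed by a socket test run from another host on the same LAN. It assumes stock AOSP adbd behaviour (read `service.adb.tcp.port`, fall back to `persist.adb.tcp.port`, listen only when the value parses to a port greater than 0); the build.prop excerpt is constructed and the function names are hypothetical.

```python
import re
import socket

# Order in which stock AOSP adbd reads its TCP port (assumption: unmodified adbd).
ADB_PORT_PROPS = ("service.adb.tcp.port", "persist.adb.tcp.port")

# Constructed sample; the last line is written as in the original post.
SAMPLE_BUILD_PROP = """\
# constructed build.prop excerpt
ro.debuggable=1
persist.adb.tcp.port=5555
service.adb.tcp.port =-1
"""

def parse_props(text):
    """Parse build.prop-style text into a dict, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def effective_adb_tcp_port(props):
    """Port adbd would be told to listen on, or None when the value disables TCP."""
    raw = ""
    for name in ADB_PORT_PROPS:
        raw = props.get(name, "")
        if raw:  # first non-empty property wins; the other is not consulted
            break
    match = re.match(r"\s*([+-]?\d+)", raw)  # leading-integer parse, like sscanf %d
    port = int(match.group(1)) if match else 0
    return port if port > 0 else None

def tcp_listener_present(host, port=5555, timeout=2.0):
    """True if something on host accepts TCP connections on port.

    The property alone is not proof: a modified adbd may ignore it, and stock
    adbd can fall back to its default TCP port when no USB transport exists.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print("configured ADB TCP port:", effective_adb_tcp_port(parse_props(SAMPLE_BUILD_PROP)))
```

Run `tcp_listener_present` against the box's LAN address after a reboot; a `True` result despite the `-1` setting means the listener is not governed by the property.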