THREAD: If you have a phones, whatever your phone model, an attacker with a physical access to your phone can capture your network traffic without your consent. Let me show you
![Image](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="675" height="1200"><rect fill-opacity="0"/></svg>)
8:07 AM 路 Apr 10, 2019Twitter Web Client
Conversation
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="73" height="73"><rect fill-opacity="0"/></svg>)
The Service Mode app is launched. You have already a lot of cool options:
- run dumpstate/logcat/modem log
- enable silent logging from boot
- media db dump
- enable seclog
- ...
1
36
95
Wait why these 3 buttons are in black?
Low battery dump, tcp dump start, IMS logger, it looks like cool things 
2
26
79
tcpdump is a command-line packet analyzer, it is use a lot to capture network traffic tcpdump.org
When I click on the "tcp dump start" button, a pop up appears. They implemented an OTP mechanism
3
23
88
Wait a second, my phone is not connected to Internet, so this OTP mechanism is a local mechanism. Time for some magic
GIF
2
20
94
I reversed the ServiceMode app and created a small proof of concept with the CheckOTP method.
![Image](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="680" height="586"><rect fill-opacity="0"/></svg>)
5
21
119
Now, I can run my POC, enter the key given in the pop up and hop tcpdump is running on the phone aka all the network traffic is captured
3
13
86
To retrieve the capture:
1. Click on "TCP DUMP STOP"
2. Click on "COPY TO SDCARD"
The capture is available in /sdcard/log/tcpdump/tcpdump_[interface]_[timestamp].pcap
3
10
72
New to Twitter?
Sign up now to get your own personalized timeline!
Sign up