Slashdot Mirror


Smartphones From 11 OEMs, Including Google, Samsung, HTC, Lenovo and Sony, Vulnerable To Attacks Via Hidden AT Commands (bleepingcomputer.com)

An anonymous reader writes: In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands, or the Hayes command set, are currently supported on modern Android devices.

The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE. They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions. These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

116 comments

  1. Oyyyyyy. by b0s0z0ku · · Score: 2

    Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

    1. Re:Oyyyyyy. by mikael · · Score: 4, Informative

      It's not just cell phone modems. PCMCIA cards for laptops have the same set of AT commands. Same with satellite modem cards that would allow a PC to connect with the various satellite networks. This makes the development and porting of device driver software easy. You just take a basic functionality driver and add the extras you need like support for SMS, reading cell phone tower/satellite signal strengths, making and ending calls, switching to data mode.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      "cheap phones for poors" makes you sound pretty poor yourself. Given that you can't even conjugate a proper English language sentence.

    3. Re: Oyyyyyy. by b0s0z0ku · · Score: 1

      iPhones/iPads likely use a baseband "modem" with the same set of commands. This is not a platform thing, this is a hardware thing.

    4. Re:Oyyyyyy. by Anonymous Coward · · Score: 1

      Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

      Because when connected to a computer with a serial cable, you can only speak to the chip over serial.
      Ethernet doesn't support dialing into another modem or faxing, and most all devices that use a modem to connect to the phone network don't have an IP or any address suitable for Ethernet framing to be sent to them.

      You would only dial #777 if you wanted to dial into Sprint by PPP
      You'd dial something different if you wanted to connect to a device with its own phone number.

      The AT command set is very expandable, so it lets the same PC-facing interface drive the cell modem for more modern functions than just dialup and fax.

      For instance your computer can send a SMS with just
      AT+CMGW="+11235551234"
      followed by a space and up to 160 characters before the CR.

      You should also probably be made aware of the fact you CAN buy cellular wireless bridge devices.
      They act as a wifi access point and bridge your default gateway traffic over the cell data network and out to the Internet. It's wifi not Ethernet, but close enough.

      Basically put if you didn't want a cellular dialup modem for your PC, you shouldn't have bought and plugged in a cellular dialup modem and instead purchased the proper device :P

    5. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Oh, I triggered a poor lol

      You sound like one of those morons that comments on wccftech.

      In fact, I'm pretty sure you are one of those morons.

      In any case, none of us on here are poor. Poor people live in places like India and various African countries.

      Here, we have so much free time we're commenting on articles about shit that doesn't even matter in the real world, using equipment that cost hundreds of dollars and makes use of our monthly network plan (whatever that may be).

      We're not poor, but some of us are fucking retarded, as you have proven.

    6. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      PCWHAT* cards? Those don't exist anymore. USB wireless modems are still controlled by AT commands sent through virtual serial ports. But modems are increasingly using (virtual) network interfaces at least for the data connection to the host, as the older virtual serial port interface became a bottleneck with fast 3G/4G mobile connections.

      *) People Can't Memorize Computer Industry Acronyms

    7. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      Meh, you need physical access, so honestly I'd file this under "potentially handy feature" eg for jailbreaking a phone.

    8. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      Because it is one?

      The AT commands need to exist to simulate modem and fax connections which is something you've always been able to do with USB and Serial-connected cell phones since the 90's.

      The issue is really that the AT commands are the actual interface into the modem radio. So it's entirely possible (if you've ever fucked around with actual dial up modems) to fuck up the modem's NVRAM so that it's never able to connect again. The cell phones talk to the serial end of the connection, while the actual radios do everything in the background. The AT command set is like a second VT100 terminal into the radio, rather than the only interface.

    9. Re:Oyyyyyy. by AmiMoJo · · Score: 2

      It's a non issue though.

      To exploit this an attacker would need to unlock and get root on the device. If they can do that you are screwed anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Oyyyyyy. by bferrell · · Score: 1

      I can show you "serial" ports that run at Gig+ speeds on routers. Serial ports aren't the bottleneck.

      The "network" interface those connections use is related to PPPoE. Nothing new got invented for data connections on the cellular network. You don't even want to know how data was handled on the AMPS network ( '86 and after ).

    11. Re:Oyyyyyy. by mikael · · Score: 1

      Maybe they have been replaced by USB dongles. But the command set is the same:

      https://www.developershome.com...
      https://www.sierrawireless.com...
      https://www.sparkfun.com/datas...

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    12. Re:Oyyyyyy. by Anonymous Coward · · Score: 1

      It's not a limit of the serial port as such but of the way data is shuffled to and from the serial port. It takes too much CPU time to do high speed serial communication with the abstractions designed for much slower connections.

    13. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      Sorry, I should have made this clearer: They use virtual network interfaces for the data connection, but not the control connection. In USB modems those are typically separate virtual endpoints, not multiplexed into one like on modems with actual serial ports. Anyway, this is all entirely moot, because it's not a protocol vulnerability: The AT command interface isn't the problem, just what the developers put into the command set. They could add the same outlandishly dangerous commands to any other interface.

    14. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      AT commands are mainly used to make the GSM module to the phone providencia, mobile networks are still basically phone networks and the module is basically a modem.

    15. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Thank you.

    16. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      For the GSM module, this is basically a modem.

    17. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      I am not sure what type of serial port, running at Gigabit speeds you have in mind ? Could you clarify?

      Most modern routers use Ethernet connections, I haven't seen a serial port on a router in the last decade. High speed serial ports could manage T3 speeds, but those were synchronous serial ports, not async ports as you have on your PC.

    18. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Many non /. readers plug their phone into any USB port they can find. On planes, at airports and festivals, in shops.

    19. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Serial ATA. Sata.

    20. Re:Oyyyyyy. by AC-x · · Score: 1

      Because when connected to a computer with a serial cable, you can only speak to the chip over serial

      Serial? You mean RS-232? Who connects to their phone over RS-232 any more? How do you even connect to a modern smartphone with an RS-232 cable??

      When I plug my phone into my computer over USB the phone gives me the option to tether via USB, which then presents the phone as a USB ethernet device and routes the traffic over that...

    21. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Because androids are cheap phones for poors, much like all Linux things.

      Hm.. why have I just spent 1000 dollars on a mid range android phone then, that offers functionality you would never find in an iphone?

    22. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Because you're a chump?

    23. Re: Oyyyyyy. by crypticedge · · Score: 2

      This is why you always use your own power block and USB cable. And don't buy cheap knockoffs of the real power blocks/docks.

      Or, get a few "power only" usb cables that are designed to block data transfers entirely.

    24. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      Because when connected to a computer with a serial cable, you can only speak to the chip over serial

      Serial? You mean RS-232? Who connects to their phone over RS-232 any more? How do you even connect to a modern smartphone with an RS-232 cable??

      When I plug my phone into my computer over USB the phone gives me the option to tether via USB, which then presents the phone as a USB ethernet device and routes the traffic over that...

      They may have meant Universal Serial Bus (USB), which is a serial port on a newer physical interface than RS-232, and can support speeds theoretically up to 10G

    25. Re:Oyyyyyy. by SandorZoo · · Score: 2

      Not on LG phones. On those, you can unlock the phone, send arbitrary touch events to do whatever you want, and access files in /sdcard, all with just a USB connection. Samsung are also somewhat vulnerable, but at least their screenlock can't be bypassed. However, the paper points out 28% of smartphone users do not have a pin, pattern, or biometric lock set. Also, Samsung allow phone calls to be made/answered using the AT commands even if locked.

    26. Re:Oyyyyyy. by squiggleslash · · Score: 1

      USB uses a packet based protocol, you don't talk to it with AT commands. There's an RS-232 profile, where you can have a device that either is or pretends to be hooked up using RS-232 talked to over USB (lots of USB modems use this, and that's how you'd use data on flip phones), but that runs over the native packet based system. USB is more like Ethernet than RS232 in terms of how software treats it.

      So essentially I have the same question as the GP, what are we communicating with in "serial mode"? I honestly didn't know smartphones supported such a mode. Is this internal to the phone itself, ie how Android communicates with the GSM hardware?

      --
      You are not alone. This is not normal. None of this is normal.
    27. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      Don't even need to go to a router, any pc and probably that phone has a SATA port which is serial and runs at Gig+ speeds

    28. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      It doesn't take any cpu time (unless the software is poorly written), every modern serial port has DMA options for dumping to and from the serial port without intervention from the cpu, it's been that way for 20+ years.

    29. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Yes, they do exist and are being used in modern products, the thing is that users do not need to see those.
      Most hardware still communicates using a serial bus... using a serial-like communication, software usually does not need to use that but those old things are still the bricks and cement of all hardware.

    30. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      PCI-Express slots are all serial ports. Most chipset connections are serial. Parallel died off when it became too difficult to keep all of the signals in sync. It's quite standard to use bonded serial lanes.

    31. Re:Oyyyyyy. by Anonymous Coward · · Score: 0

      Because when connected to a computer with a serial cable, you can only speak to the chip over serial.

      That's not quite true. You could emulate a USB Ethernet device and use that to talk to your phone.
      USB is not the same as serial. It's a serial *bus* not serial *cable*. The serial only refers to bits all going over the same cable. Limits the concurrent throughput but the logic is somewhat simpler as you don't need to keep multiple parallel cables in sync so that usually lets you run faster.

    32. Re:Oyyyyyy. by tlhIngan · · Score: 1

      Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

      Because a data connection is still attached like a dialup connection.

      Though to be completely correct, only voice calls and circuit-switched data connections traditionally use the "ATD" command. To establish a proper 3G+ connection takes another command to establish and tear down data contexts.

      The whole command set has been extended so much a dialup modem is actually a simpler use case to handle. But it's a very handy set of commands and generally standardized, which is why it keeps getting used.

      Once a data context is established, generally a PPP style connection appears on another virtual serial port and you send data through this virtual serial port.

      The actual data link can be a real serial port, to USB (usually CDC-ACM, or a custom bulk endpoint style link), or more modern PCIe allowing DMA of data to buffers, or if they're onchip units like a Qualcomm chipset, mailbox passing. Of course, this lowlevel mechanism in the end is used to provide a high level serial port view.

    33. Re: Oyyyyyy. by Anonymous Coward · · Score: 0

      Who is now poor.

  2. Let Me Guess by Anonymous Coward · · Score: 0

    ATDT 911

    ATX1D 911

    In the heady days of V92/Flex56 and even V.FC I trashed a few modems accidentally entering the "erase flash" command, maybe that is also a vulnerability, err "feature".

    1. Re:Let Me Guess by viperidaenz · · Score: 4, Funny

      +++ATH0

    2. Re:Let Me Guess by mykie242 · · Score: 3, Funny

      NO CARRIER

    3. Re:Let Me Guess by MachineShedFred · · Score: 1

      Nice. Back in the 28.8 and 33.6 days, that actually worked on most modems using Rockwell chipsets as they didn't have "guard time" between the +++ interrupt and taking a command. People could mass-dump people from IRC channels and such with that command (or worse - chain on a dial command for some long distance number / 911) until firmware updates came out to insert guard time.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    4. Re:Let Me Guess by Anonymous Coward · · Score: 0

      The command has to come from your own terminal to be recognized. And the guard time was introduced in the 80's, shortly after someone figured out you could post "+++ATH0" to a BBS message board to make the BBS hang up on everyone. But the time was configurable so I can imagine that some hardware went out with zero as the default.

      (Pedantic old guy.)

    5. Re:Let Me Guess by viperidaenz · · Score: 1

      That's why you used the IRC PING command, as the client you sent the request to would respond with PONG and the argument you sent them.
      Sending PING +++ATH0 caused their client to respond with PONG +++ATH0

  3. What about phones verified NOT affected by Anonymous Coward · · Score: 0

    that is a list I would be more interested in seeing. For now, it seems Nokia Android phones are the most secure, as far as Android goes.

    1. Re:What about phones verified NOT affected by Anonymous Coward · · Score: 0

      That would be a list of phones not tested.

      Even LineageOS makes the list.

    2. Re:What about phones verified NOT affected by Anonymous Coward · · Score: 0

      Wrong part of the firmware. The "modem" partition isn't modified when you install LineageOS. This part of the firmware is highly hardware dependent, closed source and runs separate from the "OS". There are several processors in a phone and only the OS that runs on the main CPU is what you perceive as "Android". A notion of security doesn't apply to phones. Phones are also highly vulnerable on the "air interface" via the mobile network.

    3. Re:What about phones verified NOT affected by Anonymous Coward · · Score: 0

      Thanks a lot. I'm glad to have been wrong, that's a nice comment there.

      If the modem is connected via an on-die bus or PCIe and has DMA access, sure.
      Do you think there's merit in what the Librem 5 phone does? They use a separate modem connected through internal USB, and claim that this protects from harm. And wifi+bluetooth is another separate USB chip.

      The phone will probably have many holes anyway but I'm still waiting for it (I bet the battery life won't be stellar)

  4. Re:I'm not surprised. by Anonymous Coward · · Score: 0

    Stop posting like you're a hillbilly.

  5. Re: I'm not surprised. by Anonymous Coward · · Score: 0

    u wot m8

  6. In semi-related news ... by fahrbot-bot · · Score: 3, Funny

    Imperial All Terrain Armored Transport vehicles (aka Walkers) vulnerable to attacks via hidden AT-AT commands.

    --
    It must have been something you assimilated. . . .
    1. Re:In semi-related news ... by vtcodger · · Score: 1

      Well ... OK ... But who's going to shinny up and plug our remote control interface into the Walker USB port?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    2. Re:In semi-related news ... by Anonymous Coward · · Score: 0

      uh ... it's in the heel

    3. Re:In semi-related news ... by JabrTheHut · · Score: 1

      Why oh why did they add the +++ATB00M command into the spec?

      --
      Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
  7. What this means for law enforcement by Anonymous Coward · · Score: 1

    One of the easiest backdoors into phones just got noticed. I'm not shocked, and wonder if the RF side of the baseband is just as bad.

    Upshot is that your devices will be a lot more secure after this gets patched. The downside is that all those companies providing 'unlocks' for law enforcement just had a major hole closed up and their lives just got more difficult

  8. so what? by miekal · · Score: 1

    PC's BIOS contains code that allow security mechanisms to be bypassed, code injected, formatted, and even become hijacked with alternative OS'es. I'm glad they are discovering this for us but it's not that scary - to me the news is that this is undocumented.. assuming they googled the results.

  9. Oh noes, AT commands! by Anonymous Coward · · Score: 0

    Trust bleepingcomputer to panic a lot but to "forget" sharing the meat of the matter.

    I still remember spending lots of time with terminal software, dialing BBSes, and oftentimes entering AT commands by hand.

    Yes, there's lots of them. Every fucking command given to a modem (or an android phone pretending to be a modem) starts that way.

    But what exactly is the problem here? Trust bleepingcomputer to NOT tell you. Which is why msmash gives us bleepingcomputer. Thanks, msmash.

    1. Re: Oh noes, AT commands! by Anonymous Coward · · Score: 0

      I know this is /., But if you're going to write a long gripe, at least RTFS first, it completely explains the point you missed:

      use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

    2. Re: Oh noes, AT commands! by Anonymous Coward · · Score: 0

      Faildot

    3. Re: Oh noes, AT commands! by Anonymous Coward · · Score: 0

      No, it only goes "seekrit AT commands!", failing to mention that there are lots of non-seekrit AT commands that are perfectly legit, safe, and normal. Since this is bleepingcomputer such fearmongering-by-omission is only to be expected, but still legitimately gripe-worthy.

  10. Re:I'm not surprised. by sheramil · · Score: 0

    If you have an android phone, you're best off throwing it directly in the garbage and buying a real phone.

    Oh, "you're" are, are you? Good to know.

  11. NSS by WaffleMonster · · Score: 1

    What's new? Do people actually expect their phones or PCs to survive encounters with offensive USB hardware? Nevermind RIL access I can plug a keyboard or mouse into a phone USB port and hack away without authorization as well. It only takes a couple of seconds to drop a payload with malicious HID USB via preprogrammed keystrokes. Attack surface of USB is as massive as it is indefensible.

    From TFA, 5 of the 13 devices they tested give access to a serial interface over USB by default. The others require explicit configuration to expose the interface.

    1. Re:NSS by viperidaenz · · Score: 1

      The news is you can unlock a phone via the usb port, and presumably gain access to an encrypted phone without the passcode.
      You can't do that by sending keystrokes via a usb hid.

    2. Re:NSS by kenh · · Score: 1

      The news is you can unlock a phone via the usb port, and presumably gain access to an encrypted phone without the passcode.

      So the user has to dock their device into an insecure device and the phone is unlocked by injecting some AT commands? What smartmodem AT command unlocks a cellphone? And once it is supposedly unlocked though this magical AT command, there are other magical AT commands to emulate touch events?

      Why was the AT smartmodem expanded to include "smartphone unlock" and "touch event" commands?

      --
      Ken
    3. Re:NSS by WaffleMonster · · Score: 1

      The news is you can unlock a phone via the usb port

      This is not news. Attack surface of USB is gargantuan. Completely indefensible.

      https://nakedsecurity.sophos.c...

    4. Re: NSS by Tomahawk · · Score: 2

      Or hand it over to a TSA agent...

    5. Re:NSS by Anonymous Coward · · Score: 0

      That's not USB, that's drivers. Compile your kernel without (or delete the modules) and THAT issue is completely gone.
      Also, it doesn't really exist on Android.
      A different question however is why in all the world your Android device would support AT commands via USB! That's pretty close to "utterly useless", yet someone thought it was a good idea to implement it anyway...

    6. Re:NSS by SandorZoo · · Score: 1

      What smartmodem AT command unlocks a cellphone? And once it is supposedly unlocked though this magical AT command, there are other magical AT commands to emulate touch events?

      LG smartphones. From the paper:

      To demonstrate this attack, we combine AT commands to bypass the lock screen (AT%KEYLOCK=0), navigate to the settings menu using touchscreen automation, and allow USB debugging from our attacking machine (AT%USB=adb). The KEYLOCK AT command bypasses the lock screen even if a pattern or passcode is set. From there, arbitrary touch events can be sent to control the phone(*). Given that nearly 28% of users do not have a pin, pattern, or biometric lock, this attack would still be feasible even without the LG-specific KEYLOCK command

      * Once these commands are patched, visit https://github.com/FICS/atcmd for an automated script and the required utilities

      Samsung phones have AT commands for touch events, but no magic unlock command.
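An added example, not code from the paper, the BleepingComputer article or any commenter above: a small AT session driver that shows the two things discussed in this thread, the multi-step SMS exchange that comment 4 sketches (the 3GPP TS 27.005 send command is AT+CMGS; AT+CMGW writes the message to storage instead) and a non-destructive way to ask a device which commands it accepts, using the `<name>=?` test form for the standard commands and the LG-specific names quoted from the paper. The modem on the other end is a constructed fake with a hypothetical response table so the script runs offline; with a real device you would replace it with a pyserial port on the phone's CDC-ACM interface, wrapped so that write() takes str and readline() returns str with a read timeout. Probing a phone you do not own is not advised even with the test form, and the paper's own tooling at the linked repository is the reference for the real thing.

```python
# Added example (not from the paper, the article, or any comment above):
# a minimal AT command session driver with a constructed fake modem so it runs offline.
import re
from typing import Dict, List, Optional, Tuple

CTRL_Z = "\x1a"                      # terminates the SMS body in text mode
FINAL_RESULTS = ("OK", "ERROR", "NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE")


class FakeModem:
    """Constructed stand-in for a USB CDC-ACM serial port (hypothetical responses).

    A real port (e.g. pyserial on /dev/ttyACM0) deals in bytes; wrap it so
    write() takes str and readline() returns str, with a read timeout so that
    readline() returns '' when the device goes quiet.
    """

    def __init__(self, responses: Dict[str, List[str]]) -> None:
        self.responses = responses
        self._pending: List[str] = []
        self._awaiting_sms_body = False
        self.sent: List[str] = []        # everything the host wrote, for inspection

    def write(self, data: str) -> None:
        self.sent.append(data)
        if self._awaiting_sms_body:
            if data.endswith(CTRL_Z):     # body complete; modem reports the message reference
                self._awaiting_sms_body = False
                self._pending += ["+CMGS: 17", "OK"]
            return
        cmd = data.rstrip("\r\n")
        lines = self.responses.get(cmd, ["ERROR"])   # unknown command -> ERROR, as a modem would
        self._pending += lines
        self._awaiting_sms_body = lines[-1] == "> "

    def readline(self) -> str:
        return self._pending.pop(0) if self._pending else ""


def read_response(port, echo_of: str = "", max_lines: int = 64) -> Tuple[str, List[str]]:
    """Collect information lines until a final result code, the '> ' SMS prompt,
    or a +CME/+CMS error report. Returns (final, payload)."""
    payload: List[str] = []
    for _ in range(max_lines):
        line = port.readline().strip()
        if not line or line == echo_of:           # skip blanks and command echo (when ATE1)
            continue
        if line == ">" or line in FINAL_RESULTS or line.startswith(("+CME ERROR", "+CMS ERROR")):
            return line, payload
        payload.append(line)
    return "TIMEOUT", payload


def send_command(port, cmd: str) -> Tuple[str, List[str]]:
    port.write(cmd + "\r")
    return read_response(port, echo_of=cmd)


def send_sms(port, number: str, text: str) -> Optional[int]:
    """3GPP TS 27.005 text-mode send: AT+CMGF=1, AT+CMGS="<number>", wait for the
    '> ' prompt, then the body terminated by Ctrl-Z. Returns the message reference."""
    if len(text) > 160 or CTRL_Z in text or "\x1b" in text:   # single-part; no stray terminator/abort
        return None
    if send_command(port, "AT+CMGF=1")[0] != "OK":
        return None
    if send_command(port, f'AT+CMGS="{number}"')[0] != ">":
        return None
    port.write(text + CTRL_Z)
    final, payload = read_response(port)
    if final != "OK":
        return None
    for line in payload:
        m = re.match(r"\+CMGS:\s*(\d+)", line)
        if m:
            return int(m.group(1))
    return None


def probe_commands(port, names: List[str]) -> Dict[str, str]:
    """Ask for each command's test form (<name>=?) and record the final result.
    The test form asks what the device accepts; it does not execute the command."""
    return {name: send_command(port, name + "=?")[0] for name in names}


# Constructed response table: a device that speaks the standard GSM set but
# rejects the LG-specific commands quoted from the paper.
FAKE_RESPONSES = {
    "ATE0": ["OK"],
    "AT+CGMI=?": ["OK"],
    "AT+CMGF=1": ["OK"],
    "AT+CMGF=?": ["+CMGF: (0,1)", "OK"],
    "AT+CPIN=?": ["+CME ERROR: 10"],          # 10 = SIM not inserted
    'AT+CMGS="+11235551234"': ["> "],
}
CANDIDATES = ["AT+CGMI", "AT+CMGF", "AT+CPIN", "AT%KEYLOCK", "AT%USB"]

if __name__ == "__main__":
    modem = FakeModem(FAKE_RESPONSES)
    send_command(modem, "ATE0")               # echo off first on a real modem
    print("message reference:", send_sms(modem, "+11235551234", "hello from the AT interface"))
    for name, result in probe_commands(modem, CANDIDATES).items():
        print(f"{name:12} -> {result}")
```

The parser treats "> " as a final result on purpose: a real modem sends the prompt without a trailing CR/LF, so a line-oriented reader blocks on it unless the read timeout expires, which is why the transport needs one. Vendor commands like the `AT%` ones above mostly do not implement the `=?` form, so "ERROR" from a probe means "not acknowledged via the test syntax", not proof of absence.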

  12. Hayes AT commands? by jfdavis668 · · Score: 2

    Next thing you will tell me is that there are Pascal vulnerabilities.

  13. Cellphone-on-a-chip been around for a while. by MindPrison · · Score: 4, Interesting

    I don't know if anyone of you are into Arduino?

    But it's been common knowledge for years now that you can purchase chips complete with IMEI number, multi-band RX/TX, fully featured with data, phone, simcard reader (just solder directly to pins!) mic in/speaker out pins, and the commands you send to it is via normal serial connections, you can use AT commands just like on an old HAYES(tm) modem.

    The ones on ebay are often batches from really old cellphones, but very simple to code as you basically can do this just by interfacing them with an USB to SERIAL adapter, and then you can in fact use them just as a regular cellphone. I have a bunch of such chips in my drawer, let me give you some numbers for fun so you can find out for yourself, it's really an open door, surprising that so few know this, here's some numbers: NEOWAY M590E and another: SIM800L, if you google the first - you'll find tons of coding examples (which is so easy a 12 year old can figure it out), and instructional videos. The chips are often found complete with DIY PCB's someone put together as a kit out there, or presoldered, usually around 2-3 dollars, what a world we live in.

    And yes, these can be wired up to become your own cellphone, simple, or smart (use an raspberry pi with a touch screen, load it up with an OS, your choice). And a little software magic aka amateur hour - and you're done.

    A lot of devs, have done the same thing, it's a lot easier and a LOT more accessible to construct your own phone, than most people even dare to dream of.

    --
    What this world is coming to - is for you and me to decide.
    1. Re: Cellphone-on-a-chip been around for a while. by Anonymous Coward · · Score: 0

      Amen, bro.

    2. Re:Cellphone-on-a-chip been around for a while. by quenda · · Score: 1

      here's some numbers: NEOWAY M590E and another: SIM800L,

      Good luck finding an operational 2G network in 2018! :-)
        Are there any cheap 3g/lte equivalents?

      You could buy an old phone or USB 3G modem from ebay for a few dollars. Can an Arduino use the USB serial port on that?

    3. Re:Cellphone-on-a-chip been around for a while. by Anonymous Coward · · Score: 0

      I'm in Europe (Belgium/France) and 'accidentally' find them more than a few times a day. ;)

    4. Re:Cellphone-on-a-chip been around for a while. by infolation · · Score: 1

      The UK still has a fully operational 2G network.

      The only way to achieve a steady stable NTRIP connection here is with 2G.

    5. Re:Cellphone-on-a-chip been around for a while. by Anonymous Coward · · Score: 0

      Uh, 2G networks will be around far past 2022 in many, if not most European countries.
      Germany will switch off 3G first, with not even plans of switching off 2G yet.
      2G is used in lots of industrial automation, elevators etc., sometimes with contracts, but definitely with lifetimes measured in decades.
      Plus 2G is by far not as horribly wasteful with spectrum as 3G, so there isn't really much REASON to switch it off either.

    6. Re:Cellphone-on-a-chip been around for a while. by squiggleslash · · Score: 2

      T-Mobile still has a functional 2G GSM/EDGE network in the US which it runs in parallel with 3G GSM (UMTS) and 4G GSM (LTE). I believe most of Europe still supports GSM.

      2G GSM is probably the most solid, reliable, mobile phone technology in existence, it'll be a sad day when it goes completely. If they're short on spectrum, dumping UMTS would make more sense.

      --
      You are not alone. This is not normal. None of this is normal.
  14. ATTENTION by buravirgil · · Score: 1

    Colossus and Guardian are one.

    --
    Would were! Should is! Could be! And live a hundred times three.
  15. Re:I'm not surprised. by Anonymous Coward · · Score: 0

    If you have an android phone, you're best off throwing it directly in the garbage and buying a real phone.

    Oh, "you're" are, are you? Good to know.

    Additionally, he's actually asking you to buy a "real" phone from a Chinese company like Foxconn.

    That's pretty damn funny if you think about it.

  16. Nonsensical by kenh · · Score: 1

    I understand that through careful use of AT commands through a device a user would have to physically dock into you can trigger the device to perform certain actions (like dial a call), but the claims in the summary are nothing short of fantastical:

    These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

    Exactly what AT command from the 1980s Hayes smartmodems does one use to "perform screen unlocks" or "inject touch events" into a device, let alone "exfiltrate sensitive device information"?

    --
    Ken
    1. Re:Nonsensical by Anonymous Coward · · Score: 0

      The command sets include new and undocumented commands. Even "standard" features common to most modern modems exceed the modem command set of the 80s. These commands probably exist for debugging or automating production processes. Or they're backdoors.

    2. Re:Nonsensical by Anonymous Coward · · Score: 1

      the command set was significantly extended to support connectivity of modern devices. this is how host devices/software communicate with the connected device for everything like software maintenance, data dumps, connectivity, firmware updates, settings and configuration, etc. cheap to implement but oh, so shitty by design.

    3. Re:Nonsensical by mikael · · Score: 4, Informative

      The AT+CPIN and AT+CPIN2 commands are used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

      https://www.arcelect.com/GSM%2...

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:Nonsensical by grep+-v+'.*'+* · · Score: 1

      Exactly what AT command from the 1980s Hayes smartmodems does one use to "perform screen unlocks" or "inject touch events" into a device, let alone "exfiltrate sensitive device information"?

      Where have YOU been? You've seen the movies: "AT Do-What-I-Want" by banging away on the keyboard like a Shakespeare monkey. Every good hacker knows that.

      Really though, I'm surprised to see they've enhanced the command set this much.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    5. Re:Nonsensical by WaffleMonster · · Score: 1

      The AT+CPIN and AT+CPIN2 commands are used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

      If you were to use these commands on most smart phones they would come up blank. While there are provisions for SIM storage of messages, phone book, history it's seldom used.

    6. Re: Nonsensical by Tomahawk · · Score: 1

      Read the article linked and watch the 2nd video...!
      (It's quite obvious from your comment that you didn't already)

    7. Re: Nonsensical by Anonymous Coward · · Score: 0

      AT%KEYLOCK=0

      Yep, it's that stupidly easy. Not too much hacker clackity-clack, either. Fits nicely between snarky lines of dialog and 'leet-speak.

  17. You can steal all of the phone's data... by Anonymous Coward · · Score: 0

    And dial up your favorite Renegade or Wildcat BBS while doing so!

    ATDT

  18. Finally a way to root and reflash the locked down by Anonymous Coward · · Score: 0

    Finally a way to root and reflash locked down phones!

  19. Uh... Secret?! by bferrell · · Score: 1

    Those command are how USB tethering works

    Yes, it pretends to be a modem/serial port. Oh well.

    The USB gadget interface is odd at best.

    1. Re:Uh... Secret?! by Anonymous Coward · · Score: 0

      That's not how USB tethering works. That uses a USB-Ethernet emulation, not a serial port emulation.

    2. Re:Uh... Secret?! by squiggleslash · · Score: 1

      For old feature phones, you'd be correct. However, I've never seen an Android phone that's used RS232 emulation mode for tethering, generally they implement a virtual Ethernet device instead.

      --
      You are not alone. This is not normal. None of this is normal.
  20. Secret really? by skullandbones99 · · Score: 4, Informative

    The cellular AT commands are specified by the 3GPP Open Standard document 27.007.

    Anyone can download the latest doc from http://www.3gpp.org/ftp/Specs/...

    There was no need to reinvent the wheel because the old Hayes inspired AT command technology could easily be applied to modern cellular devices.

    Bluetooth can use AT commands for transferring contact information between devices and therefore AT commands are not restricted to the USB to serial interface. In other words, Bluetooth can provide virtual serial links over the Bluetooth radio link which I suspect an attacker would like to exploit remotely.

    When implementing an AT command interpreter, care is needed to not allow unauthorised entities from executing actions that are deemed to be dangerous to the integrity of the system.

    However, vendors can create their own vendor-specific commands. That can be a weakness because they won't be tested in conformity testing for 27.007 and other AT command specifications.
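
    An added example, not code from any commenter or from any vendor's modem firmware, of the kind of gated AT command interpreter skullandbones99 calls for, using the 27.007 command forms and the commands mikael lists (AT+CPIN, AT+CKPD, AT+CPBR/AT+CPBS) plus the vendor-specific AT%KEYLOCK quoted in the thread. The privilege levels, the POLICY table and the function names are assumptions made for illustration.

```python
import re

# Constructed privilege levels for the interface a command arrives on (assumption):
# an unauthenticated USB/serial host, a host that has completed some
# authentication, and a factory/engineering line.
PRIV_OPEN, PRIV_AUTHED, PRIV_FACTORY = 0, 1, 2

# Constructed policy table: lowest privilege allowed to run each command.
# Read-only 27.007 queries are open; anything that unlocks the SIM, emulates
# keys or reads user data needs an authenticated host; the vendor-specific
# lock-screen command is confined to the factory line.
POLICY = {
    "+CGMI": PRIV_OPEN,       # manufacturer identification (27.007)
    "+CSQ": PRIV_OPEN,        # signal quality (27.007)
    "+CPIN": PRIV_AUTHED,     # enter SIM PIN
    "+CKPD": PRIV_AUTHED,     # keypad emulation
    "+CPBS": PRIV_AUTHED,     # select phonebook storage
    "+CPBR": PRIV_AUTHED,     # read phonebook entries
    "%KEYLOCK": PRIV_FACTORY, # vendor-specific, quoted in the thread
}

# 27.007 syntax: AT<name>         execute
#                AT<name>?        read current value
#                AT<name>=?       test (list supported values)
#                AT<name>=<args>  set
AT_RE = re.compile(r"^AT([+%#$*][A-Z0-9]+)(=\?|\?|=(.*))?$", re.I)

AUDIT = []  # refused commands, for the host OS to log and alert on

def parse(line):
    """Split one AT line into (name, kind, params); raise ValueError if malformed."""
    m = AT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed AT line")
    name, suffix, params = m.group(1).upper(), m.group(2), m.group(3)
    kind = {None: "exec", "=?": "test", "?": "read"}.get(suffix, "set")
    args = [p.strip() for p in params.split(",")] if kind == "set" else []
    return name, kind, args

def dispatch(line, privilege):
    """Return 'OK' if the command may run at this privilege, else 'ERROR'."""
    if line.strip().upper() == "AT":
        return "OK"  # bare attention command is always harmless
    try:
        name, kind, args = parse(line)
    except ValueError:
        return "ERROR"
    # Vendor-specific prefixes (%, #, $, *) never run from a non-factory host,
    # and unknown commands are refused by default rather than passed through.
    vendor_blocked = name[0] != "+" and privilege < PRIV_FACTORY
    if vendor_blocked or POLICY.get(name) is None or privilege < POLICY[name]:
        AUDIT.append((name, kind, privilege))
        return "ERROR"
    return "OK"  # a real interpreter would now execute (name, kind, args)
```

    The deny-by-default branch is the point: the page's finding is that thousands of commands were reachable because nothing in between asked who was on the other end of the cable.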

    1. Re:Secret really? by Anonymous Coward · · Score: 0

      Shhh with that logic and history. We have pitchforks out already. Someone has to be burned alive, it's tradition! We can't possibly be reminded physical security renders many things completely vulnerable.

      You would cry if you saw how hotplug is handled on phones. That is the real wtf.

    2. Re:Secret really? by SpzToid · · Score: 1

      300baud FTW! with screeches and bleeps to alert anyone around, possibly in the early am hours because of pure bandwidth lust and greed.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
  21. Re:Finally a way to root and reflash the locked do by Anonymous Coward · · Score: 0

    That's what happens when you send down UNICODE text as an SMS message.

  22. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  23. Some simple rules by Anonymous Coward · · Score: 0

    Every lawyer I've ever known has advised:
    Don't put information on phones that you don't wish to make public.
    Don't send emails that contain information you do wish to make public.
    Don't write anything down you don't wish to make public.
    Don't store information on PC that you do not wish to make public.

    Imagining some silver bullet to make these rules unnecessary is a fantasy.

  24. What timing. by Anonymous Coward · · Score: 0

    Just yesterday I was discussing the fact that none of the young programmers know anything about synchronous or bi-synchronous communications these days. Mention the Hayes modem commands and young people don't have a clue. I know that there isn't much use these days for dial up modems but they still are used. I keep several of them. I don't know if there is any FAX software to use with them or if Windows would be a nightmare to try and use them, but... I can imagine what people would say about BCD and computers that used 7bit characters that I used to work with. LOL. They'd show their ignorance pretty quickly.

  25. Wow! AT&F&C1&D2 by p51d007 · · Score: 3, Interesting

    Holy crap! I haven't used AT commands since I got rid of my external modem in the dial up internet days. Started with a 2400bps, then 9600, 33k, and 56k. When I went to 1.5meg DSL then to a whopping 3-6 meg, thought it couldn't get any better LOL. AT commands...there's a walk down memory lane!

  26. Are there really over 3,500 different AT commands? by Anonymous Coward · · Score: 0

    ... these devices support over 3,500 different types of AT commands ...

    I am from the old school, know pretty much how the AT command works

    However, I don't seem to be able to remember that there were over 3,500 different types of AT commands

    Perhaps I am wrong

    So, can anyone show me where I can find all those over 3,500 different types of AT commands, please?

  27. +++ath by Tomahawk · · Score: 1

    +++ath

    Just testing...

  28. total bullshit scare mongering by pablo_max · · Score: 2

    Seriously, this article is fucking ridiculous scare mongering, pure and simple.
    Let's see.
    They need physical access to your phone.
    They need to have your password because the phone must be able to install as a modem, but Android does not do that without you enabling it EACH time you plug it in.
    They need the modem drivers.
    Then, they need to send AT commands after all that. After they were already holding your unlocked phone.

    Likely most people have no idea about AT commands. Yes, they are still used. They are also mandatory to support, should you wish to certify your phone according to PTCRB, which, unless you are selling only to VzW or Sprint, you MUST do to be allowed on the network.
    AT commands are normally not used by people. They are used by machines.
    They are used by SIM application tool kit for example. Your SIM card has applications on it that handles things like steering of roaming. This is done via at commands to the modem.
    Or changing the PLMN as another example.

    If you really want to fuck with your phone, then DL a copy of QXDM and start tweaking NV items. NV items are used by qualcomm to control everything about the radio. Change the bands? Sure, no problem. Change power class? Yup.
    Of course, the physical HW would not support it and likely you would damage the PA, but you can still set it. There likely won't be any matching circuit in the antenna path either. So if the PA can transmit in that band, you will get some pretty wicked spurious emissions.
    There are tons of settings you can make to brick your phone straight away.
    This takes the same level of access as sending stupid AT commands.

    1. Re:total bullshit scare mongering by Anonymous Coward · · Score: 0

      Umm. No. Just watch the first 30 seconds of the video. They bypass most of those requirements. They just need to be plugged into the device and the phone unlocked. Then with a correctly written script they can gain full access and disable any prompts. A fake USB power bank could easily be used to do this.

    2. Re:total bullshit scare mongering by Anonymous Coward · · Score: 0

      Actually, as detailed, one of the commands completely bypasses the lock screen. All a user needs to do is plug their phone into a public charging space that's been modified by the attacker. Do YOU use airport charging stations?

  29. Fake News by johnsie · · Score: 1

    This isn't even an issue.

  30. North bridge by DrYak · · Score: 1

    The fact that the modem itself speaks AT commands isn't anything new (the smartphone OSes still needs to send command to it to ask to get a 3G/4G connection, or to dial a voice number. The ethernet-card-like interface is only exposed by the modem when the connection is set up.)

    The problem lies at two different levels :

    - Why is the smartphone exposing the modem over its USB connection ? It might be a bug in the OS (it should either expose some android-y interface like ADB, expose whatever shitty thing is popular currently on Windows to exchange files (MTP ?), and/or expose a USB-Network). It might be a firmware error (like the USB connection being handled by the cell modem and accidentally exposing internals).

    - Nowadays, nearly all smartphones have the cell modem directly built in the SoC and functioning as the north bridge of the chipset (in charge of bringing up and controlling tons of sensitive parts, including RAM, boot firmware, etc.) This gives a couple of tiny advantages (power savings : e.g. the modem could handle a call, including routing to bluetooth, while the main OS sleeps). But it opens tons of security issues, especially once you factor in that this critical part, due to how frequency licensing works, CANNOT run an opensource firmware, but is instead controlled by the chipset manufacturer and the service provider.

    (The only notable exceptions are a few geek projects like the Purism Librem 5, and Dragon Pyra, where the modem is still a separate chip that only speaks over serial+ethernet to the main chipset, has no other access to anything sensitive and can be killed with a simple switch).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  31. Re:Wow! AT&F&C1&D2 by Anonymous Coward · · Score: 1

    Pretty much all 2G, 3G, 4G, NB-IoT, Cat-M1, etc. cellular modules use AT commands. Anyone building things like GNSS trackers or M2M devices is familiar with them. It's something that worked and could easily be adapted for new uses without reinventing the wheel.

  32. Good for rooting phones? by Anonymous Coward · · Score: 0

    As an attack vector, this does not seem to amount to much. But, I wonder whether it could be used for rooting phones? That would be useful, as the current approaches are clunky, error prone and, in essence, a lottery.

  33. Re:I'm not surprised. by Anonymous Coward · · Score: 0

    you mean like the pos iPhone?

  34. Re:Are there really over 3,500 different AT comman by Orrin+Bloquy · · Score: 1

    Those are vendor-specific extensions that have nothing to do with Hayes Smartmodem actions but do things like simulate touch events, read and send back phone data, and other actions normally shielded by security measures. Read the article next time.

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
  35. To me that's an upgrade by Anonymous Coward · · Score: 0

    My Nokia 7110 supposedly had AT Command capability, but I could never get it to work.