Smartphones From 11 OEMs, Including Google, Samsung, HTC, Lenovo and Sony, Vulnerable To Attacks Via Hidden AT Commands

An anonymous reader writes: In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands, or the Hayes command set, are currently supported on modern Android devices.

The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE. They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions. These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

Re:Oyyyyyy.

[mikael]

It's not just cell phone modems. PCMCIA cards for laptops have the same set of AT commands. Same with satellite modem cards that would allow a PC to connect with the various satellite networks. This makes the development and porting of device driver software easy. You just take a basic functionality driver and add the extras you need like support for SMS, reading cell phone tower/satellite signal strengths, making and ending calls, switching to data mode.

Secret really?

[skullandbones99]

The cellular AT commands are specified by the 3GPP Open Standard document 27.007.

Anyone can download the latest doc from http://www.3gpp.org/ftp/Specs/...

There was no need to reinvent the wheel because the old Hayes inspired AT command technology could easily be applied to modern cellular devices.

Bluetooth can use AT commands for transferring contact information between devices and therefore AT commands are not restricted to the USB to serial interface. In other words, Bluetooth can provide virtual serial links over the Bluetooth radio link which I suspect an attacker would like to exploit remotely.

When implementing an AT command interpreter, care is needed to not allow unauthorised entities from executing actions that are deemed to be dangerous to the integrity of the system.

However, vendors can create their own vendor specific commands. That can be a weakness because they won't be tested in conformity testing for 27.007 and other AT command specifications.

Re:Nonsensical

[mikael]

The AT+CPIN and AT+CPIN2 commands is used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

https://www.arcelect.com/GSM%2...