Slashdot Mirror

← Back to Stories (view on slashdot.org)

Smartphones From 11 OEMs, Including Google, Samsung, HTC, Lenovo and Sony, Vulnerable To Attacks Via Hidden AT Commands (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands, or the Hayes command set, are currently supported on modern Android devices.

The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE. They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions. These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

52 of 116 comments (clear)

  1. Oyyyyyy. by b0s0z0ku · · Score: 2

    Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

    1. Re:Oyyyyyy. by mikael · · Score: 4, Informative

      It's not just cell phone modems. PCMCIA cards for laptops have the same set of AT commands. Same with satellite modem cards that would allow a PC to connect with the various satellite networks. This makes the development and porting of device driver software easy. You just take a basic functionality driver and add the extras you need like support for SMS, reading cell phone tower/satellite signal strengths, making and ending calls, switching to data mode.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re: Oyyyyyy. by b0s0z0ku · · Score: 1

      iPhones/iPads likely use a baseband "modem" with the same set of commands. This is not a platform thing, this is a hardware thing.

    3. Re:Oyyyyyy. by Anonymous Coward · · Score: 1

      Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

      Because when connected to a computer with a serial cable, you can only speak to the chip over serial.
      Ethernet doesn't support dialing into another modem or faxing, and most all devices that use a modem to connect to the phone network don't have an IP or any address suitable for Ethernet framing to be sent to them.

      You would only dial #777 if you wanted to dial into Sprint by PPP
      You'd dial something different if you wanted to connect to a device with its own phone number.

      The AT command set is very expandable, so lets the same interface to a PC have the cell modem to more modern functions than just dialup and fax.

      For instance your computer can send a SMS with just
      AT+CMGW="+11235551234"
      followed by a space and up to 160 characters before the CR.

      You should also probably be made aware of the fact you CAN buy cellular wireless bridge devices.
      They act as a wifi access point and bridge your default gateway traffic over the cell data network and out to the Internet. It's wifi not Ethernet, but close enough.

      Basically put if you didn't want a cellular dialup modem for your PC, you shouldn't have bought and plugged in a cellular dialup modem and instead purchased the proper device :P

    4. Re:Oyyyyyy. by AmiMoJo · · Score: 2

      It's a non issue though.

      To exploit this an attacker would need to unlock and get root on the device. If they can do that you are screwed anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Oyyyyyy. by bferrell · · Score: 1

      I can show you "serial" ports that run at Gig+ speeds on routers. Serial ports aren't the bottleneck.

      The "network" interface those connections use is related to PPPoE. Nothing new got invented for data connections on the cellular network. You don't even want to know how data was handled on the AMPS network ( '86 and after ).

    6. Re:Oyyyyyy. by mikael · · Score: 1

      Maybe they have been replaced by USB dongles. But the command set is the same:

      https://www.developershome.com...
      https://www.sierrawireless.com...
      https://www.sparkfun.com/datas...

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    7. Re:Oyyyyyy. by Anonymous Coward · · Score: 1

      It's not a limit of the serial port as such but of the way data is shuffled to and from the serial port. It takes too much CPU time to do high speed serial communication with the abstractions designed for much slower connections.

    8. Re:Oyyyyyy. by AC-x · · Score: 1

      Because when connected to a computer with a serial cable, you can only speak to the chip over serial

      Serial? You mean RS-232? Who connects to their phone over RS-232 any more? How do you even connect to a modern smartphone with an RS-232 cable??

      When I plug my phone into my computer over USB the phone gives me the option to tether via USB, which then presents the phone as a USB ethernet device and routes the traffic over that...

    9. Re: Oyyyyyy. by crypticedge · · Score: 2

      This is why you always use your own power block and usb cable. And don't by cheap knockoffs of the real power blocks/docks.

      Or, get a few "power only" usb cables that are designed to block data transfers entirely.

    10. Re:Oyyyyyy. by SandorZoo · · Score: 2

      Not on LG phones. On those, you can unlock the phone, send arbitrary touch events to do whatever you want, and access files in /sdcard, all with just a USB connection. Samsung are also some what vulnerable, but at least their screenlock can't be bypassed. However, the paper points out 28% of smartphone users to not have a pin, pattern, or biometric lock set. Also, Samsung allow phone calls to be made/answered using the AT commands even if locked.

    11. Re:Oyyyyyy. by squiggleslash · · Score: 1

      USB uses a packet based protocol, you don't talk to it with AT commands. There's an RS-232 profile, where you can have a device that either is or pretends to be hooked up using RS-232 talked to over USB (lots of USB modems use this, and that's how you'd use data on flip phones), but that runs over the native packet based system. USB is more like Ethernet than RS232 in terms of how software treats it.

      So essentially I have the same question as the GP, what are we communicating with in "serial mode"? I honestly didn't know smartphones supported such a mode. Is this internal to the phone itself, ie how Android communicates with the GSM hardware?

      --
      You are not alone. This is not normal. None of this is normal.
    12. Re:Oyyyyyy. by tlhIngan · · Score: 1

      Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

      Because a data connection is still attached like a dialup connection.

      Though to be completely correct, only voice calls and circuit-switched data connections traditionally use the "ATD" command. To establish a proper 3G+ connection takes another command to establish and tear down data contexts.

      The whole command set has been extended so much a dialup modem is actually a simpler use case to handle. But it's a very handy set of commands and generally standardized, which is why it keeps getting used.

      Once a data context is established, generally a PPP style connection appears on another virtual serial port and you send data through this virtual serial port.

      The actual data link can be a real serial port, to USB (usually CDC-ACM, or a custom bulk endpoint style link), or more modern PCIe allowing DMA of data to buffers, or if they're onchip units like a Qualcomm chipset, mailbox passing. Of course, this lowlevel mechanism in the end is used to provide a high level serial port view.

  2. In semi-related news ... by fahrbot-bot · · Score: 3, Funny

    Imperial All Terrain Armored Transport vehicles (aka Walkers) vulnerable to attacks via hidden AT-AT commands.

    --
    It must have been something you assimilated. . . .
    1. Re:In semi-related news ... by vtcodger · · Score: 1

      Well ... OK ... But who's going to shinny up and plug our remote control iinterface into the Walker USB port?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    2. Re:In semi-related news ... by JabrTheHut · · Score: 1

      Why oh why did they add the +++ATB00M command into the spec?

      --
      Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
  3. What this means for law enfocement by Anonymous Coward · · Score: 1

    One of the easiest backdoors into phones just got noticed. I'm not shocked, and wonder if the RF side of the baseband is just as bad.

    Upshot is that your devices will be a lot more secure after this gets patched. The downside is that all those companies providing 'unlocks' for law enforcement just had a major hole closed up and their lives just got more difficult

  4. so what? by miekal · · Score: 1

    PC's BIOS contains code that allow security mechanisms to be bypassed, code injected, formatted, and even become hijacked with alternative OS'es. I'm glad they are discovering this for us but it's not that scary - to me the news is that this is undocumented.. assuming they googled the results.

  5. NSS by WaffleMonster · · Score: 1

    What's new? Do people actually expect their phones or PCs to survive encounters with offensive USB hardware? Nevermind RIL access I can plug a keyboard or mouse into a phone USB port and hack away without authorization as well. It only takes a couple of seconds to drop a payload with malicious HID USB via preprogrammed keystrokes. Attack surface of USB is as massive as it is indefensible.

    From TFA 5 of the 13 devices they tested give access to serial interface over USB by default. The others require explicit configuration to expose interface.

    1. Re:NSS by viperidaenz · · Score: 1

      The news is you can unlock a phone via the usb port, and presumably gain access to an encrypted phone without the passcode.
      You can't do that by sending keystrokes via a usb hid.

    2. Re:NSS by kenh · · Score: 1

      The news is you can unlock a phone via the usb port, and presumably gain access to an encrypted phone without the passcode.

      So the user has to dock their device into an insecure device and the phone is unlocked by injecting some AT commands? What smartmodem AT command unlocks a cellphone? And once it is supposedly unlocked though this magical AT command, there are other magical AT commands to emulate touch events?

      Why was the AT smartmodem expanded to include "smartphone unlock" and "touch event" commands?

      --
      Ken
    3. Re:NSS by WaffleMonster · · Score: 1

      The news is you can unlock a phone via the usb port

      This is not news. Attack surface of USB is gargantuan. Completely indefensible.

      https://nakedsecurity.sophos.c...

    4. Re: NSS by Tomahawk · · Score: 2

      Or hand it over to a TSA agent...

    5. Re:NSS by SandorZoo · · Score: 1

      What smartmodem AT command unlocks a cellphone? And once it is supposedly unlocked though this magical AT command, there are other magical AT commands to emulate touch events?

      LG smartphones. From the paper:

      To demonstrate this attack, we combine AT commands to bypass the lock screen (AT%KEYLOCK=0), navigate to the settings menu using touchscreen automation, and allow USB debugging from our attacking machine (AT%USB=adb). The KEYLOCK AT command bypasses the lock screen even if a pattern or passcode is set. From there, arbitrary touch events can be sent to control the phone(*). Given that nearly 28% of users do not have a pin, pattern, or biometric lock, this attack would still be feasible even without the LG-specific KEYLOCK command

      * Once these commands are patched, visit https://github.com/FICS/atcmd for an automated script and the required utilities

      Samsung phones have AT commands for touch events, but no magic unlock command.

  6. Hayes AT commands? by jfdavis668 · · Score: 2

    Next thing you will tell me is that there are Pascal vulnerabilities.

  7. Re:Let Me Guess by viperidaenz · · Score: 4, Funny

    +++ATH0

  8. Cellphone-on-a-chip been around for a while. by MindPrison · · Score: 4, Interesting

    I don't know if anyone of you are into Arduino?

    But it's been common knowledge for years now that you can purchase chips complete with IMEI number, multi-band RX/TX, fully featured with data, phone, simcard reader (just solder directly to pins!) mic in/speaker out pins, and the commands you send to it is via normal serial connections, you can use AT commands just like on an old HAYES(tm) modem.

    The ones on ebay are often batches from really old cellphones, but very simple to code as you basically can do this just by interfacing them with an USB to SERIAL adapter, and then you can in fact use them just as a regular cellphone. I have a bunch of such chips in my drawer, let me give you some numbers for fun so you can find out for yourself, it's really an open door, surprising that so few know this, here's some numbers: NEOWAY M590E and another: SIM800L, if you google the first - you'll find tons of coding examples (which is so easy a 12 year old can figure it out), and instructional videos. The chips are often found complete with DIY PCB's someone put together as a kit out there, or presoldered, usually around 2-3 dollars, what a world we live in.

    And yes, these can be wired up to become your own cellphone, simple, or smart (use an raspberry pi with a touch screen, load it up with an OS, your choice). And a little software magic aka amateur hour - and you're done.

    A lot of devs, have done the same thing, it's a lot easier and a LOT more accessible to construct your own phone, than most people even dare to dream of.

    --
    What this world is coming to - is for you and me to decide.
    1. Re:Cellphone-on-a-chip been around for a while. by quenda · · Score: 1

      here's some numbers: NEOWAY M590E and another: SIM800L,

      Good luck finding an operational 2G network in 2018! :-)
        Are there any cheap 3g/lte equivalents?

      You could buy an old phone or USB 3G modem from ebay for a few dollars. Can an Arduino use the USB serial port on that?

    2. Re:Cellphone-on-a-chip been around for a while. by infolation · · Score: 1

      The UK still has a fully operational 2G network.

      The only way to achieve a steady stable NTRIP connection here is with 2G.

    3. Re:Cellphone-on-a-chip been around for a while. by squiggleslash · · Score: 2

      T-Mobile still has a functional 2G GSM/EDGE network in the US which it runs in parallel with 3G GSM (UMTS) and 4G GSM (LTE). I believe most of Europe still supports GSM.

      2G GSM is probably the most solid, reliable, mobile phone technology in existence, it'll be a sad day when it goes completely. If they're short on spectrum, dumping UMTS would make more sense.

      --
      You are not alone. This is not normal. None of this is normal.
  9. ATTENTION by buravirgil · · Score: 1

    Colossus and Guardian are one.

    --
    Would were! Should is! Could be! And live a hundred times three.
  10. Nonsensical by kenh · · Score: 1

    I understand that through careful use of AT commands through a device a user would have to physically dock into you can trigger the device to perform certain actions (like dial a call), but the claims in the summary are nothing short of fantastical:

    These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

    Exactly what AT command from the 1980s Hayes smartmodems does one use to "perform screen unlocks" or "inject touch events" into a device, let alone "exfiltrate sensitive device information"?

    --
    Ken
    1. Re:Nonsensical by Anonymous Coward · · Score: 1

      the command set was significantly extended to support connectivity of modern devices. this is how host devices/software communicate with the connected device for everything like software maintenance, data dumps, connectivity, firmware updates, settings and configuration, etc. cheap to implement but oh, so shitty by design.

    2. Re:Nonsensical by mikael · · Score: 4, Informative

      The AT+CPIN and AT+CPIN2 commands is used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

      https://www.arcelect.com/GSM%2...

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Nonsensical by grep+-v+'.*'+* · · Score: 1

      Exactly what AT command from the 1980s Hayes smartmodems does one use to "perform screen unlocks" or "inject touch events" into a device, let alone "exfiltrate sensitive device information"?

      Where have YOU been? You've seen the movies: "AT Do-What-I-Want" by banging away on the keyboard like a Shakespeare monkey. Every good hacker knows that.

      Really though, I'm surprised to see they've enhanced the command set this much.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    4. Re:Nonsensical by WaffleMonster · · Score: 1

      The AT+CPIN and AT+CPIN2 commands is used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

      If you were to use these commands on most smart phones they would come up blank. While there are provisions for SIM storage of messages, phone book, history it's seldom used.

    5. Re: Nonsensical by Tomahawk · · Score: 1

      Read the article linked and watch the 2nd video...!
      (It's quite obvious from your comment that you didn't already)

  11. Uh... Secret?! by bferrell · · Score: 1

    Those command are how USB tethering works

    Yes, it pretends to be a modem/serial port. Oh well.

    The USB gadget interface is odd at best.

    1. Re:Uh... Secret?! by squiggleslash · · Score: 1

      For old feature phones, you'd be correct. However, I've never seen an Android phone that's used RS232 emulation mode for tethering, generally they implement a virtual Ethernet device instead.

      --
      You are not alone. This is not normal. None of this is normal.
  12. Secret really? by skullandbones99 · · Score: 4, Informative

    The cellular AT commands are specified by the 3GPP Open Standard document 27.007.

    Anyone can download the latest doc from http://www.3gpp.org/ftp/Specs/...

    There was no need to reinvent the wheel because the old Hayes inspired AT command technology could easily be applied to modern cellular devices.

    Bluetooth can use AT commands for transferring contact information between devices and therefore AT commands are not restricted to the USB to serial interface. In other words, Bluetooth can provide virtual serial links over the Bluetooth radio link which I suspect an attacker would like to exploit remotely.

    When implementing an AT command interpreter, care is needed to not allow unauthorised entities from executing actions that are deemed to be dangerous to the integrity of the system.

    However, vendors can create their own vendor specific commands. That can be a weakness because they won't be tested in conformity testing for 27.007 and other AT command specifications.

    1. Re:Secret really? by SpzToid · · Score: 1

      300baud FTW! with screeches and bleeps to alert anyone around, possibly in the early am hours because of pure bandwidth lust and greed.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
  13. Re:Let Me Guess by mykie242 · · Score: 3, Funny

    NO CARRIER

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. Wow! AT&F&C1&D2 by p51d007 · · Score: 3, Interesting

    Holy crap! I haven't used AT commands since I got rid of my external modem in the dial up internet days. Started with a 2400bps, then 9600, 33k, and 56k. When I went to 1.5meg DSL then to a whopping 3-6 meg, thought it couldn't get any better LOL. AT commands...there's a walk down memory lane!

  16. +++ath by Tomahawk · · Score: 1

    +++ath

    Just testing...

  17. total bullshit scare mongering by pablo_max · · Score: 2

    Seriously, this article is fucking ridiculous scare mongering, pure and simple.
    Let's see.
    They need physical access to your phone.
    They need to have your password because the phone must be able to install as a modem, but Android does not do without enabling it EACH time you plug it in.
    They need the modem drivers.
    Then, they need to send AT commands after all that. After they were already holding your unlocked phone.

    Likely most people have no idea about AT commands. Yes, they are still used. They are also mandatory to support, should you wish to certify your phone according to PTCRB, which, unless you are selling only to VzW or Sprint, you MUST do to be allowed on the network.
    AT commands are normally not used by people. They are used by machines.
    They are used by SIM application tool kit for example. Your SIM card has applications on it that handles things like steering of roaming. This is done via at commands to the modem.
    Or changing the PLMN as another example.

    If you really want to fuck with your phone, then DL a copy of QXDM and start tweaking NV items. NV items are used by qualcomm to control everything about the radio. Change the bands? Sure, no problem. Change power class? Yup.
    Of course, the physical HW would not support it and likely you would damage the PA, but you can still set it. There likely wont be any matching circuit in the antenna path either. So if the PA can transmit in that band, you will get some pretty wicked spurious emissions.
    There are tons of settings you can make to brink your phone straight away.
    This takes the same level of access then sending stupid AT commands.

  18. Fake News by johnsie · · Score: 1

    This isn't even an issue.

  19. North bridge by DrYak · · Score: 1

    The fact that the modem itself speaks AT commands isn't anything new (the smartphone OSes still needs to send command to it to ask to get a 3G/4G connection, or to dial a voice number. The ethernet-card-like interface is only exposed by the modem when the connection is set up.)

    The problem lies at two different levels :

    - Why is the smartphone exposing the modem over its USB connection ? It might by a bug in the OS (it should either expose some android-y interface like ADB, expose whatever shitty thing is popular currently on Windows to exchange file (MTP ?), and/or expose a USB-Network). It might be a firmware error (like the USB connection being handled by the cell modem and accidentally exposing internals).

    - Nowadays, nearly all smartphone have the cell modem directly built in the SoC and functioning as the north bridge of the chipset (in charge of bringing up and controling tons of sensitive parts, including RAM, boot firmware, etc.) This give a couple of tiny advantages (powersavings : e.g. the modem could handle a call, including routing to bluetooth, while the main OS sleeps). Bur opens tons of security issue, specially once you factor in that this critical part, due to how frequency licensing works, CANNOT run an opensource firmware, but is instead controlled by the chipset manufacturer and the service provider.

    (The only notable exception are a few geek project like the Purism Librem 5, and Dragon Pyra, where the modem is still a separate chip that only speaks over serial+ethernet to the main chipset, has no other access to anything sensitive and can be killed with a simple switch).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  20. Re:Wow! AT&F&C1&D2 by Anonymous Coward · · Score: 1

    Pretty much all 2G, 3G, 4G, NB-IoT, Cat-M1, etc. cellular modules use AT commands. Anyone building things like GNSS trackers or M2M devices is familiar with them. It's something that worked and could easily be adapted for new uses without reinventing the wheel.

  21. Re:Let Me Guess by MachineShedFred · · Score: 1

    Nice. Back in the 28.8 and 33.6 days, that actually worked on most modems using Rockwell chipsets as they didn't have "guard time" between the +++ interrupt and taking a command. People could mass-dump people from IRC channels and such with that command (or worse - chain on a dial command for some long distance number / 911) until firmware updates came out to insert guard time.

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  22. Re:Let Me Guess by viperidaenz · · Score: 1

    That's why you used the IRC PING command, as their client you sent the request to would response with PONG and the argument you sent them.
    Sending PING +++ATH0 caused their client to respond with PONG +++ATH0

  23. Re:Are there really over 3,500 different AT comman by Orrin+Bloquy · · Score: 1

    Those are vendor-specific extensions that have nothing to do with Hayes Smartmodem actions but do things like simulate touch events, read and send back phone data, and other actions normally shielded by security measures. Read the article next time.

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."