Slashdot Mirror

← Back to Stories (view on slashdot.org)

Smartphones From 11 OEMs, Including Google, Samsung, HTC, Lenovo and Sony, Vulnerable To Attacks Via Hidden AT Commands (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands, or the Hayes command set, are currently supported on modern Android devices.

The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE. They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions. These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

16 of 116 comments (clear)

  1. Oyyyyyy. by b0s0z0ku · · Score: 2

    Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

    1. Re:Oyyyyyy. by mikael · · Score: 4, Informative

      It's not just cell phone modems. PCMCIA cards for laptops have the same set of AT commands. Same with satellite modem cards that would allow a PC to connect with the various satellite networks. This makes the development and porting of device driver software easy. You just take a basic functionality driver and add the extras you need like support for SMS, reading cell phone tower/satellite signal strengths, making and ending calls, switching to data mode.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:Oyyyyyy. by AmiMoJo · · Score: 2

      It's a non issue though.

      To exploit this an attacker would need to unlock and get root on the device. If they can do that you are screwed anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re: Oyyyyyy. by crypticedge · · Score: 2

      This is why you always use your own power block and usb cable. And don't by cheap knockoffs of the real power blocks/docks.

      Or, get a few "power only" usb cables that are designed to block data transfers entirely.

    4. Re:Oyyyyyy. by SandorZoo · · Score: 2

      Not on LG phones. On those, you can unlock the phone, send arbitrary touch events to do whatever you want, and access files in /sdcard, all with just a USB connection. Samsung are also some what vulnerable, but at least their screenlock can't be bypassed. However, the paper points out 28% of smartphone users to not have a pin, pattern, or biometric lock set. Also, Samsung allow phone calls to be made/answered using the AT commands even if locked.

  2. In semi-related news ... by fahrbot-bot · · Score: 3, Funny

    Imperial All Terrain Armored Transport vehicles (aka Walkers) vulnerable to attacks via hidden AT-AT commands.

    --
    It must have been something you assimilated. . . .
  3. Hayes AT commands? by jfdavis668 · · Score: 2

    Next thing you will tell me is that there are Pascal vulnerabilities.

  4. Re:Let Me Guess by viperidaenz · · Score: 4, Funny

    +++ATH0

  5. Cellphone-on-a-chip been around for a while. by MindPrison · · Score: 4, Interesting

    I don't know if anyone of you are into Arduino?

    But it's been common knowledge for years now that you can purchase chips complete with IMEI number, multi-band RX/TX, fully featured with data, phone, simcard reader (just solder directly to pins!) mic in/speaker out pins, and the commands you send to it is via normal serial connections, you can use AT commands just like on an old HAYES(tm) modem.

    The ones on ebay are often batches from really old cellphones, but very simple to code as you basically can do this just by interfacing them with an USB to SERIAL adapter, and then you can in fact use them just as a regular cellphone. I have a bunch of such chips in my drawer, let me give you some numbers for fun so you can find out for yourself, it's really an open door, surprising that so few know this, here's some numbers: NEOWAY M590E and another: SIM800L, if you google the first - you'll find tons of coding examples (which is so easy a 12 year old can figure it out), and instructional videos. The chips are often found complete with DIY PCB's someone put together as a kit out there, or presoldered, usually around 2-3 dollars, what a world we live in.

    And yes, these can be wired up to become your own cellphone, simple, or smart (use an raspberry pi with a touch screen, load it up with an OS, your choice). And a little software magic aka amateur hour - and you're done.

    A lot of devs, have done the same thing, it's a lot easier and a LOT more accessible to construct your own phone, than most people even dare to dream of.

    --
    What this world is coming to - is for you and me to decide.
    1. Re:Cellphone-on-a-chip been around for a while. by squiggleslash · · Score: 2

      T-Mobile still has a functional 2G GSM/EDGE network in the US which it runs in parallel with 3G GSM (UMTS) and 4G GSM (LTE). I believe most of Europe still supports GSM.

      2G GSM is probably the most solid, reliable, mobile phone technology in existence, it'll be a sad day when it goes completely. If they're short on spectrum, dumping UMTS would make more sense.

      --
      You are not alone. This is not normal. None of this is normal.
  6. Secret really? by skullandbones99 · · Score: 4, Informative

    The cellular AT commands are specified by the 3GPP Open Standard document 27.007.

    Anyone can download the latest doc from http://www.3gpp.org/ftp/Specs/...

    There was no need to reinvent the wheel because the old Hayes inspired AT command technology could easily be applied to modern cellular devices.

    Bluetooth can use AT commands for transferring contact information between devices and therefore AT commands are not restricted to the USB to serial interface. In other words, Bluetooth can provide virtual serial links over the Bluetooth radio link which I suspect an attacker would like to exploit remotely.

    When implementing an AT command interpreter, care is needed to not allow unauthorised entities from executing actions that are deemed to be dangerous to the integrity of the system.

    However, vendors can create their own vendor specific commands. That can be a weakness because they won't be tested in conformity testing for 27.007 and other AT command specifications.

  7. Re:Nonsensical by mikael · · Score: 4, Informative

    The AT+CPIN and AT+CPIN2 commands is used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

    https://www.arcelect.com/GSM%2...

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  8. Re:Let Me Guess by mykie242 · · Score: 3, Funny

    NO CARRIER

  9. Wow! AT&F&C1&D2 by p51d007 · · Score: 3, Interesting

    Holy crap! I haven't used AT commands since I got rid of my external modem in the dial up internet days. Started with a 2400bps, then 9600, 33k, and 56k. When I went to 1.5meg DSL then to a whopping 3-6 meg, thought it couldn't get any better LOL. AT commands...there's a walk down memory lane!

  10. Re: NSS by Tomahawk · · Score: 2

    Or hand it over to a TSA agent...

  11. total bullshit scare mongering by pablo_max · · Score: 2

    Seriously, this article is fucking ridiculous scare mongering, pure and simple.
    Let's see.
    They need physical access to your phone.
    They need to have your password because the phone must be able to install as a modem, but Android does not do without enabling it EACH time you plug it in.
    They need the modem drivers.
    Then, they need to send AT commands after all that. After they were already holding your unlocked phone.

    Likely most people have no idea about AT commands. Yes, they are still used. They are also mandatory to support, should you wish to certify your phone according to PTCRB, which, unless you are selling only to VzW or Sprint, you MUST do to be allowed on the network.
    AT commands are normally not used by people. They are used by machines.
    They are used by SIM application tool kit for example. Your SIM card has applications on it that handles things like steering of roaming. This is done via at commands to the modem.
    Or changing the PLMN as another example.

    If you really want to fuck with your phone, then DL a copy of QXDM and start tweaking NV items. NV items are used by qualcomm to control everything about the radio. Change the bands? Sure, no problem. Change power class? Yup.
    Of course, the physical HW would not support it and likely you would damage the PA, but you can still set it. There likely wont be any matching circuit in the antenna path either. So if the PA can transmit in that band, you will get some pretty wicked spurious emissions.
    There are tons of settings you can make to brink your phone straight away.
    This takes the same level of access then sending stupid AT commands.