Slashdot Mirror
Smartphones From 11 OEMs, Including Google, Samsung, HTC, Lenovo and Sony, Vulnerable To Attacks Via Hidden AT Commands (bleepingcomputer.com)
An anonymous reader writes: In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands, or the Hayes command set, are currently supported on modern Android devices.
The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE. They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions. These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.
The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE. They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions. These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.
It's not just cell phone modems. PCMCIA cards for laptops have the same set of AT commands. Same with satellite modem cards that would allow a PC to connect with the various satellite networks. This makes the development and porting of device driver software easy. You just take a basic functionality driver and add the extras you need like support for SMS, reading cell phone tower/satellite signal strengths, making and ending calls, switching to data mode.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
+++ATH0
I don't know if anyone of you are into Arduino?
But it's been common knowledge for years now that you can purchase chips complete with IMEI number, multi-band RX/TX, fully featured with data, phone, simcard reader (just solder directly to pins!) mic in/speaker out pins, and the commands you send to it is via normal serial connections, you can use AT commands just like on an old HAYES(tm) modem.
The ones on ebay are often batches from really old cellphones, but very simple to code as you basically can do this just by interfacing them with an USB to SERIAL adapter, and then you can in fact use them just as a regular cellphone. I have a bunch of such chips in my drawer, let me give you some numbers for fun so you can find out for yourself, it's really an open door, surprising that so few know this, here's some numbers: NEOWAY M590E and another: SIM800L, if you google the first - you'll find tons of coding examples (which is so easy a 12 year old can figure it out), and instructional videos. The chips are often found complete with DIY PCB's someone put together as a kit out there, or presoldered, usually around 2-3 dollars, what a world we live in.
And yes, these can be wired up to become your own cellphone, simple, or smart (use an raspberry pi with a touch screen, load it up with an OS, your choice). And a little software magic aka amateur hour - and you're done.
A lot of devs, have done the same thing, it's a lot easier and a LOT more accessible to construct your own phone, than most people even dare to dream of.
What this world is coming to - is for you and me to decide.
The cellular AT commands are specified by the 3GPP Open Standard document 27.007.
Anyone can download the latest doc from http://www.3gpp.org/ftp/Specs/...
There was no need to reinvent the wheel because the old Hayes inspired AT command technology could easily be applied to modern cellular devices.
Bluetooth can use AT commands for transferring contact information between devices and therefore AT commands are not restricted to the USB to serial interface. In other words, Bluetooth can provide virtual serial links over the Bluetooth radio link which I suspect an attacker would like to exploit remotely.
When implementing an AT command interpreter, care is needed to not allow unauthorised entities from executing actions that are deemed to be dangerous to the integrity of the system.
However, vendors can create their own vendor specific commands. That can be a weakness because they won't be tested in conformity testing for 27.007 and other AT command specifications.
The AT+CPIN and AT+CPIN2 commands is used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.
https://www.arcelect.com/GSM%2...
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads