Smartphones From 11 OEMs, Including Google, Samsung, HTC, Lenovo and Sony, Vulnerable To Attacks Via Hidden AT Commands

An anonymous reader writes: In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands, or the Hayes command set, are currently supported on modern Android devices.

The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE. They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions. These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

Oyyyyyy.

[b0s0z0ku]

Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

Re:Oyyyyyy.

[mikael]

It's not just cell phone modems. PCMCIA cards for laptops have the same set of AT commands. Same with satellite modem cards that would allow a PC to connect with the various satellite networks. This makes the development and porting of device driver software easy. You just take a basic functionality driver and add the extras you need like support for SMS, reading cell phone tower/satellite signal strengths, making and ending calls, switching to data mode.

Re:

[bferrell]

I can show you "serial" ports that run at Gig+ speeds on routers. Serial ports aren't the bottleneck.

The "network" interface those connections use is related to PPPoE. Nothing new got invented for data connections on the cellular network. You don't even want to know how data was handled on the AMPS network ( '86 and after ).

Re:

[Anonymous Coward]

It's not a limit of the serial port as such but of the way data is shuffled to and from the serial port. It takes too much CPU time to do high speed serial communication with the abstractions designed for much slower connections.

Re:

[mikael]

Maybe they have been replaced by USB dongles. But the command set is the same:

https://www.developershome.com... [developershome.com]
https://www.sierrawireless.com... [sierrawireless.com]
https://www.sparkfun.com/datas... [sparkfun.com]

Re:

[AmiMoJo]

It's a non issue though.

To exploit this an attacker would need to unlock and get root on the device. If they can do that you are screwed anyway.

Re:

[SandorZoo]

Not on LG phones. On those, you can unlock the phone, send arbitrary touch events to do whatever you want, and access files in /sdcard, all with just a USB connection. Samsung are also some what vulnerable, but at least their screenlock can't be bypassed. However, the paper points out 28% of smartphone users to not have a pin, pattern, or biometric lock set. Also, Samsung allow phone calls to be made/answered using the AT commands even if locked.

Re:

[Anonymous Coward]

Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

Because when connected to a computer with a serial cable, you can only speak to the chip over serial.
Ethernet doesn't support dialing into another modem or faxing, and most all devices that use a modem to connect to the phone network don't have an IP or any address suitable for Ethernet framing to be sent to them.

You would only dial #777 if you wanted to dial into Sprint by PPP
You'd dial something different if you wanted to connect to a device with its own phone number.

The AT command set is very expandable,

Re:

[AC-x]

Because when connected to a computer with a serial cable, you can only speak to the chip over serial

Serial? You mean RS-232? Who connects to their phone over RS-232 any more? How do you even connect to a modern smartphone with an RS-232 cable??

When I plug my phone into my computer over USB the phone gives me the option to tether via USB, which then presents the phone as a USB ethernet device and routes the traffic over that...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[crypticedge]

This is why you always use your own power block and usb cable. And don't by cheap knockoffs of the real power blocks/docks.

Or, get a few "power only" usb cables that are designed to block data transfers entirely.

North bridge

[DrYak]

The fact that the modem itself speaks AT commands isn't anything new (the smartphone OSes still needs to send command to it to ask to get a 3G/4G connection, or to dial a voice number. The ethernet-card-like interface is only exposed by the modem when the connection is set up.)

The problem lies at two different levels :

- Why is the smartphone exposing the modem over its USB connection ? It might by a bug in the OS (it should either expose some android-y interface like ADB, expose whatever shitty thing is pop

Re:

[tlhIngan]

Why is a cell phone modem still emulating a dial-up modem in 2018? (!) Shouldn't it behave like an Ethernet card or something? Do they still "officially" need to dial "#777" to get a data connection?

Because a data connection is still attached like a dialup connection.

Though to be completely correct, only voice calls and circuit-switched data connections traditionally use the "ATD" command. To establish a proper 3G+ connection takes another command to establish and tear down data contexts.

The whole command s

Re:

[b0s0z0ku]

iPhones/iPads likely use a baseband "modem" with the same set of commands. This is not a platform thing, this is a hardware thing.

Re:

[Orrin Bloquy]

Those are vendor-specific extensions that have nothing to do with Hayes Smartmodem actions but do things like simulate touch events, read and send back phone data, and other actions normally shielded by security measures. Read the article next time.

Re:Let Me Guess

[viperidaenz]

+++ATH0

Re:

[mykie242]

NO CARRIER

Re:

[MachineShedFred]

Nice. Back in the 28.8 and 33.6 days, that actually worked on most modems using Rockwell chipsets as they didn't have "guard time" between the +++ interrupt and taking a command. People could mass-dump people from IRC channels and such with that command (or worse - chain on a dial command for some long distance number / 911) until firmware updates came out to insert guard time.

Re:

[viperidaenz]

That's why you used the IRC PING command, as their client you sent the request to would response with PONG and the argument you sent them.
Sending PING +++ATH0 caused their client to respond with PONG +++ATH0

In semi-related news ...

[fahrbot-bot]

Imperial All Terrain Armored Transport vehicles (aka Walkers) vulnerable to attacks via hidden AT-AT commands.

Re:

[vtcodger]

Well ... OK ... But who's going to shinny up and plug our remote control iinterface into the Walker USB port?

Re:

[JabrTheHut]

Why oh why did they add the +++ATB00M command into the spec?

What this means for law enfocement

[Anonymous Coward]

One of the easiest backdoors into phones just got noticed. I'm not shocked, and wonder if the RF side of the baseband is just as bad.

Upshot is that your devices will be a lot more secure after this gets patched. The downside is that all those companies providing 'unlocks' for law enforcement just had a major hole closed up and their lives just got more difficult

so what?

[miekal]

PC's BIOS contains code that allow security mechanisms to be bypassed, code injected, formatted, and even become hijacked with alternative OS'es. I'm glad they are discovering this for us but it's not that scary - to me the news is that this is undocumented.. assuming they googled the results.

NSS

[WaffleMonster]

What's new? Do people actually expect their phones or PCs to survive encounters with offensive USB hardware? Nevermind RIL access I can plug a keyboard or mouse into a phone USB port and hack away without authorization as well. It only takes a couple of seconds to drop a payload with malicious HID USB via preprogrammed keystrokes. Attack surface of USB is as massive as it is indefensible.

From TFA 5 of the 13 devices they tested give access to serial interface over USB by default. The others require ex

Re:

[viperidaenz]

The news is you can unlock a phone via the usb port, and presumably gain access to an encrypted phone without the passcode.
You can't do that by sending keystrokes via a usb hid.

Re:

[kenh]

The news is you can unlock a phone via the usb port, and presumably gain access to an encrypted phone without the passcode.

So the user has to dock their device into an insecure device and the phone is unlocked by injecting some AT commands? What smartmodem AT command unlocks a cellphone? And once it is supposedly unlocked though this magical AT command, there are other magical AT commands to emulate touch events?

Why was the AT smartmodem expanded to include "smartphone unlock" and "touch event" commands?

Re:

[account_deleted]

Comment removed based on user account deletion

Re: NSS

[Tomahawk]

Or hand it over to a TSA agent...

Re:

[SandorZoo]

What smartmodem AT command unlocks a cellphone? And once it is supposedly unlocked though this magical AT command, there are other magical AT commands to emulate touch events?

LG smartphones. From the paper:

To demonstrate this attack, we combine AT commands to bypass the lock screen (AT%KEYLOCK=0), navigate to the settings menu using touchscreen automation, and allow USB debugging from our attacking machine (AT%USB=adb). The KEYLOCK AT command bypasses the lock screen even if a pattern or passcode is set. From there, arbitrary touch events can be sent to control the phone(*). Given that nearly 28% of users do not have a pin, pattern, or biometric lock, this attack would still be feasible even without the LG-specific KEYLOCK command

* Once these commands are patched, visit https://github.com/FICS/atcmd [github.com] for an automated script and the required utilities

Samsung phones have AT commands for touch events, but no magic unlock command.

Re:

[WaffleMonster]

The news is you can unlock a phone via the usb port

This is not news. Attack surface of USB is gargantuan. Completely indefensible.

https://nakedsecurity.sophos.c... [sophos.com]

Hayes AT commands?

[jfdavis668]

Next thing you will tell me is that there are Pascal vulnerabilities.

Cellphone-on-a-chip been around for a while.

[MindPrison]

I don't know if anyone of you are into Arduino?

But it's been common knowledge for years now that you can purchase chips complete with IMEI number, multi-band RX/TX, fully featured with data, phone, simcard reader (just solder directly to pins!) mic in/speaker out pins, and the commands you send to it is via normal serial connections, you can use AT commands just like on an old HAYES(tm) modem.

The ones on ebay are often batches from really old cellphones, but very simple to code as you basically can do this just by interfacing them with an USB to SERIAL adapter, and then you can in fact use them just as a regular cellphone. I have a bunch of such chips in my drawer, let me give you some numbers for fun so you can find out for yourself, it's really an open door, surprising that so few know this, here's some numbers: NEOWAY M590E and another: SIM800L, if you google the first - you'll find tons of coding examples (which is so easy a 12 year old can figure it out), and instructional videos. The chips are often found complete with DIY PCB's someone put together as a kit out there, or presoldered, usually around 2-3 dollars, what a world we live in.

And yes, these can be wired up to become your own cellphone, simple, or smart (use an raspberry pi with a touch screen, load it up with an OS, your choice). And a little software magic aka amateur hour - and you're done.

A lot of devs, have done the same thing, it's a lot easier and a LOT more accessible to construct your own phone, than most people even dare to dream of.

Re:

[quenda]

here's some numbers: NEOWAY M590E and another: SIM800L,

Good luck finding an operational 2G network in 2018! :-)
  Are there any cheap 3g/lte equivalents?

You could buy an old phone or USB 3G modem from ebay for a few dollars. Can an Arduino use the USB serial port on that?

Re:

[infolation]

The UK still has a fully operational 2G network.

The only way to achieve a steady stable NTRIP connection here is with 2G.

Re:

[account_deleted]

Comment removed based on user account deletion

ATTENTION

[buravirgil]

Colossus and Guardian are one.

Nonsensical

[kenh]

I understand that through careful use of AT commands through a device a user would have to physically dock into you can trigger the device to perform certain actions (like dial a call), but the claims in the summary are nothing short of fantastical:

These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations. Once an attacker is connected via the USB to a target's phone, s/he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

Exactly what AT command from the 1980s Hayes smartmodems does one use to "perform screen unlocks" or "inject touch events" into a device, let alone "exfiltrate sensitive device information"?

Re:

[Anonymous Coward]

the command set was significantly extended to support connectivity of modern devices. this is how host devices/software communicate with the connected device for everything like software maintenance, data dumps, connectivity, firmware updates, settings and configuration, etc. cheap to implement but oh, so shitty by design.

Re:Nonsensical

[mikael]

The AT+CPIN and AT+CPIN2 commands is used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

https://www.arcelect.com/GSM%2... [arcelect.com]

Re:

[WaffleMonster]

The AT+CPIN and AT+CPIN2 commands is used to enter the PIN codes used to unlock the SIM card and modem equipment. Once you have access to the SIM Card, you get caller lists. Proactive SIM cards now have their own menu systems and UI built in. AT+CKPD emulates the keypad. AT+CPBS and AT+CPBR allow access to the phonebook lists of callers and called numbers.

If you were to use these commands on most smart phones they would come up blank. While there are provisions for SIM storage of messages, phone book, history it's seldom used.

Re:

[grep -v '.*' *]

Exactly what AT command from the 1980s Hayes smartmodems does one use to "perform screen unlocks" or "inject touch events" into a device, let alone "exfiltrate sensitive device information"?

Where have YOU been? You've seen the movies: "AT Do-What-I-Want" by banging away on the keyboard like a Shakespeare monkey. Every good hacker knows that.

Really though, I'm surprised to see they've enhanced the command set this much.

Re: Nonsensical

[Tomahawk]

Read the article linked and watch the 2nd video...!
(It's quite obvious from your comment that you didn't already)

Uh... Secret?!

[bferrell]

Those command are how USB tethering works

Yes, it pretends to be a modem/serial port. Oh well.

The USB gadget interface is odd at best.

Re:

[account_deleted]

Comment removed based on user account deletion

Secret really?

[skullandbones99]

The cellular AT commands are specified by the 3GPP Open Standard document 27.007.

Anyone can download the latest doc from http://www.3gpp.org/ftp/Specs/... [3gpp.org]

There was no need to reinvent the wheel because the old Hayes inspired AT command technology could easily be applied to modern cellular devices.

Bluetooth can use AT commands for transferring contact information between devices and therefore AT commands are not restricted to the USB to serial interface. In other words, Bluetooth can provide virtual serial links over the Bluetooth radio link which I suspect an attacker would like to exploit remotely.

When implementing an AT command interpreter, care is needed to not allow unauthorised entities from executing actions that are deemed to be dangerous to the integrity of the system.

However, vendors can create their own vendor specific commands. That can be a weakness because they won't be tested in conformity testing for 27.007 and other AT command specifications.

Re:

[SpzToid]

300baud FTW! with screeches and bleeps to alert anyone around, possibly in the early am hours because of pure bandwidth lust and greed.

Wow! AT&F&C1&D2

[p51d007]

Holy crap! I haven't used AT commands since I got rid of my external modem in the dial up internet days. Started with a 2400bps, then 9600, 33k, and 56k. When I went to 1.5meg DSL then to a whopping 3-6 meg, thought it couldn't get any better LOL. AT commands...there's a walk down memory lane!

Re:

[Anonymous Coward]

Pretty much all 2G, 3G, 4G, NB-IoT, Cat-M1, etc. cellular modules use AT commands. Anyone building things like GNSS trackers or M2M devices is familiar with them. It's something that worked and could easily be adapted for new uses without reinventing the wheel.

+++ath

[Tomahawk]

+++ath

Just testing...

total bullshit scare mongering

[pablo_max]

Seriously, this article is fucking ridiculous scare mongering, pure and simple.
Let's see.
They need physical access to your phone.
They need to have your password because the phone must be able to install as a modem, but Android does not do without enabling it EACH time you plug it in.
They need the modem drivers.
Then, they need to send AT commands after all that. After they were already holding your unlocked phone.

Likely most people have no idea about AT commands. Yes, they are still used. They are also mandatory to support, should you wish to certify your phone according to PTCRB, which, unless you are selling only to VzW or Sprint, you MUST do to be allowed on the network.
AT commands are normally not used by people. They are used by machines.
They are used by SIM application tool kit for example. Your SIM card has applications on it that handles things like steering of roaming. This is done via at commands to the modem.
Or changing the PLMN as another example.

If you really want to fuck with your phone, then DL a copy of QXDM and start tweaking NV items. NV items are used by qualcomm to control everything about the radio. Change the bands? Sure, no problem. Change power class? Yup.
Of course, the physical HW would not support it and likely you would damage the PA, but you can still set it. There likely wont be any matching circuit in the antenna path either. So if the PA can transmit in that band, you will get some pretty wicked spurious emissions.
There are tons of settings you can make to brink your phone straight away.
This takes the same level of access then sending stupid AT commands.

Fake News

[johnsie]

This isn't even an issue.

Re:

[sheramil]

If you have an android phone, youâ(TM)re best off throwing it directly in the garbage and buying a real phone.

Oh, "youâ(TM)re" are, are you? Good to know.