Android Phones From 11 Vendors Vulnerable To AT Commands Attacks

This month, we have come across several instances regarding Android vulnerabilities. Not much time has passed since we heard about Android’s susceptibility to MITM attacks and the plethora of vulnerabilities in the preinstalled apps. Once again we are talking about Android vulnerability after researchers found that Android phones from 11 vendors are vulnerable to hacking attacks exploiting AT commands.

AT Command Attacks Threat Android Phones From 11 Vendors

A group of security researchers have discovered how AT command exploit attacks threaten most Android smartphones today. Reportedly, they tested Android phones from 11 vendors, all of which were found vulnerable to AT command attacks. They have presented the details of their findings in a paper included in the Proceedings of the 27th USENIX Security Symposium.

Reportedly, the team of 11 researchers from different institutes analyzed a range of smartphones from different vendors to observe the impact of AT command exploits. As stated in their paper,

“We systematically retrieve and extract AT commands from over 2,000 Android smartphone firmware images across 11 vendors to build a database of 3,500 commands. We test this AT command corpus against 8 Android devices from 4 vendors via USB connections.”

AT commands ‘support telephony functions’ in the smartphones. All the commands, according to the researchers, could allow an attacker to gain access to the device via the USB interface. To exploit this vulnerability, an attacker simply needs to hide malicious content in any charging station or USB docks. After the target phones connect with the USB, the attacker can intrude the device and can exploit the device AT commands for malicious activities. As explained by the researchers,

“We find that AT commands accessed through the USB interface allow almost arbitrarily powerful functionality without any authentication required. As such they present a large attack surface for modern smartphones. … We find different attacks using AT commands,  including firmware flashing,  Android security mechanism bypassing by making calls via USB, unlocking screens, injecting touch events, exfiltrating sensitive data, etc.”

Researchers Informed The Vendors About The Vulnerability

In their study, the researchers took the Android phones from 11 vendors listed here: ASUS, HTC, Google, Huawei, LG, Samsung, Motorola, LineageOS, Lenovo, Sony, and ZTE. Taking different models from these vendors, the researchers proceeded with their study in the way stated as below in their paper.

“We begin by identifying and retrieving 2,018 Android binary smartphone firmware images, covering 11 major Android cellphone vendors. Next, for each firmware, we unpack the image using a variety of tools and extract AT command strings using a regular expression.  After additional filtering, we recover 3,500 unique AT commands, many of which have differing parameter strings. Finally, using this database, we evaluate the security impact of these commands on real Android devices by setting up an automated testing framework to send the commands to physical Android devices and monitor any side-effects.”

After completing the study, the team has adequately informed the vendors about the security flaw. They have clearly disclosed it in their paper as well.

“We have notified each vendor of any relevant findings and have worked with their security team to address the issues.”

In this study, the researchers have taken into account the AT command attacks via USB interface on Android smartphones. Looking to the future, they are reportedly planning to perform studies on Apple devices, as well as look into the possibilities of AT command attacks via other modes of connection such as Bluetooth and WiFi.

Let us know your thoughts in the comments section.

Related posts

Sweet Security Introduces Evolutionary Leap in Cloud Detection and Response, Releasing First Unified Detection & Response Platform

Anti-Spam WordPress Plugin Vulnerabilities Risked 200K+ Websites

RomCom Exploits Zero Days In Recent Backdoor Campaigns