It might feel like there’s always a new smartphone on the market with next-generation features that make yours obsolete. But no matter how many iterations mobile devices go through, they’re in many ways still based on decades-old electronics. In fact, antiquated 20th century telephone tech can be used to carry out decidedly 21st century attacks on many mainstream smartphones.
A team of researchers from University of Florida, Stony Brook University, and Samsung Research America has discovered that Attention (AT) commands, which date back to the 1980s, can be used to compromise Android devices. These modem and phone line controls originally told phones to dial, hang up a call, and so on. Over time, the use of AT commands expanded into modern protocols like SMS texting, 3G, and LTE, and even came to include custom commands for things like launching a camera or controlling a touchscreen on a smartphone.
The researchers, who presented their findings at the Usenix security conference in Baltimore this month, say that manufacturers usually set devices up to receive AT inputs for the field testing and debugging processes. The group found, though, that numerous mainstream smartphones leave the commands still accessible to anyone through a device’s USB port even after they’re in consumer hands.
As a result, an attacker could set up a malicious charging station, or distribute tainted charging cables, to initiate attacks that can take control of phones, exfiltrate data, and even bypass lock screen protections.
“You plug in a USB cable, we run a small script that enables a configuration of the USB interface that allows for the device to receive AT commands, and then we can send them and be on our way,” says Kevin Butler, an embedded security researcher at University of Florida who worked on the research. “There are certainly legitimate uses for AT commands, but they were probably not designed for public use. We found over 3,500 AT commands, and the vast majority nobody’s ever documented anywhere.”
An attacker could, for example, send commands that get around the phone’s lock screen, and then start initiating “touch events” on the screen, navigating wherever she wants on the phone to access data or change settings.
Since manufacturers don’t publicly document the commands, the researchers needed to reverse-engineer the fundamental code running on different smartphones, and then test out commands that they found to get a sense of what they could actually do. The group looked at 2,000 Android firmware images from 11 vendors for this initial survey, and then tested more tailored attack scenarios against eight Android models from four brands.
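A firmware survey of this kind starts with a plain string scan. The sketch below is an added illustration, not the researchers' tooling: the regular expression, the sample bytes, and the `AT%DEMOCAM` and `AT$DEMOTOUCH` names are constructed assumptions, while `AT+CFUN` and `AT+CMGS` are standard 3GPP commands.

```python
import re
from collections import defaultdict

# Assumed pattern: "AT", one extension symbol, then an upper-case name.
# '+' marks standardized extended commands; any other symbol is treated
# here as a vendor-specific candidate. The lookbehind rejects matches
# that are only the tail of a longer word (e.g. "FORMAT+ERROR").
AT_PATTERN = re.compile(rb"(?<![A-Za-z0-9])AT[+*!@#$%^&][A-Z][A-Z0-9_]{2,15}")

def extract_at_commands(blob):
    """Map each AT command candidate in a firmware blob to its byte offsets."""
    hits = defaultdict(list)
    for match in AT_PATTERN.finditer(blob):
        hits[match.group(0).decode("ascii")].append(match.start())
    return dict(hits)

def classify(hits):
    """Split candidates into standard extended and vendor-specific lists."""
    report = {"standard_extended": [], "vendor_candidates": []}
    for command in sorted(hits):
        key = "standard_extended" if command[2] == "+" else "vendor_candidates"
        report[key].append(command)
    return report

# Constructed sample standing in for a slice of an extracted firmware binary.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x00\x01"
    + b"AT+CFUN\x00"             # standard: set phone functionality
    + b"AT+CMGS=\x00"            # standard: send SMS
    + b"%s: AT%DEMOCAM\x00"      # hypothetical vendor command
    + b"FORMAT+ERROR\x00"        # false positive the lookbehind filters out
    + b"AT$DEMOTOUCH=%d,%d\x00"  # hypothetical vendor command
    + b"AT+CFUN\x00"             # second reference to the same command
)

if __name__ == "__main__":
    found = extract_at_commands(SAMPLE_FIRMWARE)
    for group, commands in classify(found).items():
        print(group, commands)
```

The vendor-specific list is the part that needs manual review, since those are the commands least likely to be documented.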
Not all Android phones are instantly vulnerable to attack. But an attacker with a malicious charging station set up in a busy airport would likely be able to take control of at least some phones, the researchers say. They also point out that Android’s “charge-only” mode generally doesn’t protect devices against AT command attacks. The protection isn’t always on by default, but even when it is, the group found that it was still possible to send AT commands while Android displays a security pop-up asking about access permissions for a malicious charging station.
“From what we’ve seen, different AT commands will hit different layers of your smartphone,” Butler says. “Some of the classic commands will hit the radio interface layer where the actual baseband processor is and where the calling happens. But the commands that allow you to do things like take a picture are actually being interpreted by the Android layer, by the operating system itself as opposed to by the phone. So even though the interface was designed for traditional telephone-type activities, it’s been built on to allow for far more powerful functionality—things like replacing the firmware on the phone, or initiating touchscreen events.”
In addition to the researchers’ sprawling findings about AT commands through USB interfaces, they also note that Bluetooth and other connectivity standards support AT commands. This means that there’s a whole potential ecosystem of exposure from the commands beyond exploiting them through USB ports.
“I am absolutely sure that in the next years more new vulnerabilities will surface using this attack vector,” says Alfonso Muñoz, a security researcher at the Spanish software development firm BBVA Next Technologies who has been studying insecurity in AT commands. “New implementations based on AT commands have not been analyzed enough yet from a security point of view.”
Samsung and LG have both issued patches to cut off access to AT commands through USB, and University of Florida’s Butler says that the group is also in touch with a number of other companies about working on fixes. Whether a device accepts AT commands, and how, is an issue in how Android is implemented by each manufacturer, and likely isn’t something Google can unilaterally resolve. But Butler warns that even if every manufacturer releases patches, there will still be issues with distributing them, because many companies only support Android devices for a few years, and fragmentation in the Android device population means that many phones receive patches on a long delay if ever. And research into AT command insecurity is just beginning.
“There are certain devices that didn’t appear to be taking those commands,” Butler says. “But it would be premature to say for sure that they’re not vulnerable. This is just the tip of the iceberg.”