Android mobile devices from 11 vendors are exposed to AT Commands attacks
27.8.18 securityaffairs Android
A group of researchers has conducted an interesting study on AT command attacks against modern Android devices, discovering that models from 11 vendors are at risk.
A group of researchers from the University of Florida, Stony Brook University, and Samsung Research America has conducted an interesting study of the set of AT commands that are currently supported on modern Android devices.
The experts published a research paper titled “ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem”; the findings of their study were presented at the Usenix Security Symposium a few days ago.
The research revealed that millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands.
AT (ATtention) commands are a set of short text strings that can be combined to perform a series of operations on mobile devices, including dialing, hanging up, and changing the parameters of the connection.
AT commands can be transmitted over phone lines and are used to control modems.
Although international telecommunications regulators have defined the list of AT commands that all smartphones must implement, many vendors have also added custom AT command sets that can be used to manage specific features of the devices (e.g. camera control).
The experts analyzed over 2,000 Android firmware images from eleven Android OEMs (ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE) and discovered that the devices support over 3,500 different types of AT commands.
The researchers shared their findings with all affected vendors. The team published a website containing the list of phone models and firmware versions that expose the AT interface.
In some cases, using the custom AT commands it was possible to access very dangerous features implemented by the vendors. In many cases, the commands are not documented by vendors.
The experts discovered that almost all devices accept AT commands via the phone’s USB interface. To abuse the AT commands, the attacker needs physical access to the device or a malicious component in a USB dock or a charger.
“we systematically retrieve and extract 3,500 AT commands from over 2,000 Android smartphone firmware images across 11 vendors. We methodically test our corpus of AT commands against eight Android devices from four different vendors through their USB interface and characterize the powerful functionality exposed, including the ability to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, and inject touch events solely through the use of AT commands.” reads the research paper.
“We demonstrate that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices.”
Experts explained that AT commands could be abused by attackers to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, and perform other malicious activities.
Another disconcerting discovery made by the experts is that it is possible to submit AT commands even if the phone has entered a locked state.
“In many cases, these commands are completely undocumented,” said Kevin Butler, an associate professor in the University of Florida Herbert Wertheim College of Engineering and a member of the research team, revealing that an OEM’s documentation doesn’t even mention their presence.
The following videos show how AT commands can be used to carry out an attack against mobile devices.
Experts demonstrated that arbitrary touchscreen events can be injected over USB, mimicking touchscreen taps, a trick that could give an attacker full control over a mobile device.
“Commands for sending touchscreen events and keystrokes are also discovered for LG phones and the S8+; we can see the indications on the screen. We suspect these AT commands were mainly designed for UI automation testing, since they mimic human interactions. Unfortunately, they also enable more complicated attacks which only requires a USB connection” continues the paper.
The researchers published a Shell script that they used during their tests; it allowed them to find strings containing AT commands in the examined images.
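To illustrate that kind of string search from an auditor's side, the following Python example (added here, not the researchers' script) scans an extracted firmware tree for AT-command-like strings and lists those missing from a documented baseline. The pattern, the function names, the sample files and the placeholder command AT%EXAMPLEKEY are assumptions constructed for this example.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed heuristic (not the researchers' pattern): "AT", one extended-command
# prefix symbol, then a name of 2+ characters. The lookbehind rejects matches
# inside longer words such as "FORMAT+XY".
AT_PATTERN = re.compile(rb"(?<![A-Za-z0-9])AT[+*!@#$%^&][A-Za-z0-9_]{2,}")


def extract_at_commands(blob):
    """Return the set of AT-command-like strings found in raw bytes."""
    return {m.group(0).decode("ascii") for m in AT_PATTERN.finditer(blob)}


def scan_tree(root):
    """Map each candidate command to the relative paths of files containing it."""
    root = Path(root)
    hits = defaultdict(set)
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip links that may point outside the extracted image
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable entry; keep scanning the rest
        for cmd in extract_at_commands(data):
            hits[cmd].add(path.relative_to(root).as_posix())
    return dict(hits)


def undocumented(hits, documented):
    """Commands present in the firmware but absent from the documented list."""
    return sorted(set(hits) - set(documented))


def demo():
    """Run the scan over a constructed two-file tree (not real firmware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "modemd").write_bytes(
            b"\x7fELF\x00AT+CSQ\x00FORMAT+XY\x00AT%EXAMPLEKEY=1\x00")
        (root / "build.prop").write_bytes(b"ro.example=1\nAT+CSQ\n")
        return scan_tree(root)


if __name__ == "__main__":
    found = demo()
    for cmd in undocumented(found, {"AT+CSQ"}):  # constructed baseline
        print(cmd, sorted(found[cmd]))
```

A heuristic like this over-reports, so each hit still has to be checked against the binary that contains it before it is treated as an exposed command.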
“AT commands have become an integral part of the Android ecosystem, yet the extent of their functionality is unclear and poorly documented.” conclude the experts.