AT Command Hitch Leaves Android Phones Open to Attack

Attackers can use AT commands to launch several malicious functions on an array of Android devices, including extracting data, rewriting the smartphone firmware and bypassing Android security measures. All they need, according to researchers who developed a proof-of-concept (PoC) attack, is the device and a USB connection.

The PoC targets AT (ATtention) commands, which are traditionally used to control wired dial-up modems; these consist of a series of short text lines that can be strung together for commands like dialing or hanging up.

AT commands are in widespread use among smartphones, and while some commands have been standardized, many smartphone manufacturers have designed their own customized commands. For instance, AT commands on Sony Ericsson smartphone can access GPS accessories, researchers said.

A team of researchers from the University of Florida and Samsung Research America recently found that these vendor-specific AT command interfaces have an “alarming” amount of unconstrained functionality – marking a broad attack surface for Android devices.

“AT commands act as a universal interface between the Android OS and lower-level components, such as the baseband modem, and we found that some vendors extend the AT command set in specific, undocumented ways to add a considerable amount of additional functionality (e.g., take a picture, inject touch events, replace firmware),” Grant Hernandez, Dave Tian and Kevin Butler (all of the University of Florida and who contributed to the findings), told Threatpost. “They appear to serve a role, likely for testing and debugging, but ensuring that access to them is controlled against untrusted and malicious adversaries is vitally important.”

Researchers first retrieved and extracted 3,500 AT commands from over 2,000 Android smartphone firmware images across 11 vendors. In order to find AT commands present in firmware images, researchers combed through files searching for any string containing the regular expression AT[+*!@#$%^&] – which are extended AT commands.

They then tested these against eight Android devices from four different vendors through their USB interface. Those devices are: the Note2, S7 Edge, S8+,  G3, G4, ZenPhone 2, ZenPad and Nexus 5.

They were then able to launch an array of alarming functions, including rewriting device firmware, bypassing Android security mechanisms, performing screen unlocks and injecting touch events (meaning they injected a key press even when someone wasn’t touching the screen), solely through the use of AT commands.

Researchers also figured out how to exfiltrate sensitive device information, including IMEI, battery level, phone model, serial number, manufacturer, software version and SIM card details.

The research team told Threatpost that in some cases they found that specific AT commands known to be able to cause vulnerabilities in a vendor’s device were patched, only for the command to become accessible again in more current models.

“We find AT commands enabling firmware flashing in Android phones, which were reported before … Once the phone is put into download mode using the AT commands …attackers can attempt to flash rooted or malware pre-installed images into the phone,” researchers said.

Real-World Scenario

Importantly, an attacker would need access to the impacted phones as well as a malicious USB host, such as a PC or a USB charging station.

The attacker must be able to access the possibly inactive AT interface, researchers said.With access to this interface, the attacker will be able to send arbitrary AT commands supported by the target device to launch attacks.

One likely attack scenario is if someone left their phone at a charging outlet in an airport through a USB interface. An attacker can send commands through the USB cable to the phone.

“The attacker doesn’t need to physically be able to access the device in any way other than through the USB connection – think of a charging station at the airport, for example,” researchers told us. “The malicious charging station could run a small amount of code that puts the device into a mode where it can accept AT commands, and then they can be arbitrarily sent – in some cases, even when the device is locked.”

For instance, during their tests of the LG G4, researchers developed a PoC attack that enabled USB debugging without any user interaction. They were able to combine AT commands to install new unsigned applications (with high permissions) to achieve persistence on a victim’s phone.

Researchers said they have notified each vendor of any relevant findings and have worked with their security team to address the issues.

“We disclosed vulnerabilities to the affected vendors in February,” they told Threatpost. “LG and Samsung released patches in July to devices that are currently receiving security updates. LG additionally issued us a vulnerability ID (LVE-SMP-180001).”

However, Hernandez, Tian and Butler think they are just “skimming the surface” when it comes to seeing what kinds of commands, and further potential vulnerabilities, might exist – particularly on devices beyond Android.

“Regarding Apple, we know that iPhones use AT commands, but whether they represent a security issue is currently an open research question we plan to investigate,” they said. “There are other types of devices out there, such as IoT devices, that are known to respond to AT commands – these represent another set of devices that haven’t been systematically examined.”