A group of researches has found a flaw in 11 Android OEMs where they are vulnerable to attacks using AT commands.
Attention (AT) commands, or the Hays command set was introduced in the early 80's as a way for control modems to talk to each other over phone lines. The short-string commands tell a modem to dial or hang up. It was turned into a standard by the Telecommunication Industry Association and has been expanded to include SMS instant text messaging, 3G and include commands for launching the camera and controlling a touchscreen. When concerned with Android-based smartphones, it is used for field testing and debugging.
The research team of scientists at the University of Florida, Stony Brook University and Samsung Research America has analyzed over 2000 Android firmware images from eleven Android vendors and found many mainstream smartphones have the commands still accessible through a device's USB port, even when shipped to the consumer.
The fear is a malicious attacker could set up a charging station, charging dock or distribute fake cables that can run the code and take control of the phone, install spyware, steal data and bypass lock screen protections. Kevin Butler, an embedded security researcher at the University of Florida, has said: "There are certainly legitimate uses for AT commands, but they were probably not designed for public use. We found over 3,500 AT commands and the vast majority nobody’s ever documented anywhere." The researchers were able to access the underlying code from the smartphone and test the commands they found to figure out what they do, as manufacturers don't publicly document the AT commands they use.
Android's "charge-only" mode won't generally protect devices against AT command attack; the protection isn't always on by default and even if it is, the researchers found it was still possible to circumvent the security features.
The researchers warn that AT commands also support Bluetooth and other connectivity standards, opening a whole different ecosystem of AT command exploitation beyond the USB port. The investigation into AT command exploitation is relatively new and the findings they presented at the USENIX security conference in Baltimore (in August 2018) could be the tip of the iceberg.
Samsung and LG have issued patches to limit access to AT commands through USB. The research group is also working with other Android phone manufacturers to work on fixes. Whether a device will take AT commands is an issue with how Android is implemented by the different manufacturers and not a problem Google can blanket solve. With so many different companies supporting Android and the short shelf life of Android, there is massive fragmentation in the device population. It is unknown when, or even if, a device will receive a patch to mitigate the vulnerability.
The risk of a malicious attacker placing a charging station in a heavy traffic area like an airport or shopping centre won't infect everybody but can affect some. Even with patching and keeping your device updated it can still be vulnerable.
There are many risks associated with using a public phone charger. Much like an AT command infiltration, "juice-jacking" which has been seen in the wild, transfers malicious software to your device through a USB connection.
- If you are concerned about keeping your phone's battery charged, bringing your own cable and wall adapter will let you plug into any wall socket, which can be useful when travelling.
- It is suggested to use a USB battery pack (though if travelling by air, they might not let you take a USB battery pack on the plane) which enables you to charge your phone even when you are not around a wall socket.
- Other solutions are power-only USB cables, which lack the wiring needed to transfer data.
- When concerned over the security of your smartphone, it is recommended not to connect your smartphone to the entertainment system of a rental car. The dashboard software can import and store data from your phone including call logs, contact information and location data. If you do, make sure you delete your device's data from the entertainment system of the vehicle.
For more information on AT command attacks, please visit atcommands.org , the website put up by researchers which includes videos of the vulnerability in action.
For questions about protecting your businesses network, please contact Next Digital.