Revenge of the modems

The following subscription-only content has been made available to you by an LWN subscriber. Thousands of subscribers depend on LWN for the best news from the Linux and free software communities. If you enjoy this article, please consider accepting the trial offer on the right. Thank you for visiting!

By Jake Edge
October 3, 2018

Back in the halcyon days of the previous century, those with a technical inclination often became overly acquainted with modems—not just the strange sounds they made when connecting, but the AT commands that were used to control them. While the AT command set is still in use (notably for GSM networks), it is generally hidden these days. But some security researchers have found that Android phones often make AT commands available via their USB ports, which is something that can potentially be exploited by rogue USB devices of various sorts.

A paper [PDF] that was written by a long list of researchers (Dave (Jing) Tian, Grant Hernandez, Joseph I. Choi, Vanessa Frost, Christie Ruales, Patrick Traynor, Hayawardh Vijayakumar, Lee Harrison, Amir Rahmati, Michael Grace, and Kevin R. B. Butler) and presented at the 27th USENIX Security Symposium described the findings. A rather large number of Android firmware builds were scanned for the presence of AT commands and many were found to have them. That's not entirely surprising since the baseband processors used to communicate with the mobile network often use AT commands for configuration. But it turns out that Android vendors have also added their own custom AT commands that can have a variety of potentially harmful effects—making those available over USB is even more problematic.

They started by searching through 2018 separate Android binary images (it is not clear how that number came about, perhaps it is simply coincidental) from 11 different vendors. They extracted and decompressed the various pieces inside the images and then searched those files for AT command strings. That process led to a database of 3500 AT commands, which can be seen at the web site for ATtention Spanned—the name given to the vulnerabilities.

In order to further test the reach of these commands, the researchers then ran tests sending the commands to actual devices: 13 Android phones and one Android tablet. Of those, they found that five would enable AT commands on the USB by default; three more had non-default USB configurations with AT-command support, which could be switched on for rooted phones. The others were immune to these particular AT-command-based attacks.

The results were eye-opening—at least for the affected devices. The kinds of operations that can be performed using AT commands are extensive—and worrisome. The set of operations supported varies widely, from firmware flashing to factory reset to making calls (even when the lock screen is up) to extracting information about the device and its configuration. These are, in short, a surefire way to end up with a compromised device, but only if it is plugged into the "wrong" USB device.

It turns out that some of these devices simply present a serial port when the USB cable is plugged in. The other side can just start sending AT commands via that serial port, which are handed off to a user-space daemon on the Android device. That daemon processes the AT commands and sends back any response (e.g. "OK"). Wiring up a user-space process to the external world via the connection used for charging may not have been the wisest choice these device makers could have made.

While there are rogue USB devices out there, and one can imagine ways to engineer someone into plugging one in, there is a more common case where phones are routinely plugged in, sometimes to devices that are not necessarily secure or well-policed: battery charging. There are multiple situations where one might take advantage of a charge from a potentially dodgy USB power source, including at power kiosks (e.g. at airports) or by borrowing one. Getting your device charged is not generally seen as a risky move but, for some devices, perhaps it should be. It is probably worth considering a USB Condom or similar device for charging safety.

Some of these vulnerabilities have been reported before, but those "analyses have been ad-hoc and narrowly focused on specific smartphone vendors". What the ATtention Spanned researchers have done, then, is to take a more systematic look across a wider slice of the Android marketplace to see what kinds of problems can be found—the results were not encouraging. One phone model can be temporarily bricked with a reset AT command (i.e. normal recovery modes would not bring it back but, ironically, using two AT commands would reboot the phone), for example. In addition, several of the phones would make calls using the "ATD" command, even when the screen is locked. There is a whole raft of information that can be leaked from some devices via AT commands; these include things like SIM card details, /proc and /sys data, the IMEI number, software versions, and more.

While it undoubtedly makes for an excellent way to help debug and troubleshoot phones and other devices, it is a little hard to understand why device makers would leave that path enabled on production hardware. Perhaps in the same way that users don't think of charging as a path to system compromise, device makers were also thinking past the problem. USB is a useful way to recharge these devices, but that shouldn't make folks lose track of what else it can do.

One might guess that device makers will be disabling USB access to their AT commands before long, but the researchers also note some other, potentially disturbing possibilities. In the FAQ on the web site, they note: "We did not investigate remote AT attack surface, but the first places we would look would be the BlueTooth interface and the baseband." One hopes that this might alert device makers so that they investigate and lock down these possibilities if needed. More cynical observers might be forgiven for guessing that it may take another research paper or two before they actually get around to doing so, however.

Did you like this article? Please accept our trial subscription offer to be able to see more content like it and to participate in the discussion.

(Log in to post comments)