Open AT Commands: a Huge Loophole Exploit in Android Revealed
Google has worked to harden Android's security for a decade now, since its initial release 10 years ago. Features such as Unknown Sources being disabled by default and Google Play Protect are the two prominent tools that protect Android and its users from harmful third-party apps. However, Google has overlooked one Android feature and has not blocked it from potential exploitation: AT commands. In a paper published by the University of Florida, the details of the exploit are laid out.
Through Android's AT commands, an attacker with access to the USB interface can tinker with the device's firmware. Because AT commands operate below Google's sandboxing layer, they give cybercriminals an open avenue into an Android device. AT commands let an attacker extract data and overwrite the Android firmware, bypassing the OS's built-in security mechanisms. The good news is that the proof of concept showed not all devices are created equal, as many manufacturers chose to create their own AT commands. This means the AT commands on a Samsung device differ from those on an LG device.
University of Florida's Kevin Butler, Dave Tian and Grant Hernandez have demonstrated the exploit, and the team claimed: "AT commands act as a universal interface between the Android OS and lower-level components, such as the baseband modem, and we found that some vendors extend the AT command set in specific, undocumented ways to add a considerable amount of additional functionality. They appear to serve a role, likely for testing and debugging, but ensuring that access to them is controlled against untrusted and malicious adversaries is vitally important."
Since AT commands are not the same across devices, the team went on to count the total number of AT commands across as many devices and vendors as they could get hold of. They indicate that approximately 3,500 AT commands are available across devices. To widen their research, they chose to further investigate the following mainstream Android devices: Note2, S7 Edge, S8+, G3, G4, ZenPhone 2, ZenPad and Nexus 5.
“We find AT commands enabling firmware flashing in Android phones, which were reported before … Once the phone is put into download mode using the AT commands …attackers can attempt to flash rooted or malware pre-installed images into the phone,” the team explained.
Public USB interfaces need to be secured, because AT commands can be sent over an untrusted USB connection. "The attacker doesn't need to physically be able to access the device in any way other than through the USB connection – think of a charging station at the airport, for example. The malicious charging station could run a small amount of code that puts the device into a mode where it can accept AT commands, and then they can be arbitrarily sent – in some cases, even when the device is locked," the team emphasized.
The University of Florida researchers hope that, following their responsible disclosure to device manufacturers, an effective patch can be issued soon to plug the AT command loophole. "We disclosed vulnerabilities to the affected vendors in February. LG and Samsung released patches in July to devices that are currently receiving security updates. LG additionally issued us a vulnerability ID (LVE-SMP-180001). Regarding Apple, we know that iPhones use AT commands, but whether they represent a security issue is currently an open research question we plan to investigate. There are other types of devices out there, such as IoT devices, that are known to respond to AT commands – these represent another set of devices that haven't been systematically examined."