As time marches on, old technology is often relegated to the dustbins of the unused and obsolete — that cold and lonely graveyard where VHS tapes, floppy disks, and dial-up internet sounds reside (remember these?).
Our smartphones, of course, may have evolved into these little pocket-sized computer powerhouses but they’re still called “phones” for a rather obvious reason — we still use them to make calls via the cellular network. (You still do, right?)
As such, modern smartphones have inherited certain functions and quirks that old-school phones had. And now, as it turns out, far from forgotten, some of this old-school tech can still be exploited for serious attacks!
Read on and see why these newly discovered vulnerabilities can be devastating.
According to the combined efforts of eleven researchers from the University of Florida, Stony Brook University and Samsung Research America, modern Android smartphones are still vulnerable to dangerous AT commands.
What are AT (Attention) commands? Also known as the Hayes command set, these codes were developed way back in the 80’s to command a modem to dial, hang up or change connection settings. Since AT commands were designed to be transmitted via regular phone lines, they are typically short and simple to execute.
Now you may think that in this era of smartphones and the internet, these old school codes should be obsolete by now. Well, think again.
Dangerous AT commands can be exploited
It turns out that even modern smartphones still have a basic modem included in them and they are still vulnerable to a wide variety of AT commands!
The researchers have analyzed more than 2,000 Android firmware images from eleven smartphone manufacturers including ASUS, Google, HTC, Huawei, Lenovo, LG, Motorola, Samsung, Sony, and ZTE.
What they discovered is quite alarming. They said that these Android phones they analyzed still support over 3,500 types of AT commands, including specific carrier commands that could allow access to critical functions like camera and touchscreen control.
How this attack can be launched
For now, the researchers noted that these AT command attacks can only be launched via a smartphone’s USB interface. This means an attacker still has to either gain physical access to a victim’s gadget, or boobytrap a USB interface (accessories, charging stations, etc.) to execute the commands.
Once a gadget is compromised via its USB port, an attacker can then issue secret AT commands to bypass Android security, rewrite firmware, steal data, and even replicate touch commands. In some instances, the AT commands can only be used when an Android gadget’s USB debugging mode is enabled.
However, the researchers warned that many phones still allowed direct access to AT commands even when they are locked. Scarier still, many of the commands are undocumented and not even the phone manufacturer’s documentation mention them anywhere.
As you can see in the video below, the biggest risk comes from a hacker’s ability to replicate touch display taps solely via AT commands. With these codes, an attacker can take full control of an Android gadget and even install further malicious apps.
What phones are affected?
The researchers have published a webpage containing a list of all the manufacturers and phone models that they found to be vulnerable to AT commands. It’s a very extensive database but you can sort through them via manufacturer and the models are alphabetically arranged.
The affected vendors and companies have also been notified about the security risks and we’re expecting that patches against these AT command vulnerabilities will be rolled out soon. Although these initial findings are confined to Android phones and their USB interfaces, researchers are also currently testing similar attacks on iPhones, as well as wireless vectors such as over Wi-Fi and Bluetooth interfaces.
For a more detailed look at this study, you can read the team’s research paper, “ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem.”
Beware of public charging stations
Since this attack can only be launched via a phone’s USB interface (for now), the obvious way to protect yourself is to keep your eye on your smartphone at all times. Additionally, beware of public charging stations and unknown USB accessories.
Your safest bet is to bring your own USB cable and charger and plug it directly into a wall outlet. If you’re traveling, a phone charging kit is one of the essential things you’ll need to bring anyway.
If you don’t have your cable or charger or if there’s no available wall outlet, another way to prevent booby-trapped charging stations from attacking your phone is to simply turn it off and keep it off while you are connected. Just unplug then turn it on after an hour or so of charging.