Fri. Jul 10th, 2020

Over one million Android devices are vulnerable to AT command set attacks

2 min read

A research team consisting of the University of Florida and the State University of New York recently announced the AT command attack vulnerability of multiple mobile devices.

The AT command is a short-string command set developed in the last century for controlling modem transmissions such as dialling or changing related parameters through a mobile network.

While today’s mobile devices include modems for connecting to mobile networks, AT commands have been around for many years but are still in use today.

Some AT commands may have weaknesses that are vulnerable to attack:

It is worth noting that international telecom organisations have standardised the AT command set and forced device support, but multiple vendors will add additional custom commands.

The research team found that some vendors’ custom AT commands has weaknesses that can be exploited, such as bypassing the lock screen interface and bypassing the security check mechanism.

Fortunately, these weak AT commands set need to be available through a USB connected device, which means that an attacker must physically touch the device to attack.

Besides, if you want to exploit the AT command set vulnerability successfully, you need to enable the USB debugging mode. If you do not allow the debugging mode, you will not be able to use it successfully.

Involving multiple vendors and firmware, there are security risks:

As mentioned above, an attacker who wants to implement an attack successfully also needs a USB connection, so theoretically the weakness of the AT command set does not cause a large-scale attack.

However, the potential AT command hidden danger is used by the attacker to engage in commercial espionage. This targeted attack is used to steal confidential information of the target device.

The research team said that after connecting via USB, it could successfully bypass Android security mechanism, perform screen unlock operation, install malware implementation monitoring, and so on.

Such problems exist in ASUS, Google, HTC, Huawei, Lenovo, LG, Motorola, Samsung, Sony, ZTE and LineageOS firmware.

Turning off USB debugging is a good practice:

The USB debugging function of Android system itself has a high danger. After this function is enabled, the screen lock password can be bypassed even if the AT command is not applied.

And a variety of messy housekeeper assistants can implement the silent installation function, that is, the device is connected to the computer via USB to install the application without prompting.

Therefore, for ordinary users, if you do not use a variety of housekeeper assistants often, then do not turn on USB debugging, the threat of the device will rise sharply after the device is turned on.

At present, the research team has also notified the relevant information of the AT command set to the manufacturer. It is expected that some manufacturers will release new firmware to fix the weaknesses.