On various Samsung Galaxy devices it is possible to send AT commands over a USB cable. The most startling fact is that this works even when the device is locked.
You might be thinking that this is not a serious issue. But think again: don't we leave our phones on our desks, assuming that because they are locked nobody can access them? Now do you see the gravity of the issue?
According to security researchers Roberto Paleari and Aristide Fattori, a phone connected to a computer via USB can expose its modem to the host as a serial interface over the USB link. On older devices, such as the Samsung S4 Mini with build I9192XXUBNB1, this interface is exposed automatically, while on newer ones it has to be forced. In either scenario the result is the same whether the phone is locked or unlocked.
The researchers believe that “this communication channel is active even when both USB tethering and USB debugging (i.e., ADB) are disabled, and can be accessed even when the device is locked. An attacker who gains physical access to a (possibly locked) device can thus use this interface to send arbitrary AT commands to the modem. This permits to perform several actions that should be forbidden by the lock mechanism, including placing phone calls or sending SMS messages.”
On older versions, the smartphone is plugged into a Linux host, which sees it as a USB serial modem; it thus becomes accessible through the corresponding Linux device, such as /dev/ttyACM0. Once the connection is established, AT commands can be sent directly, and the attacker can carry out a series of operations against the device. For instance, the AT command AT+USBDEBUG can be used to enable USB debugging, and AT+WIFIVALUE to enable the wireless network.
List of vulnerable devices:
SM-G920F, build G920FXXU2COH2 (Galaxy S6)
SM-N9005, build N9005XXUGBOK6 (Galaxy Note 3)
GT-I9192, build I9192XXUBNB1 (Galaxy S4 mini)
GT-I9195, build I9195XXUCOL1 (Galaxy S4 mini LTE)
GT-I9505, build I9505XXUHOJ2 (Galaxy S4)
To analyze and demonstrate the attack, the researchers also developed a proof-of-concept tool.
On several Samsung phone models, unprivileged applications can perform "stealth calls" (i.e., with no visible clue) pic.twitter.com/cMJWcqZ0yg
— Roberto Paleari (@rpaleari) February 22, 2016
They acknowledged in their write-up that: “For our PoC we developed a very rough C tool, USB switcher, that switches any attached Samsung device to USB configuration #2 (this is fine for the devices we tested, but your mileage might vary). The tool uses libusb to do the job, but the same task can probably be accomplished using the /sys/bus/usb pseudo-filesystem.”
“The trick we used to force the phone to switch the configuration is to first reset the USB device (via usb_reset()), and then switch the configuration (via usb_set_configuration()). Sometimes it doesn’t work on the first try, so just run USB switcher twice to ensure the configuration is switched properly :-)”
The technique for exploiting newer devices is a bit more complex. The researchers explain that exploiting this vulnerability on newer smartphones or firmware versions, such as the Samsung S4 and S6, is not as easy and straightforward because “in the default configuration, when the device is connected it exposes to the host only an MTP interface, used for file transfer.”
But the experts found that the modem can still be reached by an attacker simply by “switching to secondary USB configuration. As an example, consider our test Galaxy S6 device. When USB debugging is off, the device exposes two USB configurations, with the CDC ACM modem accessible via configuration number 2.”
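One way to audit an attached phone for exactly this exposure without touching it, as an added example that is not the researchers' code or their USB switcher tool: parse the device's USB configuration descriptors and report which configuration carries a CDC ACM (modem-style serial) interface. The descriptor bytes below are constructed, modelled on the two-configuration layout described for the S6; on a real host they would come from `lsusb -v` or the descriptors file under /sys/bus/usb, and the function names are this example's own.

```python
import struct

USB_DT_CONFIG, USB_DT_INTERFACE, USB_DT_ENDPOINT = 0x02, 0x04, 0x05
CDC_CLASS, ACM_SUBCLASS = 0x02, 0x02  # Communications class / Abstract Control Model

def parse_config(blob):
    """Walk one configuration descriptor and the interface/endpoint/class-specific
    descriptors that follow it; return (bConfigurationValue, [interface dicts])."""
    if len(blob) < 9 or blob[1] != USB_DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = min(struct.unpack_from("<H", blob, 2)[0], len(blob))
    ifaces, off = [], blob[0]
    while off + 2 <= total:
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise ValueError("malformed descriptor at offset %d" % off)
        if dtype == USB_DT_INTERFACE and length >= 9:
            ifaces.append({"number": blob[off + 2], "class": blob[off + 5],
                           "subclass": blob[off + 6], "protocol": blob[off + 7]})
        off += length  # endpoint and class-specific (0x24) descriptors are skipped
    return blob[5], ifaces

def find_modem_configs(config_blobs):
    """bConfigurationValue of every configuration that exposes a CDC ACM interface.
    A modem reachable in any configuration is a channel the lock screen never mediates."""
    return [value for value, ifaces in map(parse_config, config_blobs)
            if any(i["class"] == CDC_CLASS and i["subclass"] == ACM_SUBCLASS for i in ifaces)]

# --- constructed sample descriptors (not captured from a real phone) ---
def _iface(num, cls, sub, proto, n_ep):
    return bytes([9, USB_DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])

def _ep(addr, attrs=0x02):  # bulk endpoint by default, 512-byte packets
    return bytes([7, USB_DT_ENDPOINT, addr, attrs]) + struct.pack("<HB", 512, 0)

def _config(value, n_ifaces, body):
    hdr = bytes([9, USB_DT_CONFIG]) + struct.pack("<H", 9 + len(body))
    return hdr + bytes([n_ifaces, value, 0, 0x80, 250]) + body

MTP = _iface(0, 0x06, 0x01, 0x01, 3) + _ep(0x81) + _ep(0x02) + _ep(0x83, 0x03)
ACM = (_iface(1, CDC_CLASS, ACM_SUBCLASS, 0x01, 1) + _ep(0x84, 0x03)
       + _iface(2, 0x0A, 0x00, 0x00, 2) + _ep(0x85) + _ep(0x03))
CONFIG_1 = _config(1, 1, MTP)        # default configuration: file transfer only
CONFIG_2 = _config(2, 3, MTP + ACM)  # secondary configuration: file transfer plus modem
SAMPLE_DEVICE = [CONFIG_1, CONFIG_2]

if __name__ == "__main__":
    print("configurations exposing a modem:", find_modem_configs(SAMPLE_DEVICE))  # [2]
```

A device that reports an ACM interface only in a non-default configuration is one where the modem is reachable regardless of the lock state, which is what a physical-access risk review should flag.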
If you are wondering how an attacker benefits from this trick: access to the modem allows them to send text messages and place phone calls even while the device is locked. For example, the AT command ATD+123456 will make the phone call +123456.