
ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem
AT commands, originally designed in the early 80s for controlling modems, are still in use in most modern smartphones to support telephony functions. The role of AT commands in these devices has vastly expanded through vendor-specific customizations, yet the extent of their functionality is unclear and poorly documented. In this work, we systematically retrieved and extracted 3,500 AT commands from over 2,000 Android smartphone firmware images across 11 vendors. We methodically tested our corpus of AT commands against eight Android devices from four different vendors through their USB interface and characterized the powerful functionality exposed, including the ability to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, and inject touch events solely through the use of AT commands. We demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices.
Research Artifacts
To spur further research into AT commands, we are releasing a web interface to the database of AT commands discovered. For more details on the process of extracting the commands, view the paper. If you are interested in some of the code used during this project, check out our GitHub. Finally, to see a demonstration of an AT command controlling a phone, view the video.
Reference
If your research benefited from our work, please use the following BibTeX to cite our paper:
@inproceedings{tian_attention_18,
  author = {Dave Tian and Grant Hernandez and Joseph Choi and Vanessa Frost and Christie Ruales and Kevin Butler and Patrick Traynor and Hayawardh Vijayakumar and Lee Harrison and Amir Rahmati and Mike Grace},
  title = {{ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem}},
  booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
  year = {2018},
  isbn = {978-1-931971-232},
  address = {Baltimore, MD},
  pages = {351--366},
  url = {https://www.usenix.org/conference/usenixsecurity18/presentation/tian},
  publisher = {{USENIX} Association},
}
FAQ
What are AT commands?
AT (ATtention) commands were first developed by Dennis Hayes in 1981 for controlling modems. These commands, when accepted by a modem in data mode (without needing a separate port), allow: selection of communication protocol, setting of line speed, dialing numbers, hanging up calls, etc. Since their inception in the 1980s, AT commands have become the preferred means of controlling modems, with standardized AT command sets being issued by authorities such as the International Telephone Union (ITU-T) and the European Telecommunications Standards Institute (ETSI).
What about AT commands on (Android) smartphones?
Smartphones contain cellular baseband processors that provide modem functionality, allowing these devices to communicate with the cellular network, and accept AT commands for configuration. Beyond just standardized modem commands, we found that some Android device manufacturers will add custom/proprietary AT commands; these extended AT commands often do not invoke telephony-related functionality but instead access other resources on the device.
How does this affect me?
On some Android smartphones, an AT command interface is exposed over USB without USB debugging enabled. Unfortunately, some devices do not authenticate this interface or allow it to be used from the lockscreen. We found that in some cases the "charge-only" USB mode may also fail to block AT commands. This means unsuspecting users who plug in their phones to a USB port for charging or data transfer may have their devices locally compromised by a (possibly pre-recorded) sequence of AT commands. Furthermore, many commands, such as those for exfiltrating sensitive data, have no visible side-effects.
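To audit what a handset advertises over USB in a given mode, the added example below (not code from the paper or its repository) walks raw USB descriptors and reports interfaces that declare themselves an AT-command modem. It assumes the interface is presented as a standard USB CDC ACM modem with the V.250 protocol code; a vendor-specific interface (class 0xFF) carrying AT commands would not be flagged. The function names and both descriptor samples are constructed for illustration.

```python
import struct

# Codes from the USB 2.0 and USB CDC specifications.
DT_INTERFACE = 0x04        # bDescriptorType of an interface descriptor
CDC_COMM = 0x02            # bInterfaceClass: Communications
CDC_ACM = 0x02             # bInterfaceSubClass: Abstract Control Model
CDC_PROTO_AT_V250 = 0x01   # bInterfaceProtocol: AT commands (ITU-T V.250)

def parse_interfaces(blob: bytes) -> list:
    """Walk raw USB descriptors and return every interface descriptor found."""
    found, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob) or blob[off] < 2 or off + blob[off] > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        length, dtype = blob[off], blob[off + 1]
        if dtype == DT_INTERFACE and length >= 9:
            num, alt, _eps, cls, sub, proto, _str = struct.unpack_from("7B", blob, off + 2)
            found.append({"number": num, "alt": alt, "class": cls,
                          "subclass": sub, "protocol": proto})
        off += length
    return found

def at_modem_interfaces(blob: bytes) -> list:
    """Interface numbers that declare themselves a CDC ACM AT-command modem."""
    wanted = (CDC_COMM, CDC_ACM, CDC_PROTO_AT_V250)
    return [i["number"] for i in parse_interfaces(blob)
            if (i["class"], i["subclass"], i["protocol"]) == wanted]

# Constructed sample: configuration exposing a CDC ACM modem and its data interface.
SAMPLE_WITH_MODEM = bytes.fromhex(
    "0902350002010080fa"    # configuration header, wTotalLength = 53
    "090400000102020100"    # interface 0: Communications / ACM / AT (V.250)
    "0524001001"            # CDC header functional descriptor (skipped)
    "07058103080010"        # interrupt IN endpoint (skipped)
    "09040100020a000000"    # interface 1: CDC Data
    "07058202000200"        # bulk IN endpoint
    "07050102000200"        # bulk OUT endpoint
)
# Constructed sample: a single vendor-specific interface, no declared modem.
SAMPLE_VENDOR_ONLY = bytes.fromhex(
    "0902200001010080fa"    # configuration header, wTotalLength = 32
    "0904000002ff000000"    # interface 0: vendor-specific (class 0xFF)
    "07058102000200"        # bulk IN endpoint
    "07050102000200"        # bulk OUT endpoint
)

if __name__ == "__main__":
    print("modem interfaces:", at_modem_interfaces(SAMPLE_WITH_MODEM))
    print("vendor-only:", at_modem_interfaces(SAMPLE_VENDOR_ONLY))
```

On Linux, the same bytes can be read from the device's `descriptors` file under `/sys/bus/usb/devices/`; comparing the result across the phone's USB modes shows whether switching modes actually removes the modem interface.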
Have you found any vulnerabilities?
Yes. We have notified each vendor of any relevant findings and have worked with their security teams to remediate the issues. For LG we were assigned the vulnerability number LVE-SMP-180001.
Did you find any remotely exploitable vulnerabilities?
No. All of our investigation centered on the device's USB connection. We did not investigate remote AT attack surface, but the first places we would look would be the Bluetooth interface and the baseband.
Do you have a list of devices that this affects?
We do, in our full paper linked above. While we could not test every device, we tried to study more at once than previous work.
But what about X?
If you have further questions not answered by this page or by our paper, please reach out to the authors on Twitter (Grant Hernandez, Dave Tian, Kevin Butler) or via the email in the page footer.
Press Coverage
- “Exploiting Decades-Old Telephone Tech to Break into Android Devices” — Wired
- “AT Command Hitch Leaves Android Phones Open to Attack” — Threatpost article
- “Smartphone security risk compared to 'having a ghost user on your phone'” — UF News article
- “What the hack: UF research reveals smartphones can be hacked via USB” — the independent florida alligator article
- “Smartphones From 11 OEMs Vulnerable to Attacks via Hidden AT Commands” — BleepingComputer article
- “How to Protect Yourself From Public USB Charging Ports” — How-To Geek Article
- “Smartphones from 11 OEMs, Including Google, Samsung, HTC, Lenovo and Sony, Vulnerable to Attacks Via Hidden AT Commands” — slashdot.org post
- “Attention Spanned: Comprehensive Android Vulnerability Analysis of AT Commands” — Hacker News mention
- “Android mobile devices from 11 vendors are exposed to AT Commands attacks” — Security Affairs article
- “Android at the mercy of AT Commands” — Fudzilla article
- “Android smartphones can be hacked with AT commands attacks” — Tech Worm article
- “How These Android Smartphone Can Be Hacked With Simple AT commands” — Fossbytes article
- “Modern smartphones vulnerable to old-school attack” — The Kim Komando Show article
- “Open AT Commands: a Huge Loophole Exploit in Android Revealed” — Hacker Combat Community article
- “Vulnerability Found in Major Manufacturers of Android Phones” — SecurePoint Blog article
- “Smartphones are vulnerable to hacking commands for ancient modems” — Hybrid Techcar article
- “New security risk for smartphones brings you a “ghost user”” — Android Community article
- “AT Commands” — SANS Daily Network Security Podcast (Stormcast) for Monday, August 27th 2018
- “Android smartphones vulnerable through modem commands” — golem.de article
- “Vulnerability to AT commands found at 11 Android smartphone manufacturers” — Tproger article
- “Attackers can gain full remote access to an Android device through a public USB charging port” — habr article
- “Millions of smartphones can be hacked with hidden AT commands” — Niebezpiecznik article
Acknowledgments
We'd like to thank Samsung Research America for kickstarting the initial research during Dave Tian's internship and for lending us Android devices for testing.
This work was supported by the National Science Foundation under grants CNS-1540217, CNS-1526718, CNS-1564140, and CNS-1617474.