Popular Android phones can be tricked into snooping on their owners

Security researchers have found that several popular Android phones can be tricked into snooping on their owners by exploiting a weakness that gives accessories access to the phone's underlying baseband software. Attackers can use that access to trick vulnerable phones into giving up their unique identifiers, such as their IMEI and IMSI numbers, downgrade a target's connection in order to intercept phone calls, forward calls to another phone, or block all phone calls and internet access altogether. The research, shared exclusively with TechCrunch, affects at least 10 popular Android devices, including the Google Pixel 2, Huawei Nexus 6P and Samsung Galaxy S8+. The vulnerabilities are found in the interface used to communicate with the baseband firmware, the software that allows the phone's modem to communicate with the cell network, such as when making phone calls or connecting to the internet.
Given its importance, the baseband is typically off-limits to the rest of the device, including its apps, and often comes with a command blacklist to prevent non-critical commands from running.
But the researchers found that many Android phones inadvertently allow Bluetooth and USB accessories — like headphones and headsets — access to the baseband.
By exploiting a vulnerable accessory, an attacker can run commands on a connected Android phone. "The impact of these attacks ranges from sensitive user information exposure to complete service disruption," said Syed Rafiul Hussain and Imtiaz Karim, two co-authors of the research, in an email to TechCrunch. Hussain and his colleagues Imtiaz Karim, Fabrizio Cicala and Elisa Bertino at Purdue University and Omar Chowdhury at the University of Iowa are set to present their findings next month.
Baseband firmware accepts special commands, known as AT commands, which control the device's cellular functions. These commands can be used, for example, to tell the modem which phone number to call. But the researchers found that these commands can be manipulated.
The researchers developed a tool, dubbed ATFuzzer, which tries to find potentially problematic AT commands. In their testing, the researchers discovered 14 commands that could be used to trick the vulnerable Android phones into leaking sensitive device data and manipulating phone calls. But not all devices are vulnerable to the same commands, or can be manipulated in the same way.
The researchers found, for example, that certain commands could trick a Galaxy S8+ phone into leaking its IMEI number, redirect phone calls to another phone and downgrade its cellular connection — all of which can be used to snoop on and listen in to phone calls, such as with the specialist cellular snooping hardware known as "stingrays." Other devices were not vulnerable to call manipulation but were susceptible to commands that could be used to block internet connectivity and phone calls. The vulnerabilities are not difficult to exploit, but they require all of the right conditions to be met. "The attacks can be easily carried out by an adversary with cheap Bluetooth connectors or by setting up a malicious USB charging station," said Hussain and Karim.
In other words, it's possible to manipulate a phone if an accessory is accessible over the internet — such as a computer. Or, if a phone is connected to a Bluetooth device, an attacker has to be in close proximity.
(Bluetooth attacks are not difficult, given that vulnerabilities in how some devices implement Bluetooth have left some devices more vulnerable to attack than others.) "If your smartphone is connected with a headphone or any other Bluetooth device, the attacker can first exploit the inherent vulnerabilities of the Bluetooth connection and then inject those malformed AT commands," the researchers said. Samsung recognized the vulnerabilities in some of its devices and is rolling out patches. Huawei did not comment at the time of writing.
Google said: "The issues reported are either in compliance with the Bluetooth specification or do not reproduce on Pixel devices with up to date security patches." Hussain said that iPhones were not affected by the vulnerabilities. This research becomes the latest to examine vulnerabilities in baseband firmware. Over the years there have been several papers examining various phones and devices with baseband vulnerabilities. Although these reports are rare, security researchers have long warned that intelligence agencies and hackers alike could be using these flaws to launch silent attacks.