Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.

Smartphones From 11 OEMs Vulnerable to Attacks via Hidden AT Commands

posted by mrpg on Monday August 27 2018, @07:39PM   Printer-friendly
from the +++ dept.

MrPlow writes:

Submitted via IRC for BoyceMagooglyMonkey

[...] Unknown to the common user is that modern smartphones include a basic modem component inside them, which allows the smartphone to connect to the Internet via its telephony function, and more.

While international telecommunications bodies have standardized basic AT commands, dictating a list that all smartphones must support, vendors have also added custom AT command sets to their own devices —commands which can control some pretty dangerous phone features such as the touchscreen interface, the device's camera, and more.

[...] Once an attacker is connected via the USB to a target's phone, he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

Source: https://www.bleepingcomputer.com/news/security/smartphones-from-11-oems-vulnerable-to-attacks-via-hidden-at-commands/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Smartphones From 11 OEMs Vulnerable to Attacks via Hidden AT Commands | Log In/Create an Account | Top | 19 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by looorg on Monday August 27 2018, @07:45PM (4 children)

    by looorg (578) on Monday August 27 2018, @07:45PM (#727101)

    So we can now wait for the avalanche of malware apps that will start to dial some really expensive toll-/pay-numbers when it notes that the phone is idle and you are most likely asleep. Only much much later will you figure out the massive cost as you see you get your phonebill. Should be more money in that then in say having someone mine crypto on your phone.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 1) by nitehawk214 on Monday August 27 2018, @07:50PM (1 child)

    by nitehawk214 (1304) on Monday August 27 2018, @07:50PM (#727103)

    I was going to post a comment with the title "ATDT8675309"

    I did not know that AT commands were still a thing.

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh

    • (Score: 2) by EETech1 on Tuesday August 28 2018, @03:12AM

      by EETech1 (957) on Tuesday August 28 2018, @03:12AM (#727218)

      Jenny has probably long since changed her number anyway:(

  • (Score: 1, Touché) by Anonymous Coward on Monday August 27 2018, @08:28PM

    by Anonymous Coward on Monday August 27 2018, @08:28PM (#727119)

    You could always do both

  • (Score: 3, Interesting) by Anonymous Coward on Monday August 27 2018, @10:38PM

    by Anonymous Coward on Monday August 27 2018, @10:38PM (#727162)

    Apps aren't the attack vector for this issue, it's the USB port. So if you're charging your phone through your laptop/PC then it could be compromised via malware on the computer. Further the phone likely requires additional drivers to enable the modem. For example, my Samsung phones require installing a driver package from their website (not available via Windows Update). So the phone will charge and do MTP out of the box but the modem won't be accessible; at least not on Windows. Not sure if the same is true on Linux and Mac.

    The bigger risk will be using public charging stations (avoid trains and airports). If you must use them then get yourself a USB cable that lacks the data lines so nothing can talk to your device.

    Also, malicious apps that fraudulently dial/text have been a thing for a very long time...