This article is more than 1 year old

Samsung's dimmer Galaxies can make calls when locked, cabled

Talk AT commands at the phone over USB and see wait for the fun to start

A bunch of Samsung Galaxy variants leave their modems open to receiving AT commands over the USB cable, even when they're locked.

The vulnerability is discussed by its discoverers at Github.

Before you dismiss the vulnerability as a local privilege escalation (which it is), consider how many people would be happy leaving a locked phone on their desk because you need the code to unlock it.

The researchers, Roberto Paleari and Aristide Fattori, write that when connected to a laptop via the USB cable, the phones either automatically expose, or can be forced to expose, a serial interface that communicates with the USB modem.

“This communication channel is active even when both USB tethering and USB debugging (i.e., ADB) are disabled,” they write, “and can be accessed even when the device is locked. An attacker who gains physical access to a (possibly locked) device can thus use this interface to send arbitrary AT commands to the modem. This permits to perform several actions that should be forbidden by the lock mechanism, including placing phone calls or sending SMS messages.”

Older devices expose the USB serial modem by default – for example, it turns up on a Linux laptop in /dev as a TTY device. For newer units, the attacker would have to switch the device to USB configuration number 2 – but the phone doesn't have to be unlocked for that to happen, as the researchers explain:

“For our PoC we developed a very rough C tool, usbswitcher, that switches any attached Samsung device to USB configuration #2 (this is fine for the devices we tested, but your mileage might vary). The tool uses libusb to do the job, but the same task can probably be accomplished using the /sys/bus/usb pseudo-filesystem.

The trick we used to force the phone to switch the configuration is to first reset the USB device (via usb_reset()), and then switching the configuration (via usb_set_configuration()). Sometimes it doesn't work at the first try, so just run usbswitcher twice to ensure the configuration is switched properly :-)”

On newer phones, the researchers say, the most dangerous vulnerability – that the attacker can get access to the Android userspace – has been plugged. An attacker can still, however, place calls and send text messages.

On older devices (their example is an S4 mini), commands can be used to abuse some Android settings. For example, the AT+USBDEBUG command enables USB debugging, and AT+WIFIVALUE enables the device's Wi-Fi.

Just how far into userspace an attacker could get, the pair leave to others to explore.

Their demonstration video, a teaser Tweeted in December, is below. ®

More about

TIP US OFF

Send us news


Other stories you might like