Security researchers have found that some popular Android phones can be tricked into snooping on their owners by exploiting weaknesses in how accessories are allowed to access the phone's native baseband software.

An attacker can use this access to trick a vulnerable phone into giving up unique identifiers such as its IMEI and IMSI numbers, intercept a phone call, forward a call to another phone, block the target's connection to cut off all phone and Internet access, or downgrade the connection.

This research, shared exclusively with TechCrunch, affects more than 10 popular Android devices, including Google's Pixel 2, Huawei's Nexus 6P, and Samsung's Galaxy S8+.

The vulnerability lies in the interface used to communicate with the baseband firmware, the software that allows the phone's modem to communicate with the cell network for phone calls and Internet connections. Given its importance, the baseband is usually isolated from the rest of the device, including its apps, and often comes with a command block list to prevent non-critical commands from running. But the researchers found that many Android phones inadvertently allow Bluetooth and USB accessories, such as headphones and headsets, to access the baseband. An attacker could exploit a vulnerable accessory to execute commands on the connected Android phone.

“The impact of these attacks ranges from exposing sensitive user information to complete service outages,” said Syed Rafiul Hussain and Imtiaz Karim, two of the research's co-authors, in an email to TechCrunch.

Hussain and his colleagues Imtiaz Karim and Fabrizio Cicala of Purdue University, and Elisa Bertino and Omar Chowdhury of the University of Iowa, will present their findings next month.

“The impact of these attacks ranges from exposing sensitive user information to complete service outages.”
Syed Rafiul Hussain, Imtiaz Karim

The baseband firmware accepts special commands, called AT commands, that control the device's cellular functions. These commands can be used, for example, to tell the modem which phone number to dial. But the researchers found that the commands can be manipulated. They developed a tool called ATFuzzer that searches for potentially problematic AT commands.
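The article describes basebands that rely on a command block list, and the researchers' finding that the commands reaching the baseband can be manipulated. The following added example (it is not code from the researchers, from ATFuzzer, or from any vendor) shows, from a defender's point of view, why a literal block list is fragile and how a normalising parser with an allowlist of read-only queries holds up better. The command names are standard 3GPP TS 27.007 AT commands; the allowlist, the block list and the sample lines are constructed for illustration only and do not represent any real device's policy.

```python
import re
from typing import Optional

# Constructed allowlist: harmless read-only queries an accessory might plausibly need
# (manufacturer, model, revision, signal quality, registration status). Not a real vendor policy.
ALLOWED_COMMANDS = {"+CGMI", "+CGMM", "+CGMR", "+CSQ", "+CREG"}

# Constructed "naive" block list in the style the article describes: literal strings to reject.
NAIVE_BLOCKLIST = {"AT+CGSN", "AT+CIMI", "ATD", "AT+CFUN"}

# Extended-syntax command: AT<+NAME>[=<args> | ? | =?]
_EXTENDED = re.compile(r"^(?P<name>[+&#%][A-Z0-9]+)(?P<op>=\?|\?|=)?(?P<args>.*)$")
# Arguments we are willing to forward for allowed commands: digits, letters and commas only.
_ARGS_OK = re.compile(r"^[A-Z0-9,]*$")


def normalize(line: str) -> str:
    """Canonicalise a command line the way a tolerant modem parser would see it:
    drop line endings and all whitespace, and fold case. (Whitespace inside quoted
    arguments is also removed; this example forwards no quoted arguments anyway.)"""
    return "".join(line.split()).upper()


def parse(line: str) -> Optional[dict]:
    """Split an AT command line into name / operator / arguments, or return None if malformed."""
    canon = normalize(line)
    if not canon.startswith("AT"):
        return None
    body = canon[2:]
    if body == "":                                  # a bare "AT" is just a liveness check
        return {"name": "", "op": "", "args": ""}
    if body[0] in "+&#%":                           # extended syntax, e.g. AT+CSQ, AT+CREG?, AT+CFUN=0
        m = _EXTENDED.match(body)
        if not m:
            return None
        return {"name": m.group("name"), "op": m.group("op") or "", "args": m.group("args")}
    # basic syntax: a single-letter command followed by its parameter, e.g. ATD<number>, ATH, ATE0
    return {"name": body[0], "op": "", "args": body[1:]}


def naive_blocklist_allows(line: str) -> bool:
    """Literal string comparison against a block list. Equivalent spellings slip through."""
    return line.strip() not in NAIVE_BLOCKLIST


def allowlist_allows(line: str) -> bool:
    """Parse first, then accept only allowlisted read-only queries with clean arguments."""
    cmd = parse(line)
    if cmd is None:
        return False                                # unparseable input is never forwarded
    if ";" in cmd["args"]:
        return False                                # no chaining of further commands on one line
    if cmd["name"] not in ALLOWED_COMMANDS:
        return False
    if cmd["op"] == "=":
        return False                                # allow queries (?, =?) but not set operations
    return bool(_ARGS_OK.match(cmd["args"]))


def filter_accessory_commands(lines):
    """Apply both policies to a batch of lines; returns (line, naive_verdict, allowlist_verdict) tuples."""
    return [(ln, naive_blocklist_allows(ln), allowlist_allows(ln)) for ln in lines]


if __name__ == "__main__":
    # Constructed sample of lines as they might arrive from an accessory interface.
    sample = ["AT+CSQ\r", "AT+CREG?\r", "at+cgsn\r", "AT +CIMI\r", "AT+CSQ;+CGSN\r", "AT+CREG=1\r", "hello\r"]
    for ln, naive, strict in filter_accessory_commands(sample):
        print(f"{ln.strip()!r:20} naive={'pass' if naive else 'block'}  allowlist={'pass' if strict else 'block'}")
```

Running the block shows the difference in the two policies: the literal block list lets through `at+cgsn` and `AT +CIMI`, which a case-insensitive, whitespace-tolerant modem parser treats exactly like the blocked spellings, while the allowlist rejects them, along with the chained line and the set operation, and forwards only the two read-only queries. Whether a given baseband's parser actually tolerates those variants is device-specific, which is the kind of question a fuzzer such as ATFuzzer is built to answer.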

The researchers found 14 commands that could cause vulnerable Android phones to leak sensitive device data or be tricked into manipulating the phone's behavior.

However, not all devices are vulnerable to the same commands, nor can they be manipulated in the same way. For example, the researchers found that certain commands could induce Galaxy S8+ phones to leak their IMEI number, redirect phone calls to another phone, and downgrade the cellular connection, the kind of manipulation associated with the cell-snooping hardware known as stingrays. Other devices could not be tricked into redirecting calls, but were vulnerable to commands that block Internet connectivity and phone calls.

The vulnerability is not difficult to exploit, but the right conditions all have to be in place.

“We can easily carry out the attack by using a cheap Bluetooth connector or by setting up a malicious USB charging station,” Hussain and Karim said. In other words, an attacker can manipulate the phone if they can access the connected accessory, such as a computer, over the Internet; if the phone is connected to a Bluetooth device, the attacker must be in close proximity. (Vulnerabilities in the way some devices implement Bluetooth mean Bluetooth-based attacks are not difficult, though some devices are more exposed than others.)

“If the smartphone is connected with headphones or other Bluetooth devices, the attacker can first exploit the inherent vulnerability of the Bluetooth connection and then inject the wrong AT command,” the researchers said.

Samsung said it is aware of the vulnerabilities in some of its devices and is releasing patches. Huawei had not commented at the time of writing. “The reported issue does not reproduce on Pixel devices that comply with the Bluetooth specification or have the latest security patches,” Google said.

Hussain said the iPhone is not affected by this vulnerability.

This research is the latest to investigate vulnerabilities in baseband firmware. Over the years, several papers have examined baseband vulnerabilities in various phones and devices. Although such reports are rare, security researchers have long warned that intelligence agencies and hackers could use these flaws to launch automated attacks.