Modems in a number of Samsung Galaxy devices are open to receiving AT commands over the USB cable even when they are locked.
Do you know that modems in a number ofÂ Samsung Galaxy devices are open to receiving AT commands over the USB cable even when they are locked?
The circumstance is serious if we consider that is is very common to leaveÂ a locked phone on their desk believing that no one could access it.
A number of researchers and users are discussing the issue on Github, in particular,Â security experts Roberto Paleari and Aristide Fattori reported that devices connected via USB to a computer automatically expose, or can be forced to do it, a serial interface that interacts directly with the USB modem.
â€śThis communication channel is active even when both USB tethering and USB debugging (i.e., ADB) are disabled,â€ť they write, â€śand can be accessed even when the device is locked. An attacker who gains physical access to a (possibly locked) device can thus use this interface to send arbitrary AT commands to the modem. This permits to perform several actions that should be forbidden by the lock mechanism, including placing phone calls or sending SMS messages.â€ť
Older mobile devices expose the USB serial modem by default, meanwhile, newer phones need to be forced, in this last scenario it is not necessary that the phone is unlocked.
In the case ofÂ old Samsung mobile and firmware versions (i.e. the GT-I9192 (Samsung S4 Mini with build I9192XXUBNB1)), is is sufficient to plug the smartphone into a Linux host to exposeÂ aÂ usbÂ serial modem which is then accessible by using the corresponding Linux device (e.g.,Â /dev/ttyACM0). Once established the connection to the modem it is possible to send certain AT commands. The attacker can perform a number of operations exploiting this connection, using the AT commandÂ AT+USBDEBUGÂ command he enables USB debugging, andÂ AT+WIFIVALUEÂ enables the deviceâ€™s Wi-Fi.
The security duo developed a proof-of-concept to analyze the attack scenario.
â€śFor our PoC we developed a very rough CÂ tool,Â usbswitcher,Â that switches any attached Samsung device to USB configuration #2 (this is fine for the devices we tested, but your mileage might vary). The tool usesÂ libusbÂ to do the job, but the same task can probably be accomplished using theÂ /sys/bus/usbÂ pseudo-filesystem.
The trick we used to force the phone to switch the configuration is to first reset the USB device (viaÂ usb_reset()), and then switching the configuration (viaÂ usb_set_configuration()). Sometimes it doesnâ€™t workÂ atÂ the first try, so just runÂ usbswitchertwice to ensure the configuration is switched properly :-)â€ť
On newer mobile and firmware versions the situation is more complex as explained by the researchers.
â€śExploitation of this vulnerability on more recent firmware versions (e.g., latest versions of the Samsung S4 and Samsung S6 software) is not so straightforward: in the default configuration, when the device is connected it exposes to the host only a MTP interface, used for file transfer.
However, we discovered that an attacker can still access the modem by switching to secondary USB configuration. As an example, consider our test Galaxy S6 device. When USB debugging is off, the device exposes two USB configurations, with the CDC ACM modem accessible via configuration number 2.â€ť
The possible consequences of the attack are obvious, the access to the modem allows the attacker to make phone calls and send SMS messages. The commandÂ ATD+123456 allow to starts a phone call to +123456, even when the device is locked.
Below the list of devices tested by the duo:
- SM-G920F, build G920FXXU2COH2 (Galaxy S6)
- SM-N9005, build N9005XXUGBOK6 (Galaxy Note 3)
- GT-I9192, build I9192XXUBNB1 (Galaxy S4 mini)
- GT-I9195, build I9195XXUCOL1 (Galaxy S4 mini LTE)
- GT-I9505, build I9505XXUHOJ2 (Galaxy S4)