How to use headphones or Bluetooth to hack and take control of any Android device

A recent research published by vulnerability testing specialists from Purdue University details a new exploit that abuses some Android operating system smartphones through the use of malicious peripheral devices (specifically through Bluetooth and USB).

The application processor of almost any relatively recent smartphone model uses the AT Command Interface to launch high-level commands to the baseband processor, which performs common cellular network operations. There are vulnerabilities in this communication that can be exploited by using peripheral devices controlled by threat actors.

Typically, a smartphone works with two interconnected processing units:

  • Application processor
  • Baseband processor (also called cellular modem)

It is important to mention that most current smartphones accept AT commands via Bluetooth.

The AT interface is an entry point for accessing the baseband processor, so any anomalous behavior when processing any AT command could cause unauthorized access to sensitive information stored on the smartphone, alterations in the operation of the cellular network, among other flaws.  

IT interface on Android devices
ATFuzzer: Dynamic Analysis of AT Interface for Android

Some research previously conducted regarding failures in the AT interface focuses only on finding invalid or malicious AT commands for manufacturers to blacklist them and prevent possible abuse behavior; however, vulnerability testing specialists consider the scope of this approach to be really small, because although there are AT commands used by the entire mobile communications industry, every single smartphone manufacturer often include its own sets of AT commands to perform various tasks. In other words, this approach is too specific.

Instead, experts propose to design a method of analyzing processes related to the execution of any AT command to detect any possible anomalous activity that may become an exploitable vulnerability.

Indicators of abnormal activity:

  • Syntactic code errors: A device could accept invalid AT commands
  • Semantic errors: Targeted devices process a properly grammar AT command, but the generated response does not match to the expected behavior

When an invalid command gets exploited, a malicious peripheral device connected to the targeted smartphone might access sensitive information (such as IMSI key or IMEI), or even degrade the device’s network protocol (4G to 3G, for example).

AT commands

These are code snippets used to control some tasks related to cellular network usage. A basic set of commands was established as a standard in the mobile communications industry; on the other hand, smartphone manufacturers include their own AT commands to run multiple functions.

Running AT commands via Bluetooth

It is required to pair the peripheral device (speakers, headsets, etc.) with the targeted smartphone, establishing a communication channel. When receiving an AT command the system-level Bluetooth component of the device recognizes the command with the prefix “AT” and contrasts it with a list of legitimate commands. The AT commands is then sent to the Bluetooth component at the application level, where the action related to the sent command is completed.

Running AT commands via USB

If a smartphone exposes its USB Abstract Control Model (ACM) interface, it creates a tty device such as /dev/ttyACM0 that allows the phone to receive AT commands through the USB interface. On the other hand, on phones for which the USB modem interface is not included in the default USB configuration, switching to an alternate USB configuration allows communication to the modem via USB.

For this research, a list of valid AT commands and their grammar was obtained from 3GPP standards. Not all of these commands are processed or recognized by all smartphones, as this depends on the manufacturers.

The ATFuzzer approach

ATFuzzer, the analysis method developed by the researchers, consists of two modules: evolution module and evaluation module, which interact in a closed way. The evolution module starts with an initial AT command grammar that mutates to generate Psize (refers to population size, a parameter for ATFuzzer), different versions of that grammar. Specifically, ATFuzzer generates new grammars from the main grammar through the following high-level operations:

  1. Population initialization
  2. Parent select
  3. Grammar crossing
  4. Grammatical mutation
ATFuzzer approach
ATFuzzer: Dynamic Analysis of AT Interface for Android

To assess the effectiveness and scope of this approach, 10 different models of Android operating system smartphones (from six different manufacturers) were analyzed. Upon completion of the analysis, vulnerability testing specialists discovered 4 misbehaviors in Bluetooth and 13 others on USB.

By exploiting these flaws, threat actors could deploy malicious activities such as disruption of smartphone connections, denial of service (DoS), and theft of sensitive information.

Although security for baseband processors and command interfaces has improved markedly over previous generations of smartphones, it is obvious that with current security measures it is impossible to properly analyze and filter an anomalous input. According to the vulnerability testing specialists from the International Institute of Cyber Security (IICS), a possible solution to this improper access is the removal of exposure of the AR modem interface via Bluetooth and USB. It’s also important to remind Android device users to avoid connecting to chargers, speakers, or other unknown peripherals.