Skip to main content

Vulnerability Found In Major Manufacturers Of Android Phones 

By September 7, 2018June 3rd, 2022Cybersecurity

Researchers operating out of the University of Florida, Stony Brook University and Samsung Research America have made a disturbing discovery. Millions of Android smartphones manufactured by eleven different OEMs (Original Equipment Manufacturers) were found to be vulnerable to attack via AT Commands.

If you’re not sure what an “AT Command” is, you’re not alone. Part of the Hayes Command Set, ATtention Commands were developed in the early 1980s and designed to be transmitted via phone lines to issue commands to modems.

Most people aren’t even aware of the fact that their high-tech smartphones contain a basic modem within them, which allows the high-tech wonder to connect to the internet. While AT Commands have been standardized, many vendors have added custom AT Commands to their devices, and unfortunately, these commands can control a surprising variety of advanced features including the built-in camera and the touchscreen interface.

The AT Commands can be accessed via the phone’s USB interface. This means that a would-be attacker would have to gain physical access to the device, or place a malicious component inside a user’s charger, charging station, or USB dock.

Once a hacker is connected in this manner to the victim’s phone, he could use one of the AT Commands to steal data, unlock the screen, mimic touchscreen events, or even rewrite the phone’s firmware.

The research team has complied a database of phone models and firmware versions that are vulnerable to this type of attack. They have contacted all the vendors, and are continuing their testing.

Initially, the team tested AT Commands via the USB interface. Phase two of the research will test to see if those commands can be issued via WiFi or Bluetooth connections. The team has also published the Shell script they used in their original testing, available on GitHub.

So far, none of the OEMs contacted have released any information or given a timetable for a fix.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.