Security researchers from Purdue and Iowa Universities (USA) discovered vulnerabilities in several popular Android phones that let an attacker use accessories to gain access to the firmware of the radio module (baseband) and thus track the phones' users. Criminals can trick vulnerable phones into revealing unique identifiers, such as IMEI and IMSI numbers, force a smartphone to use an insecure connection in order to intercept phone calls, transfer calls, or block all phone calls and Internet access altogether.
According to the researchers, the problem affects at least 10 popular Android devices, including Google Pixel 2, Huawei Nexus 6P and Samsung Galaxy S8 Plus.
The vulnerabilities were found in the interface used to communicate with the firmware of the radio module, which allows the phone’s modem to communicate with the cellular network in order to make phone calls or connect to the Internet. This software is usually isolated from other applications and often ships with a blacklist of commands to prevent unimportant commands from being run.
According to the researchers, some phones inadvertently provide Bluetooth and USB accessories, such as headphones and headsets, with access to the firmware of the radio module. Using vulnerable accessories, an attacker can execute commands on Android smartphones connected to them.
“The impact of these attacks ranges from disclosing user confidential information to a complete denial of service,” say the researchers.
The firmware of the radio module is capable of receiving special AT-commands that control the cellular functions of the device. As the researchers found, commands can be manipulated.
During testing, the researchers found 14 commands that can be used to trick vulnerable Android phones, steal sensitive data and manage calls.
As the researchers explained, low-cost Bluetooth connectors or malicious USB charging stations can be used for attacks. Thus, an attacker can manipulate a smartphone using a computer (if the accessory is reachable via the Internet) or through a connection to a Bluetooth device (for this, the attacker must be in close proximity to it).
“If the smartphone is connected to a headset or any other Bluetooth device, the attacker can first exploit vulnerabilities in the Bluetooth protocol, and then inject malicious AT-commands,” note the researchers.
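The article describes a command blacklist sitting in front of the radio firmware while accessories can still reach it. The sketch below shows the default-deny alternative a defender would want on the accessory-facing channel. It is an added example, not code from the researchers or any vendor; the allowlist contents (a subset of Bluetooth Hands-Free Profile commands), the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: a subset of Bluetooth Hands-Free Profile commands that a headset
# legitimately needs. Illustrative only, not a complete or vendor-approved list.
ALLOWLIST = {"A", "+BRSF", "+CIND", "+CMER", "+CHLD", "+CHUP", "+CLIP", "+VGS", "+VGM"}

# Exactly one command per line: ATA, or AT+NAME with an optional "?", "=?"
# or short numeric argument list. Everything else fails to parse.
LINE_RE = re.compile(r"AT(?:(A)|(\+[A-Z]{3,5})(\?|=\?|=[0-9,]{1,16})?)")


def check_line(raw: bytes) -> tuple[bool, str]:
    """Return (allowed, detail) for one line received from an accessory."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ascii"
    if not text.endswith("\r"):
        return False, "unterminated"
    match = LINE_RE.fullmatch(text[:-1])
    if match is None:
        return False, "malformed"
    name = match.group(1) or match.group(2)
    if name not in ALLOWLIST:
        return False, "not-allowlisted"
    return True, name


def denied(lines):
    """Collect (line, reason) for every refused line, e.g. for alerting."""
    results = ((line, check_line(line)) for line in lines)
    return [(line, detail) for line, (ok, detail) in results if not ok]


# Constructed sample traffic; "+ZZZZ" is a placeholder for any modem command
# that is not on the allowlist.
SAMPLE = [
    b"AT+BRSF=191\r",
    b"AT+VGS=7\r",
    b"ATA\r",
    b"AT+ZZZZ=1\r",
    b"AT+VGS=7;+ZZZZ\r",
    b"at+vgs=7\r",
    b"AT+VGS=7",
]

if __name__ == "__main__":
    for line, reason in denied(SAMPLE):
        print(f"DENY {line!r}: {reason}")
```

Because the parser accepts only one strictly formed command per line, anything it does not recognise is refused and reported rather than forwarded to the modem.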