A new security exploit affecting several high-profile Android smartphones through maliciously modified Bluetooth and USB accessories has been discovered. Researchers at Purdue University and the University of Iowa have published a paper detailing how the baseband processors of several popular Android smartphones can be compromised in order to grant a an attacker wide-ranging permissions. By using specially crafted Bluetooth or USB accessories, the researchers were able to demonstrate how such modified accessories or even man-in-the-middle techniques can be used to execute instructions known as AT commands to control the baseband's functionality. The study examined multiple devices from Samsung, LG, HTC, Google, Motorola, and Huawei which are older models but still widely in use.
Amongst other things, the researchers were able to intercept IMEI numbers and network and roaming status, which can potentially be used to identify or track targets. They were also able to perform Denial of Service (DoS) attacks, disrupt Internet connectivity, and trigger functions such as DND, call forwarding, call blocking, and much more. Standard AT commands from publicly available 3GPP documentation.
Ten devices from six manufacturers were tested; the Samsung Galaxy S8+ (Review), Google Pixel 2 (Review), Huawei Nexus 6P (Review), and Motorola Nexus 6 (Review), as well as the older Samsung Galaxy Note 2, Samsung Galaxy S3, LG G3, LG Nexus 5, HTC Desire 10 Lifestyle, and Huawei P8 Lite. Not all were found to be vulnerable to both USB and Bluetooth attack vectors. Accessories such as headsets, speakers, and even chargers could potentially be used to attack phones in this manner.
According to the research team, smartphones are not supposed to expose the AT command interface to Bluetooth and USB inputs in such a manner. The research paper is available to read, and details of the exploit itself can be found in a Github repository, as pointed out by Techcrunch. The paper will be presented at the 35th Annual Computer Security Applications Conference in December.
The affected phones used baseband processors manufactured by Qualcomm, Samsung, and HiSilicon (a subsidiary of Huawei). The researchers notified all the affected smartphone and baseband vendors, and waited the customary 90 days before going public with their findings. Samsung has committed to releasing patches for its devices.
As always, users are cautioned that there are risks in connecting to unknown accessories or even using public chargers.