Bluetooth to hack any Android device
A recent investigation published by vulnerability testing specialists at Purdue University details a new exploit that abuses some smartphones with the Android operating system through the use of malicious peripheral devices (Bluetooth and USB).
The application processor in almost any relatively recent smartphone model uses the AT Command Interface to issue high-level commands to the baseband processor, which performs common cellular network operations. There are vulnerabilities in this communication that can be exploited through the use of peripheral devices controlled by threat actors.
In general, a smartphone works with two interconnected processing units:
- Application processor
- Baseband processor (also called a cellular modem)
It is important to mention that most current smartphones accept AT commands via Bluetooth.
The AT interface is an entry point to access the baseband processor, so any abnormal behavior when processing an AT command could cause unauthorized access to confidential information stored on the smartphone, disturbances in the operation of the cellular network, and other faults.
Some investigations previously carried out on failures in the AT interface focused only on finding invalid or malicious AT commands so that manufacturers could integrate a blacklist and prevent possible abuses; however, vulnerability analysis specialists consider the scope of this approach to be really limited, because although there are AT commands used by the entire mobile communications industry, smartphone manufacturers usually include their own sets of AT commands to perform various tasks. In other words, this approach is too specific.
Instead, the experts propose to design a method of analyzing the processes related to the execution of any AT command to detect any possible anomalous activity that could become an exploitable vulnerability.
Abnormal Activity Indicators:
- Syntax code errors: A device could accept invalid AT commands
- Semantic errors: Target devices process a correctly worded AT command, but the generated response does not conform to expected behavior
By exploiting an invalid command, a malicious peripheral device connected to the smartphone could access sensitive information (such as IMSI or IMEI key), or even downgrade the device’s network protocol (from 4G to 3G, for example).
AT commands
They are pieces of code used to control some actions related to the use of cellular networks. A basic set of commands was established as a standard in the mobile communications industry; on the other hand, smartphone manufacturers include their own AT commands to execute multiple functions.
Execution of AT commands via Bluetooth
It is required to pair the peripheral device (speakers, headphones, among others) with the target smartphone, establishing a communication channel. Upon receipt of an AT command, the device’s system-level Bluetooth component recognizes the command with the prefix “AT” and checks it against a list of legitimate commands. Subsequently, the AT command is sent to the Bluetooth component at the application level, where the action related to the sent command is completed.
Execution of commands via USB
If a smartphone exposes its USB Abstract Control Model (ACM) interface, it creates a device such as /dev/ttyACM0 that allows the phone to receive AT commands over the USB interface. On the other hand, on phones for which the USB modem interface is not included in the default USB configuration, changing to an alternate USB configuration allows communication with the modem via USB.
For this investigation, a list of valid AT commands and their grammar was obtained from the 3GPP standards. Not all of these commands are processed or recognized by all smartphones, as this depends on the manufacturer.
The ATFuzzer Approach
ATFuzzer consists of two modules, an evolution module and an evaluation module, which interact in a closed loop. The evolution module starts with an initial AT command grammar that is mutated to generate Psize different versions of that grammar (Psize, the population size, is a parameter of ATFuzzer). Specifically, ATFuzzer generates new grammars from the main grammar through the following high-level operations:
- Population initialization
- Parent selection
- Grammar crossing
- Grammatical mutation
To assess the effectiveness and scope of this approach, 10 different models of smartphones with the Android operating system (from six different manufacturers) were analyzed. At the conclusion of the analysis, vulnerability testing specialists discovered 4 misbehaviors in Bluetooth and another 13 in USB.
By exploiting these flaws, threat actors could deploy malicious activities such as disruption of smartphone connections, denial of service, and theft of sensitive information.
Although the security of baseband processors and command interfaces has improved remarkably compared to previous generations of smartphones, it is obvious that with current security measures it is impossible to properly analyze and filter anomalous input. According to the vulnerability analysis specialists of the International Institute of Cyber Security (IICS), a possible solution to this improper access is the elimination of the exposure of the AT modem interface via Bluetooth and USB. It’s also important to remind Android device users to avoid connecting to unknown chargers, speakers, or other peripherals.
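The two abnormal activity indicators described earlier (a device accepting an invalid command, or answering a valid one with an unexpected response) and the input filtering mentioned above, as an added Python example that is not part of the Purdue research or of ATFuzzer's own code. The command allowlist, the 3GPP-style grammar and the expected response shapes are constructed assumptions for the example; the (command, response) samples are constructed, not captured from a real phone.

```python
import re

# Constructed allowlist: a subset of 3GPP TS 27.007 command names (example, not ATFuzzer's list).
ALLOWED = {"+CGMI", "+CGMR", "+CGSN", "+CIMI", "+COPS", "+CFUN"}

# Grammar: "AT", then "+" and a name, then one of the four 27.007 forms:
# execute (no suffix), read "?", test "=?", or write "=<params>".
AT_RE = re.compile(r"^AT(\+[A-Z][A-Z0-9]{0,15})(=\?|\?|=(.*))?$")
# Write parameters: comma-separated decimal integers or double-quoted strings.
PARAMS_RE = re.compile(r'(\d+|"[^"\r\n]*")(,(\d+|"[^"\r\n]*"))*')

def parse_at(cmd):
    """Return (name, form) when cmd follows the grammar, else None."""
    m = AT_RE.match(cmd.strip())
    if not m:
        return None
    name, suffix, params = m.group(1), m.group(2), m.group(3)
    if suffix is None:
        return name, "execute"
    if suffix == "?":
        return name, "read"
    if suffix == "=?":
        return name, "test"
    return (name, "write") if PARAMS_RE.fullmatch(params) else None

def filter_command(cmd):
    """Defensive gate a Bluetooth/USB AT handler could apply: well-formed AND allowlisted."""
    parsed = parse_at(cmd)
    return parsed is not None and parsed[0] in ALLOWED

# Expected response body per read-out command (constructed shapes for the example).
EXPECTED = {"+CIMI": re.compile(r"^\d{14,15}$"), "+CGSN": re.compile(r"^\d{14,16}$")}

def classify(cmd, response):
    """Label a (command, response) pair with the article's two anomaly indicators."""
    lines = [ln for ln in response.replace("\r", "").split("\n") if ln]
    final, body = (lines[-1] if lines else ""), lines[:-1]
    parsed = parse_at(cmd)
    if parsed is None:                       # malformed command
        return "syntax" if final == "OK" else "ok"   # accepted -> syntax anomaly
    if final != "OK":
        return "ok"                          # valid command rejected: nothing leaked, not flagged here
    shape = EXPECTED.get(parsed[0])
    if shape and not (len(body) == 1 and shape.match(body[0])):
        return "semantic"                    # OK, but the body is not the expected shape
    return "ok"

# Constructed samples: a well-formed IMSI query, a malformed one the modem still answers,
# and a valid IMEI query whose response body is malformed.
SAMPLES = [("AT+CIMI", "\r\n123456789012345\r\nOK\r\n"),
           ("AT+CIMI=1;;;", "\r\n123456789012345\r\nOK\r\n"),
           ("AT+CGSN", "\r\n+CGSN: ??\r\nOK\r\n")]

def audit(samples=SAMPLES):
    """Return the classification of every sample pair."""
    return [classify(c, r) for c, r in samples]
```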