Hacking Samsung Galaxy via Modem interface exposed via USB

“This communication channel is active even when both USB tethering and USB debugging (i.e., ADB) are disabled,” they write, “and can be accessed even when the device is locked. An attacker who gains physical access to a (possibly locked) device can thus use this interface to send arbitrary AT commands to the modem. This permits to perform several actions that should be forbidden by the lock mechanism, including placing phone calls or sending SMS messages.”

Older mobile devices expose the USB serial modem by default, meanwhile, newer phones need to be forced, in this last scenario it is not necessary that the phone is unlocked.

In the case of old Samsung mobile and firmware versions (i.e. the GT-I9192 (Samsung S4 Mini with build I9192XXUBNB1)), is is sufficient to plug the smartphone into a Linux host to expose a usb serial modem which is then accessible by using the corresponding Linux device (e.g., /dev/ttyACM0). Once established the connection to the modem it is possible to send certain AT commands. The attacker can perform a number of operations exploiting this connection, using the AT command AT+USBDEBUG command he enables USB debugging, and AT+WIFIVALUE enables the device’s Wi-Fi.

The security duo developed a proof-of-concept to analyze the attack scenario.

“For our PoC we developed a very rough C tool, usbswitcher, that switches any attached Samsung device to USB configuration #2 (this is fine for the devices we tested, but your mileage might vary). The tool uses libusb to do the job, but the same task can probably be accomplished using the /sys/bus/usb pseudo-filesystem.

The trick we used to force the phone to switch the configuration is to first reset the USB device (via usb_reset()), and then switching the configuration (via usb_set_configuration()). Sometimes it doesn’t work at the first try, so just run usbswitchertwice to ensure the configuration is switched properly :-)”

On newer mobile and firmware versions the situation is more complex as explained by the researchers.

The possible consequences of the attack are obvious, the access to the modem allows the attacker to make phone calls and send SMS messages. The command ATD+123456 allow to starts a phone call to +123456, even when the device is locked.

Below the list of devices tested by the duo:

• SM-G920F, build G920FXXU2COH2 (Galaxy S6)
• SM-N9005, build N9005XXUGBOK6 (Galaxy Note 3)
• GT-I9192, build I9192XXUBNB1 (Galaxy S4 mini)
• GT-I9195, build I9195XXUCOL1 (Galaxy S4 mini LTE)
• GT-I9505, build I9505XXUHOJ2 (Galaxy S4)

[adrotate banner=”9″]

Pierluigi Paganini 

(Security Affairs – Samsung Galaxy, serial modem)