Hacking

Android mobile devices from 11 vendors are exposed to AT Commands attacks

A group of researchers has conducted an interesting study on AT commands attacks on modern Android devices discovering that models of 11 vendors are at risk

A group of researchers from the University of Florida, Stony Brook University, and Samsung Research America, has conducted an interesting research on the set of AT commands that are currently supported on modern Android devices.

The experts published a research paper titled “ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem,” the findings of their study has been presented at the Usenix Security Symposium a few days ago.

The research revealed that millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands.

AT (ATtention) commands is a set of short text strings that can be combined to perform a series for operations on mobile devices, including dialing, hanging up, and changing the parameters of the connection.

The AT commands can be transmitted via phone lines and control modems

Even if international telecommunications regulators have defined the list of AT commands that all smartphones must implement, many vendors have also added custom AT command sets that could be used to manage some specific features of the devices (i.e. camera control).

The experts analyzed over 2,000 Android firmware images from eleven Android OEMs (ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE) and discovered that the devices support over 3,500 different types of AT commands.

The researchers shared their findings with all affected vendors. The team published a website containing the list of phone models and firmware versions that expose the AT interface.

In some cases, using the custom AT commands it was possible to access very dangerous features implemented by the vendors. In many cases, the commands are not documented by vendors.

The experts discovered that almost any devices accept AT commands via the phone’s USB interface. To abuse the AT commands, the attacker needs to have physical access to the device or use an evil component in a USB dock or a charger.

“we systematically retrieve and extract 3,500 AT commands from over 2,000 Android smartphone firmware images across 11 vendors. We methodically test our corpus of AT commands against eight Android devices from four different vendors through their USB interface and characterize the powerful functionality exposed, including the ability to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, and inject touch events solely through the use of AT commands.” reads the research paper.

“We demonstrate that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices.”

Experts explained that AT commands could be abused by attackers to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, and perform other malicious activities.

Another disconcerting discovery made by the experts is that it is possible to submit AT commands even if the phone had entered a locked state.

“In many cases, these commands are completely undocumented,” said Kevin Butler, an associate professor in the University of Florida Herbert Wertheim College of Engineering and a member of the research team, revealing that an OEM’s documentation doesn’t even mention their presence.

Experts demonstrated that arbitrary touchscreen events can be injected over USB  mimicking touchscreen taps, a trick that could give an attacker the take full control over a mobile device.
“Commands for sending touchscreen events and keystrokes are also discovered for LG phones and the S8+; we can see the indications on the screen. We suspect these AT commands were mainly designed for UI automation testing, since they mimic human interactions. Unfortunately, they also enable more complicated attacks which only requires a USB connection” continues the paper.

The researchers published a Shell script that they used during for their tests, it allowed them to find strings containing ATcommands in the examined images.

“AT commands have become an integral part of the Android ecosystem, yet the extent of their functionality is unclear and poorly documented.” concludes the experts.

“We demonstrate that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ATcommands, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

3 hours ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

5 hours ago

Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days

Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…

13 hours ago

Fortinet fixed actively exploited FortiVoice zero-day<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…

16 hours ago

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…

1 day ago

Marks and Spencer confirms data breach after April cyber attack

Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack…

1 day ago