Security researchers have found vulnerabilities in ten popular Android devices that can be exploited to snoop on device owners using Bluetooth and USB accessories.
The vulnerabilities are in the AT commands that are used to communicate with the baseband software in Android smartphones.
Hackers can use this to obtain IMEI and IMSI numbers, intercept calls, forward calls to another number, block the calling feature, kill internet access and much more.
Here are those ten Android devices impacted by the vulnerability:
- Samsung Galaxy S8+
- Samsung Galaxy S3
- Samsung Note 2
- Huawei P8 Lite
- Huawei Nexus 6P
- Google Pixel 2
- LG G3
- LG Nexus 5
- Motorola Nexus 6
- HTC Desire 10 Lifestyle
How can hackers spy on device owners?
All smartphones carry a baseband processor (cellular modem) and an application processor (AP).
The AP is a general-purpose processor, whereas the baseband processor implements the radio-related functionality for cellular connectivity.
The application processor can issue AT (ATtention) commands to interact with the baseband processor and perform different cellular network operations.
While smartphone apps and other parts of the device are restricted from sending AT commands, researchers noted that many Android smartphones allow USB and Bluetooth accessories access to the baseband.
So, bad actors can use these accessories to send AT commands. Researchers discovered over 14 problematic AT commands that can be used to trick the Android device into leaking sensitive information.
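A default-deny gate between an accessory channel and the baseband, as an added example (not code from the researchers or any vendor). The allowlist policy and the sample lines are assumptions; the commands labelled sensitive are standard 3GPP TS 27.007 commands chosen to match the impacts listed above, not the researchers' own list.

```python
import re

# Assumed policy (hypothetical): an accessory channel may only send these
# Bluetooth hands-free status and volume commands on to the baseband.
ACCESSORY_ALLOWLIST = {"+BRSF", "+CIND", "+CMER", "+CLIP", "+CHUP", "+VGS", "+VGM"}

# Standard 3GPP TS 27.007 commands, picked here to match the impact classes the
# article lists; used only to label denials. Not the researchers' own list.
SENSITIVE = {
    "+CGSN": "device identity (IMEI)",
    "+CIMI": "subscriber identity (IMSI)",
    "+CCFC": "call forwarding",
    "+CLCK": "call barring",
    "+CFUN": "radio on/off",
    "+CGATT": "packet data attach/detach",
}

_NAME = re.compile(r"\+[A-Z]+", re.I)
_ARGS = re.compile(r"(\?|=\?|=[0-9,]+)?")  # read, test, or numeric set only

def gate(line):
    """Default-deny check of one AT command line. Returns (allowed, reason)."""
    line = line.strip()
    if line[:2].upper() != "AT":
        return (False, "not an AT command line")
    # Extended commands on one line are separated by ';'.
    for part in (p.strip() for p in line[2:].split(";")):
        if not part:
            continue
        m = _NAME.match(part)
        name = m.group(0).upper() if m else part[:1].upper()
        if name not in ACCESSORY_ALLOWLIST:
            return (False, f"{name}: {SENSITIVE.get(name, 'not allowlisted')}")
        # Reject trailing text so nothing rides along behind an allowed name.
        if not _ARGS.fullmatch(part[m.end():]):
            return (False, f"{name}: unexpected arguments")
    return (True, "")

# Constructed sample traffic from an accessory, for illustration only.
SAMPLE = ["AT+CIND?", "AT+VGS=7", "AT+CGSN", "AT+VGS=7;+CIMI",
          "ATE0+CGSN", "AT+VGS=7+CGSN"]

def audit(lines):
    """Return (line, reason) for every line the gate would block."""
    return [(l, gate(l)[1]) for l in lines if not gate(l)[0]]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE):
        print(f"DENY {line!r}: {reason}")
```

Anything the policy does not name is blocked, so vendor-specific or concatenated commands fail closed instead of needing their own deny rule.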
The security researchers, Syed Rafiul Hussain and his colleagues Imtiaz Karim and Omar Chowdhury, will disclose their findings next month at a security conference.
Samsung and other OEMs responded
When TechCrunch asked for comments, Google said that the problems shouldn’t arise in the Pixel devices owing to the latest security patches.
Meanwhile, Samsung has decided to roll out a security patch for the discussed devices. Huawei did not comment on the vulnerabilities.
AT commands have become a hotspot for hacking Android smartphones. Back in August, research disclosed that millions of Android devices are susceptible to hacks from simple AT commands.