Millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands, a team of security researchers has discovered.

AT (ATtention) commands, or the Hayes command set, is a collection of short-string commands developed in the early 1980s that were designed to be transmitted via phone lines and control modems. Different AT command strings can be merged together to tell a modem to dial, hang up, or change connection parameters.

Unknown to the common user is that modern smartphones include a basic modem component inside them, which allows the smartphone to connect to the Internet via its telephony function, and more.

While international telecommunications bodies have standardized basic AT commands, dictating a list that all smartphones must support, vendors have also added custom AT command sets to their own devices —commands which can control some pretty dangerous phone features such as the touchscreen interface, the device's camera, and more.

Researchers analyze thousands of Android firmware images

In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands are currently supported on modern Android devices.

The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE.

They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions.

Some phones expose AT commands via their USB interface

These AT commands are all exposed via the phone's USB interface, meaning an attacker would have to either gain access to a user's device, or hide a malicious component inside USB docks, chargers, or charging stations.

Once an attacker is connected via the USB to a target's phone, he can use one of the phone's secret AT commands to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, or even inject touch events solely through the use of AT commands.

In the happiest cases, these AT commands are only available only when the phone's USB debugging function has been enabled, but researchers said they found many devices where attackers had direct access to AT commands, even if the phone had entered a locked state.

"In many cases, these commands are completely undocumented," said Kevin Butler, an associate professor in the University of Florida Herbert Wertheim College of Engineering and a member of the research team, revealing that an OEM's documentation doesn't even mention their presence.

The two videos below provide a simple explanation for AT-based attacks, but also a demo attack against an LG smartphone found to expose many internal phone functions via AT commands.

The biggest danger, as shown in the videos above, is an attacker's ability to mimic touchscreen taps, allowing an intruder to take full control over a device and install malicious apps for further surveillance.

"It's essentially like having a ghost user on your phone," Butler said.

Phone vendors have been notified

The research team says it notified all vendors which they found to be exposing AT commands via their phones' USB interface. They also published a website containing a database of phone models and firmware versions that they found exposing the AT interface.

Researchers only tested access to the AT command set on Android devices via the USB interface. They also plan on testing Apple devices, but also if AT commands are available via remote access vectors such as a phone's WiFi or Bluetooth connections.

The team also published a Shell script that they used during their research to examine Android firmware and find strings containing AT commands. The script is available on GitHub.

This is not the first work of its kind. It's been known for many years that Android devices are vulnerable to attacks carried out via AT commands [1, 2, 3], but this research is the most comprehensive to date.

More details about this research are available in a research paper entitled "ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem." Researchers presented their white paper at the Usenix Security Symposium held in Baltimore, USA in mid-August.