AT commands, originally designed in the early 80s for controlling modems, are still in use in most modern smartphones to support telephony functions. The role of AT commands in these devices has vastly expanded through vendor-specific customizations, yet the extent of their functionality is unclear and poorly documented. In this work, we systematically retrieved and extracted 3,500 AT commands from over 2,000 Android smartphone firmware images across 11 vendors. We methodically tested our corpus of AT commands against eight Android devices from four different vendors through their USB interface and characterized the powerful functionality exposed, including the ability to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, and inject touch events solely through the use of AT commands. We demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices.

Research Artifacts

To spur further research into AT commands, we are releasing a web interface to the database of AT commands discovered. For more details on the process of extracting the commands, view the paper. If you are interested in some of the code used during this project, check out our GitHub. Finally, to see a demonstration of an AT command controlling a phone, view the video.

Reference

If your research benefited from our work, please use the following BibTeX to cite our paper:

@inproceedings{tian_attention_18,
  author    = {Dave Tian and Grant Hernandez and Joseph Choi and Vanessa Frost and Christie Ruales and Kevin Butler and Patrick Traynor and Hayawardh Vijayakumar and Lee Harrison and Amir Rahmati and Mike Grace},
  title     = {{ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem}},
  booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
  year      = {2018},
  isbn      = {978-1-931971-232},
  address   = {Baltimore, MD},
  pages     = {351--366},
  url       = {https://www.usenix.org/conference/usenixsecurity18/presentation/tian},
  publisher = {{USENIX} Association},
}

FAQ

What are AT commands?

AT (ATtention) commands were first developed by Dennis Hayes in 1981 for controlling modems. These commands, when accepted by a modem in data mode (without needing a separate port), allow: selection of communication protocol, setting of line speed, dialing numbers, hanging up calls, etc. Since their inception in the 1980s, AT commands have become the preferred means of controlling modems, with standardized AT command sets being issued by authorities such as the International Telephone Union (ITU-T) and the European Telecommunications Standards Institute (ETSI).

What about AT commands on (Android) smartphones?

Smartphones contain cellular baseband processors that provide modem functionality, allowing these devices to communicate with the cellular network, and accept AT commands for configuration. Beyond just standardized modem commands, we found that some Android device manufacturers will add custom/proprietary AT commands; these extended AT commands often do not invoke telephony-related functionality but instead access other resources on the device.

How does this affect me?

On some Android smartphones, an AT command interface is exposed over USB without USB debugging enabled. Unfortunately, some devices do not authenticate this interface or allow it to be used from the lockscreen. We found that in some cases the "charge-only" USB mode may also fail to block AT commands. This means unsuspecting users who plug in their phones to a USB port for charging or data transfer may have their devices locally compromised by a (possibly pre-recorded) sequence of AT commands. Furthermore, many commands, such as those for exfiltrating sensitive data, have no visible side effects.
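A host-side audit for the exposure described above, as an added example that is not code from the paper or its authors: it lists the USB interfaces on a Linux host that advertise the standard CDC ACM (modem) class, so you can see what your own phone exposes while locked or in charge-only mode. It assumes Linux sysfs descriptor files; the function names, the sample tree, the vendor ID `1234` and the product name `Example Phone` are constructed for illustration, and a modem interface published under a vendor-specific class would not be matched by this check.

```python
import tempfile
from pathlib import Path

CDC_COMM_CLASS = 0x02   # USB Communications class
ACM_SUBCLASS = 0x02     # Abstract Control Model (modem-style control channel)
AT_PROTOCOLS = set(range(0x01, 0x07))  # CDC codes for AT command sets (0x01 = V.250)

def _read(path, default=""):
    try:
        return path.read_text().strip()
    except OSError:
        return default

def find_modem_interfaces(sysfs_root="/sys/bus/usb/devices"):
    """Return one dict per USB interface that advertises CDC ACM."""
    root, findings = Path(sysfs_root), []
    for iface in sorted(root.iterdir()):
        if ":" not in iface.name:  # "1-1" is a device, "1-1:1.0" an interface
            continue
        try:
            cls, sub, proto = (int(_read(iface / f), 16) for f in
                               ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        except ValueError:  # descriptor file missing or empty
            continue
        if (cls, sub) != (CDC_COMM_CLASS, ACM_SUBCLASS):
            continue
        dev = root / iface.name.split(":")[0]
        findings.append({"interface": iface.name, "vendor_id": _read(dev / "idVendor"),
                         "product": _read(dev / "product", "unknown"),
                         "at_protocol": proto in AT_PROTOCOLS})
    return findings

def build_sample_tree(root):
    """Constructed sysfs-like tree: one phone with a PTP and a CDC ACM interface."""
    files = {"1-1/idVendor": "1234", "1-1/product": "Example Phone",
             "1-1:1.0/bInterfaceClass": "06", "1-1:1.0/bInterfaceSubClass": "01",
             "1-1:1.0/bInterfaceProtocol": "01",
             "1-1:1.1/bInterfaceClass": "02", "1-1:1.1/bInterfaceSubClass": "02",
             "1-1:1.1/bInterfaceProtocol": "01"}
    for rel, value in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(value + "\n")
    return root

if __name__ == "__main__":
    live = Path("/sys/bus/usb/devices")
    root = live if live.is_dir() else build_sample_tree(tempfile.mkdtemp())
    print(find_modem_interfaces(root))
```

Running it once with the phone unlocked and once with it locked or set to charge-only shows whether the modem interface stays enumerated in the states where it should not be reachable.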

Have you found any vulnerabilities?

Yes. We have notified each vendor of any relevant findings and have worked with their security teams to remediate the issues. For LG we were assigned the vulnerability number LVE-SMP-180001.

Did you find any remotely exploitable vulnerabilities?

No. All of our investigation centered on the device's USB connection. We did not investigate remote AT attack surface, but the first places we would look would be the Bluetooth interface and the baseband.

Do you have a list of devices that this affects?

We do, in our full paper linked above. While we could not test every device, we tried to study more at once than previous work.

But what about X?

If you have further questions not answered by this page or by our paper, please reach out to the authors on Twitter (Grant Hernandez, Dave Tian, Kevin Butler) or via the email in the page footer.

Acknowledgments

We'd like to thank Samsung Research America for kickstarting the initial research during Dave Tian's internship and for lending us Android devices for testing.



This work was supported by the National Science Foundation under grants CNS-1540217, CNS-1526718, CNS-1564140, and CNS-1617474.