It seems there is no end to hacker efforts to destroy the technology that we trust. The news regarding the latest hacks and scams can seem unending.
In the latest news, security researchers have discovered that hackers are exploiting a weakness that tricks certain Android phones into supplying access to underlying baseband software, normally reserved for accessories, allowing the phones to be used to spy on their owners.
According to research, hackers gain that access to unique identifiers, such as the phones’ IMEI and IMSI numbers, through the software that allows the phone’s modem to communicate with the cell network to make calls or connect to the Internet.
Because the baseband is so important to the phone’s functions, it’s often not available to the rest of the device and has command blacklisting that prevents commands that aren’t critical from running.
But at least 10 different Android phones – including Google Pixel 2, Huawei Nexus 6P, and Samsung Galaxy S8+ – allow Bluetooth and USB accessories to have access to the baseband. Attackers can exploit accessories like headphones to run the commands.
“The impact of these attacks ranges from sensitive user information exposure to complete service disruption,” reported co-authors of the research Syed Rafiul Hussain and Imtiaz Karim in an email to TechCrunch.
Baseband firmware accepts AT commands that control cellular functions on devices. Hussain, Karim, and the other researchers developed ATFuzzer, a tool that searches for AT commands that could prove to become a problem. This tool found 14 commands that could trick Android phones into giving up sensitive data from the device and manipulate phone calls.
Not all of the devices are vulnerable to the same commands. Some were vulnerable to spying on the user or listening in on phone calls, while others were vulnerable to commands that could block phone calls or Internet access.
“The attacks can be easily carried out by an adversary with cheap Bluetooth connectors or by setting up a malicious USB charging station,” said the researchers, meaning the phones are vulnerable when they’re connected to a computer or using a Bluetooth device.
“If your smartphone is connected with a headphone or any other Bluetooth device, the attacker can first exploit the inherent vulnerabilities of the Bluetooth connection and then inject those malformed AT commands,” reported Hussain and Karim.
It’s not known how Huawei plans to address this, but Samsung is working on patches to cover this vulnerability, and Google said, “The issues reported are either in compliance with the Bluetooth specification or do not reproduce on Pixel devices with up-to-date security patches.”
What this means is that, as always, it’s important to keep up with OS updates. Often updates contain security patches for known issues, and by not updating, you are missing out on vital security fixes.
Is your Android phone up to date? Let us know how you think this Android security hack could affect you.