Global Impact

Smartphone security risk compared to “having a ghost user on your phone”

Millions of smartphones likely have vulnerabilities that could allow hackers to easily take control of phones and extract private information without users ever knowing, new research shows.

What’s more, the hack can happen when a user does something as simple as plug a phone into an airport charging station.

“It's not just an unknown computer that's a problem, but anything that you plug your USB cable into: a charging station, a kiosk ... For all we know there could be something malicious on the other side injecting these commands to your phone,” said Kevin Butler, an associate professor in the University of Florida Herbert Wertheim College of Engineering and a leader of the research team that uncovered the weaknesses.

Researchers hacked eight devices, including the Google Nexus 5, LG G4 and Samsung Galaxy S8 Plus. The device responses ranged from hidden menus popping up to phones being factory reset.

In a video demonstrating commands being sent to an LG phone, Grant Hernandez, a UF computer engineering doctoral student, explains how the touch screen can be manipulated without actually touching it. Also shown in the video, and possibly more worrisome, is the ability of AT commands to bypass the lock screen.

“It’s essentially like having a ghost user on your phone,” Butler said.

Butler and his team alerted the vendors and supplied the code used to exploit the vulnerabilities. LG and Samsung responded promptly to the findings by developing a security patch, released in July, to address the lock and touch screen issue, with acknowledgements going out to Butler. 

But millions of other smartphones likely remain at risk, Butler said. He and his team plan to investigate more devices and manufacturers like Apple, whose devices are known to also respond to AT commands.

In their study, presented Aug. 15 at the 2018 USENIX Security Symposium in Baltimore, the team sent the phones instructions called AT commands through a USB cable. Those commands, composed of the letters “A” and “T” followed by a short string of characters, were originally developed in the 1980s to control dial-up modems. Today, these commands are still used by smartphones whenever they make calls or send text messages.

Over time, phone manufacturers have created thousands of custom AT commands to tell phones to perform other tasks like taking pictures. That could come in handy during development to test devices, Butler said, but due to the nature of corporate practice, the full capability and potential security risk posed by those commands has not been well documented.

Dave Tian, a doctoral student in Butler’s lab, began studying the effects of AT commands on Samsung devices while interning at the company. When he returned to UF after his internship, he did a deeper dive.

To study AT commands comprehensively, Butler and his team collected commands from 11 different vendors. After downloading over 2,000 files from manufacturer and third-party websites, the team wrote code to automatically extract commands from those files and created a database that included 3,500 unique commands.

“This is by far the largest collection of AT commands as far as we know,” Butler said.

At first it was unclear to the researchers what commands would do or if commands made by one manufacturer could work on devices from other manufacturers.

“In many cases, these commands are completely undocumented. The next step was to actually take our big list of commands and find out what would happen if we ran them on real devices,” Butler said.

Said Hernandez: “By sending one command, despite there being a password enabled, you could just skip straight to the home screen. It was quite shocking because this was all done with little text commands we were sending through a USB cable.”

Butler urged users to update their phones with security patches as soon as they are available and be aware of where devices are being plugged in, as connecting to an unknown computer could expose the device to an attack.

Jonathan Griffin Author
Bernard Brzezinski Photography
August 22, 2018