Half a dozen (and possibly even more) Samsung Galaxy phones can be made to place phone calls or send text messages even when they are locked, thanks to exposed USB modems.
Researchers Roberto Paleari and Aristide Fattori, who a few months back demonstrated the lock screen bypass attack on a Samsung Galaxy S6 phone, have now shared more technical details about it and provided a PoC tool for mounting it.
Samsung lock bypass (vanilla fw, no other apps). Simple trick, no ninja exploit. Not sure if bug or feature /cc @joystick pic.twitter.com/xsQ3NkghVS
— Roberto Paleari (@rpaleari) December 10, 2015
“In a nutshell, when connected to a USB master (e.g., a normal laptop), Samsung Android phones expose (or can be forced to expose) a serial interface which can be exploited to communicate with the USB modem,” they explained.
“This communication channel is active even when both USB tethering and USB debugging (i.e., ADB) are disabled, and can be accessed even when the device is locked. An attacker who gains physical access to a (possibly locked) device can thus use this interface to send arbitrary AT commands to the modem.”
Not all commands will work, because not all of them are passed through to the baseband modem, and most won't work on newer phones and firmware versions because Samsung introduced a blacklist-based mechanism that filters out dangerous ones.
But on older phones, attackers could make them place phone calls or send SMS messages – something that usually can't be done while the phone is locked.
Also, on newer firmware versions the attack won’t work in the default configuration, but the researchers developed a tool, dubbed “usbswitcher,” that switches any attached Samsung device to a secondary USB configuration, which exposes the modem.
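The blacklist filter described above is the part a defender will want to reason about, so here is an added example (not the researchers' tool and not Samsung's firmware code): a small Python model of a modem-side AT command gate, comparing a deny-by-default allowlist with a blacklist of the same intent. The command policy in both lists and the `+XFAKE` command are constructed for illustration only.

```python
import re

# Constructed policy for a locked device: answer identification and
# signal-quality queries over the USB serial interface, nothing that
# dials (ATD) or sends SMS (AT+CMGS). "" stands for a bare "AT" probe.
ALLOWED = {"", "I", "+CGMI", "+CGMM", "+CGSN", "+CSQ", "+CREG"}

# Blacklist with the same intent, for contrast: only commands named here
# are refused, so any command the list did not anticipate passes.
BLOCKED = {"D", "+CMGS"}

# A basic command name is one letter (ATD5551234 -> "D"); an extended one
# is '+' followed by letters/digits, ending at '=', '?' or end of text.
_NAME_RE = re.compile(r"^(\+[A-Z0-9]+|[A-Z])")


def command_names(line):
    """Return the command names in one AT line, or None if it is not AT.

    One line may carry several commands separated by ';' after the "AT"
    prefix, so every part is extracted; a gate that judged only the first
    one would leave the rest unexamined. Unparsable parts become None.
    """
    s = line.strip().upper()
    if not s.startswith("AT"):
        return None
    names = []
    for part in s[2:].split(";"):
        part = part.strip()
        if part == "":
            names.append("")          # bare "AT" or a trailing ';' (voice dial)
            continue
        m = _NAME_RE.match(part)
        names.append(m.group(1) if m else None)
    return names


def allowlist_gate(line):
    """Deny by default: every command in the line must be on ALLOWED."""
    names = command_names(line)
    return names is not None and all(n in ALLOWED for n in names)


def blacklist_gate(line):
    """Allow by default: refuse only when some command is on BLOCKED."""
    names = command_names(line)
    return names is not None and not any(n in BLOCKED for n in names)


if __name__ == "__main__":
    for line in ["AT", "AT+CGMI;+CSQ", "ATD5551234;", 'at+cmgs="5551234"', "AT+XFAKE"]:
        print(f"{line!r:22} allowlist={allowlist_gate(line)} blacklist={blacklist_gate(line)}")
```

The `+XFAKE` line is the point of the contrast: the blacklist passes a command it never heard of, while the allowlist refuses it.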