We often overlook the fact that our smartphones can have many vulnerabilities that hackers can use to cause mischief and even steal our information (and sometimes money). A research team from the University of Florida has uncovered a new weakness in eight devices that comes from plugging your phone into something as seemingly innocuous as a charging station. The attack acts as if your phone has a “ghost user” and is able to manipulate your device without actually touching it.
The researchers were able to hack into eight devices, including the Google Nexus 5, LG G4, and the Samsung Galaxy S8+. They were able to make hidden menus pop up and even force the phones into a factory reset. They posted a video showing how they manipulated the touch screen of an LG phone through commands, and they even used AT commands that can bypass the lock screen.
They presented the study at the 2018 USENIX Security Symposium, where they explained how they were able to send the AT commands through a USB cable. The vulnerability can manifest itself in places where you plug in your phone to recharge, like an airport kiosk or a charging station in a coffee shop. A lot of companies still use AT commands to test devices during the development phase. But it looks like these commands may also let some hackers get into devices that they can access remotely.
The research team from UF's Herbert Wertheim College of Engineering alerted the OEMs and sent them the code that enabled them to exploit the vulnerabilities. Both LG and Samsung were able to develop and release a security patch last July to protect their users from these lock screen and touchscreen issues. The team plans to investigate and document more devices and manufacturers that may be at risk.
So how can you protect your phone from such attacks? First of all, you need to update your phone every time your OEM releases a security patch, even if you don’t understand exactly what it is for. Second, you need to be aware that connecting your phone to an unknown computer or charging device is risky, so err on the side of caution.