A new vulnerability affects Android smartphones and endangers hundreds of thousands of devices. The alarm was raised by researchers from Purdue University and Iowa University, who published a research paper showing that some Bluetooth devices or USB accessories can steal sensitive smartphone information such as the IMEI number, the code used to identify a mobile phone.
The technique discovered by the researchers gives a potential attacker a long list of possible actions, all of them dangerous to users' personal data. And not only that: the devices can in turn be used to launch DDoS (Distributed Denial of Service) attacks capable of knocking out a website or a company network. The research was carried out on a dozen Android smartphones with different processors, Qualcomm, HiSilicon (Kirin) and Samsung (Exynos), and all were vulnerable to attack, though in different ways.
The researchers immediately alerted the manufacturers and waited ninety days before publishing the report, to allow time to develop a patch. The only company that gave the researchers an answer was Samsung, which started developing a fix that will be released with the next updates.
How the vulnerability that affects Android smartphones works
Let's start with the conclusion: the vulnerability discovered by the researchers is rather complicated to exploit and requires a considerable investment of time from the attackers. But some attackers could still exploit it to steal your personal information.
As explained in the research paper, the attack affects several Android smartphones and exploits an operating system flaw to “enter” the device. To do this, the attacker needs Bluetooth devices or USB accessories designed specifically for this type of operation. The researchers have shown that these devices can be used to execute AT commands on the phone. These are commands that set features such as connection type, waiting times, and busy signal detection. With them it is also possible to get the IMEI number of the smartphone, take control of the phone to perform DDoS attacks, or remotely cut off the smartphone's connectivity. All of these affect functions that are important in a person's everyday life.
The list of Android smartphones affected by the vulnerability
The researchers tested ten devices from six different manufacturers. Here is the complete list:
Galaxy S8+
Google Pixel 2
Huawei Nexus 6P
Motorola Nexus 6
Galaxy Note 2
LG Nexus 5
HTC Desire 10 Lifestyle
Huawei P8 Lite
These are fairly dated smartphones, but this does not mean that newer devices are not equally vulnerable to attack. As mentioned above, the researchers have warned the manufacturers, which are working to release a security patch as soon as possible. Samsung was the first to get to work on a solution to the problem.