2015 Samsung Lock Bypass Exploit Details Revealed
In December of 2015 an exploit was revealed on Twitter that showed a Samsung Galaxy S6 lock screen being bypassed.
— Roberto Paleari (@rpaleari) December 10, 2015
Not much was revealed at the time other than the proof of concept. Now that the disclosure period has expired the details are making their way out to the public. The exploit was pushed to Github on Monday and reveal that it was discovered by the original posters Robetro Paleari and Aristide Fattori. When connecting to a USB device it was possible to send AT commands to the modem, even when USB debugging was disabled. From there it proceeded to allow phone calls and SMS messages to be initiated, even from a locked state. What was more concerning is that certain commands, such as AT+USBDEBUG, were able to turn on USB debugging on a device and could open it up to even more potential threats. The access was provided in Linux by the same mode that enables MTP – a secondary mode enabled communications access to the modem.
From one side this makes sense as older devices allowed to double as a modem – I remember using older devices like this to connect to the internet on a laptop even in the late 90s. But this also required the device to be on and actively selected for use as a modem. In addition the normal thinking of issuing serial commands to a modem would be that it would be processed by the modem only. In that train of thought it shouldn’t even be possible to have commands get back into the Android environment. This is why it seems unlikely Samsung intended this to work in a locked state but wasn’t certain at the time the exploit was discovered. The end of the notice updates the situation, indicating that Samsung has taken action on newer firmware releases to help block dangerous commands. If you’re curious on what devices and builds this was tested on, they are also located at the bottom of the notice.
Want to find out more? Check out the details on Github!