Saturday, October 4, 2008

Sending AT commands to mobile phones

Executing AT commands is one of the main goals of hypothetical attacks on mobile phones. AT commands are a set of instructions that allow remote configuration and operation of a GSM device such as a mobile phone, much like a "remote shell". However, manufacturers do not always implement all of the AT commands in their devices. I divide them into three groups:
  • Basic operations: voice and data calls, set call divert, manufacturer info, model info, IMEI, battery status, signal status.
  • Address book operations: read, add and delete contacts from the address book and also get the last dialed/missed/received calls list.
  • SMS operations: list, read, write, send and delete SMS messages.
Each of these groups may or may not be implemented by manufacturers. Usually, the basic operations group is.

AT commands can be sent to a mobile phone through the Dial Up Networking Bluetooth service. A link to that service requires authentication and authorization, so both devices must be paired up and the phone user must have accepted a connection attempt from the box.

In order to pair Ubuntu with any other Bluetooth device, the /etc/bluetooth/hcid.conf file must be configured properly. The standard configuration in Ubuntu works fine:

#
# HCI daemon configuration file.
#

# HCId options
options {
    # Automatically initialize new devices
    autoinit yes;

    # Security Manager mode
    #   none - Security manager disabled
    #   auto - Use local PIN for incoming connections
    #   user - Always ask user for a PIN
    #
    security user;

    # Pairing mode
    #   none  - Pairing disabled
    #   multi - Allow pairing with already paired devices
    #   once  - Pair once and deny successive attempts
    pairing multi;

    # Default PIN code for incoming connections
    passkey "1234";
}

# Default settings for HCI devices
device {
    # Local device name
    #   %d - device id
    #   %h - host name
    name "%h-%d";

    # Local device class
    class 0x000100;

    # Default packet type
    #pkt_type DH1,DM1,HV1;

    # Inquiry and Page scan
    iscan enable; pscan enable;
    discovto 0;

    # Default link mode
    #   none   - no specific policy
    #   accept - always accept incoming connections
    #   master - become master on incoming connections,
    #            deny role switch on outgoing connections
    lm accept;

    # Default link policy
    #   none    - no specific policy
    #   rswitch - allow role switch
    #   hold    - allow hold mode
    #   sniff   - allow sniff mode
    #   park    - allow park mode
    lp rswitch,hold,sniff,park;
}


With this configuration, the system shows an applet asking the user to confirm the PIN when the pairing process takes place.
This is because the security user; option tells Ubuntu to hand PIN requests to the GNOME desktop environment. If security auto; is set instead, Ubuntu answers incoming pairing requests with the line passkey "1234"; and never asks the user. This behaviour can be replaced by another PIN helper, such as the old bluepin Python script, simply by installing it and pointing to its path with pin_helper /???/bluepin; instead.
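The difference between security user; and security auto; is the whole point of the paragraph above: with auto plus the stock passkey "1234", the box will pair with anything that presents that PIN, with no human in the loop. The following Python script is an added example (not from the original post) that parses the hcid.conf "section { key value; }" layout and flags that combination, together with discovto 0 (never leave discoverable mode). The three configurations are constructed inline from the snippet on this page; the "hardened" variant assumes discovto takes a timeout in seconds.

```python
import re
from typing import Dict, List

# Constructed from the stock Ubuntu hcid.conf shown on this page (comments dropped).
STOCK_CONF = """
options {
    autoinit yes;
    security user;
    pairing multi;
    passkey "1234";
}
device {
    name "%h-%d";
    class 0x000100;
    iscan enable; pscan enable;
    discovto 0;
    lm accept;
    lp rswitch,hold,sniff,park;
}
"""

# Constructed variant: the daemon answers pairing requests with the stored passkey itself.
AUTO_CONF = STOCK_CONF.replace("security user;", "security auto;")

# Constructed variant: stop being discoverable after a timeout (assumed to be in seconds).
HARDENED_CONF = STOCK_CONF.replace("discovto 0;", "discovto 120;")

# PINs that ship as defaults in many Bluetooth configs; treat them as "no PIN at all".
DEFAULT_PINS = {"0000", "1234"}


def parse_hcid_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse hcid.conf into {section: {keyword: value}}.

    '#' comments are stripped, quotes around values are removed, and several
    statements on one line ('iscan enable; pscan enable;') are split on ';'.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        opener = re.match(r"^(\w+)\s*\{$", line)
        if opener:
            current = opener.group(1)
            sections.setdefault(current, {})
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            continue                           # statement outside any block: ignore
        for stmt in line.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, value = stmt.partition(" ")
                sections[current][key] = value.strip().strip('"')
    return sections


def audit_hcid_conf(text: str) -> List[str]:
    """Return findings as 'code: explanation' strings; an empty list means nothing flagged."""
    conf = parse_hcid_conf(text)
    opts = conf.get("options", {})
    dev = conf.get("device", {})
    findings: List[str] = []

    security = opts.get("security")
    if security == "none":
        findings.append("security-none: security manager disabled, no authentication at all")
    elif security == "auto":
        findings.append("security-auto: incoming pairings are answered with the stored passkey, nobody is asked")
        if opts.get("passkey") in DEFAULT_PINS:
            findings.append(f"default-passkey: passkey \"{opts['passkey']}\" is a well-known default")

    if dev.get("iscan") == "enable" and dev.get("discovto") == "0":
        findings.append("discovto: inquiry scan enabled with discovto 0, the box stays discoverable indefinitely")
    return findings


if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("auto", AUTO_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]", audit_hcid_conf(conf) or "no findings")
```

The parser deliberately keeps the last value when a keyword is repeated inside a block, which is what matters for an audit: a second `security` line further down silently overrides the first one.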

How to send AT commands to a mobile phone

First, discover the mobile phone and get the RFCOMM channel associated with its Dial Up Networking service.

Then connect with rfcomm connect 0 BD_ADDR DUN_channel.
The link to Dial Up Networking service will require authentication and authorization between the mobile phone and the box.

If the two devices have not been paired up yet, the pairing process (authentication) starts: the phone asks its user to enter a PIN, that PIN must then be confirmed in Ubuntu, and the system reports that both devices are paired.
If the Ubuntu box is not in the phone's list of trusted devices (a previous connection is needed for that), the phone asks its user to accept the connection (authorization) to the Bluetooth service.

Once the RFCOMM link has been established, AT commands can be sent to the phone using the cu tool, included in the Taylor UUCP package.
