Topic: AT&T Android phone potential exploit

So, as some of you know, AT&T has that "AT&T Wifi Hotspot" crap at their stores. However, how many of you with an Android phone with AT&T carrier have noticed you can't delete the "attwifi" network entry from the Wifi section of Settings? If the AT&T Wifi app is enabled, your phone will automatically connect to said network and transmit enough data to have the ability to make calls from anywhere look like they came from said phone. I think we can find a way to use this to create a "call botnet" to call and send SMS/MMS and make it look like it came from a victimized phone! I have no idea how this could be done, as the phone requires the AP to send a certificate verifying its legitimacy before it'll auto-connect and send the info we'd need, but we might be able to find a way to fake the certificate, so who knows? I'm just putting this out there.

I like to examine and theorize about everything, from Amazon's "impenetrable" ultravisor to autorun viruses (virii?) being technology's version of an STD (Slot Transmitted Disease).
I dabble in Python 2.x and non-stereotypical BATCH (x>50 lines). I also fuck up VMs from time to time.

┬──┬ ︵ /(.□. \)


Re: AT&T Android phone potential exploit

Yeniaul wrote:

So, as some of you know, AT&T has that "AT&T Wifi Hotspot" crap at their stores. However, how many of you with an Android phone with AT&T carrier have noticed you can't delete the "attwifi" network entry from the Wifi section of Settings? If the AT&T Wifi app is enabled, your phone will automatically connect to said network and transmit enough data to have the ability to make calls from anywhere look like they came from said phone. I think we can find a way to use this to create a "call botnet" to call and send SMS/MMS and make it look like it came from a victimized phone! I have no idea how this could be done, as the phone requires the AP to send a certificate verifying its legitimacy before it'll auto-connect and send the info we'd need, but we might be able to find a way to fake the certificate, so who knows? I'm just putting this out there.

Very interesting concept. People should ALWAYS be careful when connecting to wifi hotspots. Ideally, they should only connect to those made by their friends and not ones made by people they have never met before, no matter how trustworthy the source. We shall have to look into this and see if it develops into anything. Perhaps Android phone manufacturers should warn users when they are connecting to an open wifi network?

I like to screw up virtual machines
I enjoy looking at malware.
Hey look, a squirrel!


Re: AT&T Android phone potential exploit

"Perhaps Android phone manufacturers should warn users when they are connecting to an open wifi network?"
If it's their network, the devices should be secure.
...but is it their network?
NOPE. I tested with a router I had stashed in my closet. All you have to do is send the ASCII text "ATTNet" followed by 26 null bytes as data to the device when it's time to send the certificate, then the call botnet is up for the making. This works... about 36% of the time on average, with variation across other AT&T devices. I'd like a more reliable way to craft the certificate, but it's good enough for a PoC if anyone wants to do one.

I like to examine and theorize about everything, from Amazon's "impenetrable" ultravisor to autorun viruses (virii?) being technology's version of an STD (Slot Transmitted Disease).
I dabble in Python 2.x and non-stereotypical BATCH (x>50 lines). I also fuck up VMs from time to time.

┬──┬ ︵ /(.□. \)
