Popular Android devices can be tricked into spying on their owners via dodgy charging cables and Bluetooth speakers, according to researchers at two US universities.
Hackers can snoop on users by exploiting a weakness that gives USB and Bluetooth accessories access to the phone’s underlying software.
Related: Best smartphone
These devices can be fooled into giving up unique identifiers such as IMEI and IMSI numbers, intercepting phone calls, forwarding calls to other phones and blocking phone calls and internet access altogether.
Attackers can do this by taking advantage of a flaw in the baseband firmware, which some Android phones give USB and Bluetooth accessories access to.
The researchers developed a tool to seek out commands and discovered “4 invalid AT command grammars over Bluetooth and 13 over USB with implications ranging from DoS, downgrade of cellular protocol version (e.g., from 4G to 3G/2G) to severe privacy leaks” which hackers could potentially access via budget Bluetooth connectors or malicious USB charging stations.
Related: Best Android phones
Luckily, the vulnerability doesn’t seem to affect any phones launched in the last year. The newest in the list are the Pixel 2 and the Galaxy S8 Plus, both of which were released in 2017. However, they’re both very big-name devices.
According to the report, Samsung has already begun to roll out patches to fix the error, while Google has said that “the issues reported are either in compliance with the Bluetooth specification or do not reproduce on Pixel devices with up to date security patches”.