Makers of high-end Android devices are responding to the discovery of a Qualcomm chip flaw that researchers say could be exploited to partially backdoor about a third of the world’s smartphones.
The vulnerability, discovered by researchers from security firm Check Point Research, resides in Qualcomm’s Mobile Station Modem, a system of chips that provides capabilities for things like voice, SMS, and high-definition recording, mostly on higher-end devices made by Google, Samsung, LG, Xiaomi, and OnePlus. Phone-makers can customize the chips so they do additional things like handle SIM unlock requests. The chips run in 31 percent of the world’s smartphones, according to figures from Counterpoint Research.
The heap overflow the researchers found can be exploited by a malicious app installed on the phone, and from there the app can plant malicious code inside the MSM, Check Point researchers said in a blog post published Thursday. The nearly undetectable code might then be able to tap into some of a phone’s most vital functions.
“This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations,” the researchers wrote. “A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limitations imposed by service providers on it.”
Fixes take time
Check Point spokesman Ekram Ahmed told me that Qualcomm has released a patch and disclosed the bug to all customers who use the chip. Because of the intricacies involved, it’s not yet clear which vulnerable Android devices are fixed and which ones aren’t.
“From our experience, the implementation of these fixes takes time, so some of the phones may still be prone to the threat,” he wrote in an email. “Accordingly, we decided not to share all the technical details, as it would give hackers a roadmap on how to orchestrate an exploitation.”
In a statement, Qualcomm officials wrote:
Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available.
On background, a spokesman said that the vulnerability will also be included in the public June Android bulletin. He recommended users contact phone manufacturers to find out the status of fixes for their device.
The vulnerability is tracked as CVE-2020-11292. Check Point discovered it by using a process known as fuzzing, which exposed the chip system to unusual inputs in an attempt to find bugs in the firmware. Thursday’s research provides a deep dive into the inner workings of the chip system and the general outline they used to exploit the vulnerability.
The research is a reminder that phones and other modern-day computing devices are actually a collection of dozens if not hundreds of interconnected computing devices. While successfully infecting individual chips typically requires nation-state-level hacking resources, the feat would allow an attacker to run malware that couldn’t be detected without time and money.
“We believe this research to be a potential leap in the very popular area of mobile chip research,” Check Point researchers wrote. “Our hope is that our findings will pave the way for a much easier inspection of the modem code by security researchers, a task that is notoriously hard to do today.”
Post updated to add comment from Qualcomm.