Patching of a critical Qualcomm chip bug is underway on Android devices
Manufacturers of high-end Android devices are responding to the discovery of a Qualcomm chip bug that researchers say could be exploited to partially backdoor about a third of the world's smartphones.
The vulnerability, discovered by researchers at the security firm Check Point Research, lies in Qualcomm's Mobile Station Modem (MSM), a system of chips that provides voice, SMS and high-definition recording capabilities, mostly on high-end devices made by Google, Samsung, LG, Xiaomi and OnePlus. Phone manufacturers can customize the chips to perform additional tasks such as handling SIM unlock requests. According to Counterpoint Research, the chips are found in 31 percent of the world's smartphones.
The heap overflow found by the researchers can be exploited by a malicious app installed on the phone, and from there the app can inject malicious code into the MSM, Check Point researchers said in a blog post published Thursday. Because the modem runs its own firmware outside the view of Android, the injected code is nearly invisible to the operating system and could then tamper with some of the phone's most important functions.
“What this means is that an attacker could use this vulnerability to insert malicious code from Android into the modem, giving it access to the device user’s call history and SMS, as well as the ability to eavesdrop on the device user’s conversations,” the researchers wrote. “A hacker could also exploit the vulnerability to unlock the device’s SIM card, thereby breaking the restrictions imposed by the service providers.”
Fixes take time
Check Point spokesman Ekram Ahmed told me that Qualcomm had released a patch and disclosed the bug to all customers using the chip. Because of the complexities involved, it is not yet clear which vulnerable Android devices have been patched and which have not.
“In our experience, these fixes take time to implement and some phones may still be exposed to the threat,” he wrote in an email. “Accordingly, we decided not to share all of the technical details as this would give hackers a roadmap for orchestrating an exploitation.”
In a statement, Qualcomm officials wrote:
Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies made fixes available to OEMs in December 2020. We encourage end users to update their devices as patches become available.
On background, a spokesperson said the vulnerability will also be included in the June Android public bulletin. He recommended that users contact their phone manufacturers to check the patch status of their devices.
The vulnerability is being tracked as CVE-2020-11292. Check Point found it through a process known as fuzzing, which involves feeding the chip system malformed and unexpected input to surface bugs in the firmware. Thursday's research provides an in-depth look at the internals of the chip system and the general outline of the approach used to exploit the vulnerability.
The research is a reminder that phones and other modern computing devices are actually collections of dozens, if not hundreds, of interconnected computing devices. While successfully infecting individual chips usually requires nation-state-level hacking resources, an attacker with that level of capability can run malware that cannot be detected without considerable time and money.
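The page describes the bug only as a heap overflow reachable from an app and found by fuzzing; it does not give the message format or the affected handler. The following is an added illustration, not Check Point's exploit or Qualcomm's code: a made-up length-prefixed message parser with the kind of missing bounds check that produces a heap overflow, the hardened version beside it, and the simplest possible fuzzing pass (sweeping the attacker-controlled length field) that finds the point at which the overflow starts clobbering a neighbouring field. The message layout, the `struct chunk` object and the `next_handler_id` field are all hypothetical; a real modem heap would have other objects and allocator metadata past the buffer, which is what an actual exploit targets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout, constructed for this example; it is NOT the
 * MSM/QMI wire format: [type:1][payload_len:1][payload: payload_len bytes]. */
#define PAYLOAD_MAX 16

/* A heap object as a modem handler might hold it: a fixed-size payload buffer
 * followed in memory by data the firmware trusts (here a handler id). Writing
 * past `payload` corrupts `next_handler_id`; in a real heap the neighbour
 * would be another object or allocator metadata. */
struct chunk {
    uint8_t  payload[PAYLOAD_MAX];
    uint32_t next_handler_id;
};

#define SENTINEL 0x00001234u

/* Copy `len` bytes without any bounds check on the destination. A plain
 * pointer is used so the overrun is visible at runtime rather than being
 * caught by compiler instrumentation of the array expression. */
static void copy_unchecked(uint8_t *dst, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
}

/* Vulnerable handler: trusts the attacker-controlled length field. It only
 * checks that the *read* stays inside the message; the *write* may run past
 * `payload`. */
int parse_vulnerable(struct chunk *c, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2 || msg_len < 2 + (size_t)msg[1])
        return -1;                              /* truncated message */
    copy_unchecked(c->payload, msg + 2, msg[1]); /* no check against PAYLOAD_MAX */
    return 0;
}

/* Hardened handler: the same logic with the missing bound added. */
int parse_hardened(struct chunk *c, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2 || msg_len < 2 + (size_t)msg[1])
        return -1;
    if (msg[1] > PAYLOAD_MAX)
        return -1;                              /* reject oversized payload */
    copy_unchecked(c->payload, msg + 2, msg[1]);
    return 0;
}

/* Build a constructed message whose payload is `payload_len` bytes of 0x41,
 * feed it to the chosen parser, and report what the neighbouring field holds
 * afterwards. An unchanged SENTINEL means the neighbour survived. */
uint32_t run_message(int hardened, uint8_t payload_len)
{
    uint8_t msg[2 + 255];
    struct chunk c;

    memset(&c, 0, sizeof c);
    c.next_handler_id = SENTINEL;
    msg[0] = 0x01;                 /* message type, irrelevant here */
    msg[1] = payload_len;          /* attacker-controlled length field */
    memset(msg + 2, 0x41, payload_len);

    if (hardened)
        parse_hardened(&c, msg, 2 + (size_t)payload_len);
    else
        parse_vulnerable(&c, msg, 2 + (size_t)payload_len);
    return c.next_handler_id;
}

/* The simplest fuzzing pass: sweep every value of the length field and return
 * the first one at which the vulnerable parser corrupts the neighbour
 * (0 if none does). */
int first_corrupting_length(void)
{
    for (int len = 0; len <= 255; len++)
        if (run_message(0, (uint8_t)len) != SENTINEL)
            return len;
    return 0;
}

int main(void)
{
    printf("vulnerable, len=20: next_handler_id=0x%08x\n", run_message(0, 20));
    printf("hardened,   len=20: next_handler_id=0x%08x\n", run_message(1, 20));
    printf("first corrupting length: %d\n", first_corrupting_length());
    return 0;
}
```

With a 20-byte payload the vulnerable path leaves `next_handler_id` as 0x41414141 (fully attacker-controlled), while the hardened path rejects the message and the field keeps its sentinel. The sweep reports 17, the first length that exceeds the 16-byte buffer; a real fuzzer mutates far more than one field, but the principle is the same: the length the parser should distrust is exactly the one the attacker gets to choose.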
“We believe this research is a potential leap into the very popular area of mobile chip research,” wrote Check Point researchers. “We hope our results will pave the way for much easier verification of modem code by security researchers, a task that is notoriously difficult to do today.”
Post updated to add comment from Qualcomm.