Check Point researchers discovered a security vulnerability in Qualcomm’s Mobile Station Modem (MSM) chips affecting nearly 40% of smartphones in the market. The security flaw affects even the newest flagship phones using Qualcomm chips, including those manufactured by Google, Samsung, LG, Xiaomi, and OnePlus. If exploited, the bug could allow hackers to inject malicious code and access text and audio conversations on Android phones.
Check Point discovered the vulnerability months after disclosing about 400 vulnerabilities affecting Qualcomm’s Snapdragon digital signal processor (DSP) in August 2020.
Security vulnerability in Qualcomm chips allows attackers to unlock SIM on Android phones
Check Point’s research found that the security vulnerability CVE-2020-11292 could allow hackers to exploit Qualcomm chips to access text messages and eavesdrop on conversations.
Threat actors could also exploit the vulnerability to unlock the subscriber identification module (SIM) and authenticate on the affected devices.
Vulnerable Qualcomm chips could also allow hackers to use the Android OS as the initial entry point to inject malicious code. This makes Android phones highly vulnerable to the MSM security flaw compared to other smartphones.
Additionally, they could use vulnerable Qualcomm chips to conceal malicious code and avoid detection by any mobile security solutions.
The cybersecurity firm notified Qualcomm of the security vulnerability in October 2020. The chipmaker validated the results and issued patches two months later in December 2020. Check Point also published the technical details of the vulnerability in a blog post dated May 26, 2021.
Qualcomm vulnerability affects even the latest 5G smartphones
Device manufacturers use Qualcomm chips to provide network connectivity for 2G/3G/4G/5G mobile devices. Android phones communicate with MSM Qualcomm chips through the Qualcomm MSM Interface (QMI).
QMI offers various services such as Wireless data service (WDS) and Device management service. OEMs can add services to QMI. For example, LG includes LGE resim service to handle SIM unlock requests in its T-Mobile Android phones.
Through a vulnerable MSM, malicious actors could therefore abuse these services to bypass device security features such as authentication. A threat actor could accomplish this by exploiting the heap overflow vulnerability in QMI.
Additionally, Qualcomm real-time OS (QuRT), which manages the MSM, can be debugged, dumped, and rooted on Android phones. TrustZone is the only bulwark against potential exploitation of the QuRT on Android phones.
However, successful exploits have been carried out against the Qualcomm Trusted Execution Environment (QTEE), according to Check Point security researchers.
“In our research, we fuzzed MSM data services so we could find a way to patch QuRT on modern SoCs directly from Android,” the report authors wrote.
Qualcomm fixed another security vulnerability in 2020, affecting the Snapdragon digital signal processor. The flaw could have allowed attackers to collect real-time microphone data, call recordings, photos, videos, and GPS and location data.
The chipmaker advised users to avoid downloading Android applications from third-party sources to avoid successful exploitation of vulnerable Qualcomm chips.
“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”
Check Point security researcher Slava Makkaveev noted that the DSP processes personal information and was accessible for invocation from third-party applications. This permission exposed the component to potential exploitation by malicious actors who are interested in accessing personal information.
The research on Snapdragon DSP noted that attackers could exploit Qualcomm chips through Qualcomm’s Hexagon SDK. They could write instructions to crash, modify or execute malicious code through the skeleton libraries gluing Android phones to Qualcomm chips.
Need to ensure security of third-party components
“This newest security issue with Qualcomm highlights the importance of thorough security vetting pre and post-deployment,” says Shachar Menashe, VP Security at Vdoo. “In this case, it seems we are dealing with a privilege escalation vulnerability, which means it lets potential attackers run code on the Qualcomm modem if you already have high privileges on the Android application layer.”
Menashe says that his company Vdoo found a similar security vulnerability in the QCMAP component of the QMI. He noted that the QMI should be investigated further for potentially more vulnerabilities.
“Automated analysis can help identify zero-day vulnerabilities and configuration risks, even in closed-source components,” Menashe added. “Manufacturers need to trust that their third-party components are secure, especially when these systems are used in nearly 40% of the mobile phones sold today.”