How Patched Android Chip Flaw Could Have Enabled Spying
Check Point Report Describes Flaw's Technical Details
A severe vulnerability in the modem subsystem of certain Qualcomm chips, which has since been patched, could have enabled attackers to remotely control Android smartphones, access users' text messages and call histories and listen in on conversations, according to a new report from researchers at security company Check Point Software Technologies.
A spokesperson from Qualcomm tells Information Security Media Group that it provided a patch to device manufacturers in December 2020 (see: Snapdragon Chip Flaws Could Facilitate Mass Android Spying).
"We have no evidence the vulnerability is being exploited," the spokesperson says. "For this vulnerability to even begin to work, a device would need to be severely compromised to start with, which would be a bigger problem."
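Because Qualcomm delivered the fix to device manufacturers rather than to end users, the practical question for anyone holding a Qualcomm-based handset is whether their OEM's build has picked it up. The script below is an added example, not code from the article, Check Point or Qualcomm: it reads the SoC and patch-level properties from a USB-attached device with adb and compares the patch level with a threshold. The threshold date (2021-05-01) and the property names used to detect a Qualcomm SoC are assumptions for illustration; take the real date from your OEM's bulletin for CVE-2020-11292.

```python
"""Check whether an attached Android handset has a Qualcomm SoC and a security
patch level at or after the level assumed to carry the CVE-2020-11292 fix."""
import subprocess
from datetime import date

# Assumption for illustration: the patch level at which the OEM shipped the fix.
# Qualcomm gave OEMs the patch in December 2020, but rollout dates vary by
# vendor, so take this date from your OEM's own bulletin for the CVE.
ASSUMED_FIX_LEVEL = "2021-05-01"

# Properties read from the device (ro.soc.manufacturer exists on Android 11+;
# older Qualcomm builds usually expose "qcom" in ro.hardware).
PROPS = ("ro.soc.manufacturer", "ro.hardware", "ro.build.version.security_patch")


def is_qualcomm_soc(props: dict) -> bool:
    """Heuristic SoC check on the two properties named above (assumed, not exhaustive)."""
    mfr = props.get("ro.soc.manufacturer", "").lower()
    hw = props.get("ro.hardware", "").lower()
    return mfr.startswith("qualcomm") or hw.startswith("qcom")


def patch_level_at_least(level: str, threshold: str) -> bool:
    """Compare two YYYY-MM-DD Android patch levels; malformed input counts as unpatched."""
    try:
        return date.fromisoformat(level) >= date.fromisoformat(threshold)
    except ValueError:
        return False


def assess(props: dict, threshold: str = ASSUMED_FIX_LEVEL) -> str:
    """Return 'not-qualcomm', 'patched' or 'unpatched:<level>' for a property map."""
    if not is_qualcomm_soc(props):
        return "not-qualcomm"
    level = props.get("ro.build.version.security_patch", "")
    if patch_level_at_least(level, threshold):
        return "patched"
    return f"unpatched:{level or 'unknown'}"


def read_props_via_adb(serial: str = None) -> dict:
    """Pull the properties from a USB-attached device (needs adb on PATH and USB debugging on)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    return {
        p: subprocess.run(base + [p], capture_output=True, text=True, check=True).stdout.strip()
        for p in PROPS
    }


if __name__ == "__main__":
    print(assess(read_props_via_adb()))
```

A "patched" verdict only means the build's declared patch level is on or after the assumed date; it does not prove the OEM merged this particular Qualcomm fix, which is why the date has to come from the vendor's bulletin rather than from this script.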
Commenting on the newly released report, Slava Makkaveev, security researcher at Check Point, says: "We decided not to publish the full technical details until the mobile vendors affected found a comprehensive solution to mitigate the possible risks described. Check Point worked with relevant government officials and mobile vendors to assist them in making handsets safer."
Analyzing the Flaw
Check Point found a critical vulnerability tracked as CVE-2020-11292 in Qualcomm's latest 5G-capable Mobile Station Modem, or MSM, systems on a chip.
If exploited, the vulnerability could have let attackers use the Android OS as an entry point to inject malicious, hard-to-detect code into the modem, granting them access to SMS messages and the audio of phone conversations, Check Point says.
Qualcomm manufactures chips that are used in more than 40% of smartphones, including devices shipped by Samsung, Google, LG, OnePlus, Xiaomi and others, according to Check Point.
Qualcomm MSM is an ongoing series of 2G/3G/4G/5G-capable systems on a chip.
"MSM has been a popular target for security research because hackers want to find a way to attack a mobile device remotely just by sending it an SMS or crafted radio packet," according to the Check Point report. "But 3rd Generation Partnership Project protocols are not the only entry point into the modem. Android also has an ability to communicate with the modem processor through the Qualcomm MSM Interface."
QMI is a proprietary protocol that enables communication between the software components in the MSM system and peripheral subsystems on the device, such as cameras and fingerprint scanners.
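QMI messages cross the application-processor/modem boundary in a framing called QMUX, whose public structure (documented by the open-source libqmi project and the Linux qmi_wwan driver) is a short header followed by type-length-value fields. The block below is an added example, not code from the article or from Check Point, showing that framing as a parser and builder, with the length checks a receiving service must perform on every TLV before trusting it. The sample message it builds is constructed for the demo: the message ID and TLV types are placeholders, not a real WMS command, and the mapping of service and flag bytes follows libqmi's conventions as I understand them.

```python
"""QMI message framing: parser and builder for QMUX-framed QMI messages, with
the length checks a receiving service must apply to each TLV."""
import struct

QMUX_IF_TYPE = 0x01                   # every QMUX frame starts with this byte
QMUX_HDR = struct.Struct("<BHBBB")    # I/F type, length, control flags, service, client id
SDU_HDR_CTL = struct.Struct("<BBHH")  # msg flags, 1-byte txn id, msg id, msg length (CTL service)
SDU_HDR_SVC = struct.Struct("<BHHH")  # msg flags, 2-byte txn id, msg id, msg length (other services)
TLV_HDR = struct.Struct("<BH")        # TLV type, TLV length (little endian)

# Service byte -> name for a few well-known services; others are reported numerically.
SERVICE_NAMES = {0x00: "CTL", 0x01: "WDS", 0x02: "DMS", 0x03: "NAS", 0x05: "WMS"}


class QmiParseError(ValueError):
    """Malformed framing, or a TLV whose length field overruns the buffer."""


def parse_tlvs(payload: bytes) -> dict:
    """Walk the TLV list, refusing any TLV whose declared length exceeds what remains.
    A service that copies tlv_len bytes without this check is trusting the sender's
    length field, which is the classic way a modem-side memory corruption begins."""
    tlvs = {}
    off = 0
    while off < len(payload):
        if len(payload) - off < TLV_HDR.size:
            raise QmiParseError(f"truncated TLV header at offset {off}")
        tlv_type, tlv_len = TLV_HDR.unpack_from(payload, off)
        off += TLV_HDR.size
        if tlv_len > len(payload) - off:
            raise QmiParseError(
                f"TLV 0x{tlv_type:02x} declares {tlv_len} bytes, only {len(payload) - off} remain")
        if tlv_type in tlvs:
            raise QmiParseError(f"duplicate TLV 0x{tlv_type:02x}")
        tlvs[tlv_type] = payload[off:off + tlv_len]
        off += tlv_len
    return tlvs


def parse_qmux(frame: bytes) -> dict:
    """Parse one QMUX frame into header fields and TLVs, checking every length field."""
    if len(frame) < QMUX_HDR.size:
        raise QmiParseError("frame shorter than QMUX header")
    if_type, qmux_len, ctrl_flags, service, client_id = QMUX_HDR.unpack_from(frame, 0)
    if if_type != QMUX_IF_TYPE:
        raise QmiParseError(f"bad I/F type 0x{if_type:02x}")
    if qmux_len != len(frame) - 1:  # the length field covers everything after the I/F byte
        raise QmiParseError(f"QMUX length {qmux_len} != {len(frame) - 1}")
    sdu = frame[QMUX_HDR.size:]
    hdr = SDU_HDR_CTL if service == 0x00 else SDU_HDR_SVC
    if len(sdu) < hdr.size:
        raise QmiParseError("SDU shorter than message header")
    msg_flags, txn_id, msg_id, msg_len = hdr.unpack_from(sdu, 0)
    body = sdu[hdr.size:]
    if msg_len != len(body):
        raise QmiParseError(f"message length {msg_len} != {len(body)}")
    return {
        "from_modem": bool(ctrl_flags & 0x80),  # 0x80: sent by the service; 0x00: by the control point
        "service": SERVICE_NAMES.get(service, f"0x{service:02x}"),
        "client_id": client_id,
        "is_response": bool(msg_flags & 0x02),
        "is_indication": bool(msg_flags & 0x04),
        "txn_id": txn_id,
        "msg_id": msg_id,
        "tlvs": parse_tlvs(body),
    }


def build_qmux(service: int, client_id: int, txn_id: int, msg_id: int, tlvs: dict,
               from_modem: bool = False, msg_flags: int = 0) -> bytes:
    """Inverse of parse_qmux: frame a message so that every length field is consistent."""
    body = b"".join(TLV_HDR.pack(t, len(v)) + v for t, v in tlvs.items())
    hdr = SDU_HDR_CTL if service == 0x00 else SDU_HDR_SVC
    sdu = hdr.pack(msg_flags, txn_id, msg_id, len(body)) + body
    qmux_len = QMUX_HDR.size - 1 + len(sdu)
    ctrl_flags = 0x80 if from_modem else 0x00
    return QMUX_HDR.pack(QMUX_IF_TYPE, qmux_len, ctrl_flags, service, client_id) + sdu


def demo() -> dict:
    """Round-trip a constructed WMS request (message id and TLV types are placeholders),
    then corrupt the last TLV's length field so it claims more bytes than the frame holds."""
    good = build_qmux(service=0x05, client_id=1, txn_id=0x1234, msg_id=0x0020,
                      tlvs={0x01: b"\x00", 0x10: b"hello"})
    parsed = parse_qmux(good)
    bad = bytearray(good)
    bad[-7] = 0x40  # low byte of the last TLV's length: 5 -> 64, a lie about its size
    try:
        parse_qmux(bytes(bad))
        overflow_rejected = False
    except QmiParseError:
        overflow_rejected = True
    return {"parsed": parsed, "overflow_rejected": overflow_rejected, "frame_len": len(good)}


if __name__ == "__main__":
    print(demo())
```

The point of the corrupted frame is that the outer QMUX and message lengths are still self-consistent; only the innermost TLV lies, so a service that validates the outer headers but copies TLV values by their declared length would still overrun. That inner check is the one a fuzzer exercises first.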
The report says QMI is present on approximately 30% of all mobile phones in the world.
Check Point's researchers set out to build a modem debugger to explore the latest 5G code and found that the easiest way in was to exploit MSM data services through QMI - the same route an attacker could take.
"During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor," the researchers note. "This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user's call history and SMS, as well as the ability to listen to the device user's conversations."
The vulnerability also could have potentially been exploited to unlock a device’s SIM, Check Point says.
Adam Brown, security solutions manager at the security firm Synopsys, says it's fortunate that researchers identified this vulnerability before cyberattackers exploited it.
"The primary goal of this research was to focus on code where most errors occur - a fuzz testing tool was used to do that," Brown says. "It shows how effective targeted fuzzing in the right hands can be and should highlight how important fuzzing is as part of a security testing process."
Shachar Menashe, vice president of security at Vdoo, which sells a platform for connected devices, says the report on the Qualcomm chip flaw highlights the importance of thorough security vetting before and after technology deployment.
"In this case, it seems we are dealing with a privilege escalation vulnerability, which means it lets potential attackers run code on the Qualcomm modem if you already have high privileges on the Android application layer," Menashe says.
"Automated analysis can help identify zero-day vulnerabilities and configuration risks, even in closed-source components," he adds. "Manufacturers need to trust that their third-party components are secure, especially when these systems are used in nearly 40% of the mobile phones sold today."