An estimated 30% of all smartphones vulnerable to new Qualcomm bug
Catalin Cimpanu May 6, 2021

Around a third of all smartphones in the world are believed to be affected by a new vulnerability in a Qualcomm modem component that can grant attackers access to the device’s call and SMS history and even audio conversations.

The vulnerability—tracked as CVE-2020-11292—resides in the Qualcomm mobile station modem (MSM), a chip that allows devices to connect to mobile networks.

First designed in the early 90s, the chip has been updated across the years to support 2G, 3G, 4G, and 5G cellular communications and has slowly become one of the world’s most ubiquitous technologies, especially with smartphone vendors.

Devices that use Qualcomm MSM chips today include high-end smartphone models sold by Google, Samsung, LG, Xiaomi, and One Plus, just to name a few.

Qualcomm bug impacts MSM QMI protocol

But in a report published today by Israeli security firm Check Point, the company said its researchers found a vulnerability in Qualcomm MSM Interface (QMI), the protocol that allows the chip to communicate with the smartphone’s operating system.

Researchers said that malformed Type-Length-Value (TLV) packets received by the MSM component via the QMI interface could trigger a memory corruption (buffer overflow) that can allow attackers to run their own code.
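The bug class described above is a TLV parser that trusts the length field of an incoming packet. The following C is an added illustration, not Check Point's or Qualcomm's code, and it uses a made-up layout (1-byte type, 2-byte little-endian length, then the value) rather than the real QMI encoding. It places the unchecked pattern beside a hardened parser that checks the declared length against both the remaining input and the destination buffer, plus a whole-message validator that rejects a malformed packet before any record is copied:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical TLV layout for this illustration only (not the real QMI encoding):
 * 1-byte type, 2-byte little-endian length, then `length` value bytes. */
#define TLV_HDR_LEN 3
#define MAX_VALUE   32

/* Parsed record with a fixed-size value buffer: the place an over-long length
 * lands if the parser does not check it. */
struct tlv_record {
    uint8_t  type;
    uint16_t len;
    uint8_t  value[MAX_VALUE];
};

enum { TLV_OK = 0, TLV_ERR_SHORT = -1, TLV_ERR_TOOBIG = -2 };

static uint16_t tlv_len(const uint8_t *hdr)
{
    return (uint16_t)(hdr[1] | (hdr[2] << 8));
}

/* Unchecked parser (the anti-pattern): copies whatever length the packet
 * declares into a 32-byte buffer. A declared length above 32 overwrites
 * adjacent memory; a declared length beyond the input reads past it. This is
 * the generic shape of the TLV overflow class the article describes.
 * Only ever call it on input that has already been validated. */
int tlv_parse_unchecked(const uint8_t *buf, struct tlv_record *out)
{
    out->type = buf[0];
    out->len  = tlv_len(buf);
    memcpy(out->value, buf + TLV_HDR_LEN, out->len);  /* no bound against MAX_VALUE or buf size */
    return TLV_HDR_LEN + out->len;
}

/* Hardened parser: every check that the unchecked version lacks.
 * Returns bytes consumed (> 0) or a negative error code. */
int tlv_parse_safe(const uint8_t *buf, size_t buf_len, struct tlv_record *out)
{
    if (buf_len < TLV_HDR_LEN)
        return TLV_ERR_SHORT;               /* header itself is truncated */
    uint16_t len = tlv_len(buf);
    if (len > buf_len - TLV_HDR_LEN)
        return TLV_ERR_SHORT;               /* declared length runs past the input */
    if (len > MAX_VALUE)
        return TLV_ERR_TOOBIG;              /* would overflow out->value */
    out->type = buf[0];
    out->len  = len;
    memcpy(out->value, buf + TLV_HDR_LEN, len);
    return TLV_HDR_LEN + len;
}

/* Walks a whole message without copying anything, so a malformed packet is
 * rejected as a unit. Returns the number of well-formed TLVs or a negative error. */
int tlv_validate_message(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    int count = 0;
    while (off < buf_len) {
        if (buf_len - off < TLV_HDR_LEN)
            return TLV_ERR_SHORT;
        uint16_t len = tlv_len(buf + off);
        if (len > buf_len - off - TLV_HDR_LEN)
            return TLV_ERR_SHORT;
        if (len > MAX_VALUE)
            return TLV_ERR_TOOBIG;
        off += TLV_HDR_LEN + len;
        count++;
    }
    return count;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {
    0x01, 0x04, 0x00, 'A', 'B', 'C', 'D',   /* type 1, len 4 */
    0x02, 0x02, 0x00, 'x', 'y'              /* type 2, len 2 */
};
static const uint8_t SAMPLE_OVERLONG[] = { 0x01, 0xFF, 0xFF, 'A', 'B' };  /* claims 65535 bytes, carries 2 */

int main(void)
{
    struct tlv_record rec;
    printf("good message: %d TLVs\n", tlv_validate_message(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("first TLV consumed %d bytes\n", tlv_parse_safe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &rec));
    printf("overlong message: %d (expect %d)\n",
           tlv_validate_message(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG), TLV_ERR_SHORT);
    return 0;
}
```

The two bounds in tlv_parse_safe are independent: the first keeps the parser from reading past the end of the packet, the second keeps the copy inside the fixed-size destination, and a parser that skips either one has the same failure mode on a crafted length field.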

Check Point researchers explain:

During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations. A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limitations imposed by service providers on it.

Check Point says that exploiting the vulnerability can’t be done by hiding the malformed TLV packets inside third-party apps running on the OS, especially on Android, where the MSM component is protected by SELinux security policies.

However, researchers say that the TLV packet can be hidden inside radio (cellular) communications or multimedia content sent to the device, which, when unpacked, can reach the vulnerable QMI interface.

Patch status unknown

Previous market surveys have found that while around 40% of all of today’s smartphones use a Qualcomm MSM chip, only around 30% have the QMI interface present and are vulnerable to attacks.

In an email this week, Check Point told The Record that they notified Qualcomm of the vulnerability last year and that the vendor released fixes for the MSM firmware to downstream phone makers.

“The mobile vendors themselves must apply the fix,” a Check Point spokesperson told The Record. “Qualcomm says it has notified all Android vendors. We do not know who did or who did not patch.”

A Qualcomm spokesperson told The Record that the company had delivered fixes to smartphone vendors last December, but it also did not know how many applied the patches.

This is not the first time that security researchers have found security issues in Qualcomm chips. In August 2020, the same company, Check Point, found more than 400 security flaws in Digital Signal Processor chipsets.

In August 2019, Chinese security firm Tencent Blade discovered QualPwn, two vulnerabilities that could allow threat actors to abuse Qualcomm chips and compromise the Android OS kernel in over-the-air attacks.

In April 2019, security researchers found a bug [PDF] that could allow attackers to retrieve private data and encryption keys that are stored in a secure area of Qualcomm chipsets known as the Qualcomm Secure Execution Environment (QSEE).

Article updated with Qualcomm comment.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.