Researchers find critical vulnerability in widely-used smartphone chips

A vulnerability affecting one of the world’s largest chipmakers has been discovered by analysts at cybersecurity firm Check Point. 

The critical vulnerability – CVE-2022-20210 – has a CVSS score of 9.4 and affects UNISOC's smartphone chipset. The company – previously known as Spreadtrum – produces budget chipsets that power 2/3/4/5G devices ranging from smartphones to smart TVs. 

Due to the low prices of their chips, the Shanghai-based company has become very popular across Africa and Asia, so much so that by the end of 2021, UNISOC was firmly in fourth place among the largest smartphone chip manufacturers in the world – after MediaTek, Qualcomm and Apple – with 11% of the global market.

Check Point said the vulnerability is in the modem firmware and affects 4G and 5G UNISOC chipsets. UNISOC did not respond to requests for comment, but Check Point said the company acknowledged the vulnerability. 

Slava Makkaveev, security researcher at Check Point, told The Record that the company was able to reverse-engineer and investigate the UNISOC modem for vulnerabilities, noting that Google is planning to patch the issue in the upcoming Android Security Bulletin. UNISOC has also issued a patch for the problem. 

“An attacker could have used a radio station to send a malformed packet that would reset the modem, depriving the user of the possibility of communication. Left unpatched, cellular communication can be blocked by an attacker,” Makkaveev said. 

“The vulnerability is in the modem firmware, not in the Android OS itself. There is nothing for Android users to do right now, though we strongly recommend applying the patch that will be released by Google in their upcoming Android Security Bulletin."

Researchers said the vulnerability was discovered while they scanned NAS message handlers, noting that it can be used to disrupt the device's radio communication through a malformed packet. 

“A hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location,” the researchers explained in a report on the issue.

The company’s report said it conducted studies using the Motorola Moto G20 with the Android January 2022 update as a test device.

In addition to providing a detailed breakdown of how CVE-2022-20210 works, the researchers said they found “several out-of-bound read issues when the NAS handler functions read data from outside the Non-Access Stratum (NAS) message.”