Posted on May 7, 2021 at 9:25 PM
Security researchers keep constant watch over software and hardware vulnerabilities, but a recent finding stands out for its reach. The modem in Qualcomm's popular MSM system-on-chips, found in phones used by millions of people, has a bug that may expose those users to serious attacks.
According to Check Point researchers, the vulnerability could let a malicious app patch the software running on Qualcomm's MSM modem chips. That would give it the ability to record conversations or read text messages and call history.
The researchers found the bug while examining how software on the Android side talks to the modem's services, including its debugger service, and showed that it can be used to circumvent the security mechanisms that are supposed to keep the modem out of reach.
Ordinary third-party apps are not granted the privileges needed to reach the Qualcomm Modem Interface (QMI). Exploitation becomes possible once an attacker has already compromised a privileged part of Android that is allowed to talk to the modem.
QMI is Qualcomm's proprietary protocol for communication between software components on the application processor and the peripheral subsystems, the modem among them. Its messages are encoded in a Type-Length-Value (TLV) format, and the researchers' payload is delivered to the modem in that form.
The researchers explained that the vulnerable handler allocates 0x5B90 bytes on the modem heap to process the packet, then copies the call list described in the payload into that buffer, using the payload's own "number of calls" field as the count.
Because the maximum number of calls is never checked, an attacker can put 0xFF in that field and make the handler write well past the end of the allocation, overwriting the modem heap.
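As an added example (not Check Point's or Qualcomm's code), the following C program models the bug class just described: a QMI-style TLV message whose call-info TLV carries a "number of calls" byte followed by fixed-size call records, a handler that copies them into a 0x5B90-byte heap buffer without checking the count, and a hardened handler beside it, fed by a small TLV walker. The 0x5B90 allocation and the 0xFF count come from the researchers' description; the TLV type 0x10, the 0x10-byte header, the 16-call cap and the 0x5B8-byte record size are assumptions chosen so that sixteen records fill the buffer exactly.

```c
/* Added example, not Check Point's or Qualcomm's code. Models the bug class
 * behind CVE-2020-11292: a QMI-style TLV (1-byte type, 2-byte LE length,
 * value) whose call list is copied into a 0x5B90-byte heap buffer using an
 * unchecked "number of calls" byte. Sizes marked "assumed" are not real. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HANDLER_BUF_SIZE 0x5B90u   /* heap allocation size from the report */
#define STATE_HDR_SIZE   0x10u     /* assumed: state kept ahead of the records */
#define MAX_CALLS        16u       /* assumed: cap the buffer was sized for */
#define CALL_REC_SIZE    ((HANDLER_BUF_SIZE - STATE_HDR_SIZE) / MAX_CALLS) /* 0x5B8 */
#define TLV_CALL_INFO    0x10u     /* assumed TLV type carrying the call list */

/* Bytes a handler writes for a given count: header plus that many records. */
size_t call_status_bytes(unsigned num_calls) {
    return STATE_HDR_SIZE + (size_t)num_calls * CALL_REC_SIZE;
}

/* Vulnerable shape: the count byte is trusted, so 0xFF makes memcpy write
 * about 373 KB into a 23 KB chunk (and read past the TLV). Kept only to show
 * the missing comparison; never call it with an untrusted count. */
size_t parse_call_status_vuln(const uint8_t *v, size_t vlen, uint8_t *heap_buf) {
    if (vlen < 1) return 0;
    unsigned num_calls = v[0];
    size_t n = (size_t)num_calls * CALL_REC_SIZE;      /* no check against MAX_CALLS */
    memset(heap_buf, 0, STATE_HDR_SIZE);
    heap_buf[0] = (uint8_t)num_calls;
    memcpy(heap_buf + STATE_HDR_SIZE, v + 1, n);       /* heap overflow when n > 0x5B80 */
    return STATE_HDR_SIZE + n;
}

/* Hardened shape: bound the count, confirm the TLV really carries that many
 * records, and confirm the result fits, all before touching the heap buffer.
 * Returns 0 on success or a negative reason code. */
int parse_call_status_fixed(const uint8_t *v, size_t vlen, uint8_t *heap_buf,
                            size_t *used) {
    if (vlen < 1) return -1;                              /* empty TLV */
    unsigned num_calls = v[0];
    if (num_calls > MAX_CALLS) return -2;                 /* the missing check */
    size_t n = (size_t)num_calls * CALL_REC_SIZE;
    if (vlen - 1 < n) return -3;                          /* truncated record list */
    if (STATE_HDR_SIZE + n > HANDLER_BUF_SIZE) return -4; /* defence in depth */
    memset(heap_buf, 0, STATE_HDR_SIZE);
    heap_buf[0] = (uint8_t)num_calls;
    memcpy(heap_buf + STATE_HDR_SIZE, v + 1, n);
    if (used) *used = STATE_HDR_SIZE + n;
    return 0;
}

/* Walk the TLVs of a message and route the call-info TLV to the hardened
 * handler. -5 = framing error (length runs past the message), -6 = absent. */
int handle_qmi_message(const uint8_t *msg, size_t len, uint8_t *heap_buf) {
    size_t off = 0;
    while (off + 3 <= len) {
        uint8_t type = msg[off];
        size_t tlen = (size_t)msg[off + 1] | ((size_t)msg[off + 2] << 8);
        if (off + 3 + tlen > len) return -5;
        if (type == TLV_CALL_INFO)
            return parse_call_status_fixed(msg + off + 3, tlen, heap_buf, NULL);
        off += 3 + tlen;
    }
    return off == len ? -6 : -5;
}

/* Constructed input: one call-info TLV claiming `count` calls but carrying
 * `present` records, pushed through the hardened path. Returns its status. */
int run_constructed(unsigned count, unsigned present) {
    size_t vlen = 1 + (size_t)present * CALL_REC_SIZE;
    if (vlen > 0xFFFF) return -98;                        /* would not fit a TLV length */
    size_t mlen = 3 + vlen;
    uint8_t *msg = malloc(mlen), *heap_buf = malloc(HANDLER_BUF_SIZE);
    if (!msg || !heap_buf) { free(msg); free(heap_buf); return -99; }
    msg[0] = TLV_CALL_INFO;
    msg[1] = (uint8_t)(vlen & 0xFF);
    msg[2] = (uint8_t)(vlen >> 8);
    memset(msg + 3, 0x41, vlen);                          /* dummy record bytes */
    msg[3] = (uint8_t)count;                              /* the "number of calls" field */
    int rc = handle_qmi_message(msg, mlen, heap_buf);
    free(msg);
    free(heap_buf);
    return rc;
}

int main(void) {
    printf("2 calls, 2 records : rc=%d\n", run_constructed(2, 2));
    printf("0xFF calls         : rc=%d; unchecked handler would write %zu of %u bytes\n",
           run_constructed(0xFF, 0), call_status_bytes(0xFF), HANDLER_BUF_SIZE);
    printf("1 call, 0 records  : rc=%d\n", run_constructed(1, 0));
    return 0;
}
```

Running it shows the hardened path accepting a two-call indication, rejecting a 0xFF count before any copy takes place, and rejecting a TLV that claims more records than it actually carries; it also prints how far an unchecked count of 0xFF would overrun the 0x5B90-byte chunk. The vulnerable function is deliberately never invoked with an untrusted count; it is there to make the missing comparison visible next to the fixed version.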
Vulnerability can allow threat actors to unlock SIM
The researchers added that the vulnerability could allow threat actors not only to read SMS messages and call records but also to unlock the SIM card.
According to Check Point, the vulnerability affects around 40% of smartphones, including devices from vendors such as Xiaomi, Samsung, OnePlus, LG, and Google.
Although the researchers described the attack method in general terms, they withheld the specific details to keep threat actors from easily reproducing it in a real attack.
Presently there is no evidence that the vulnerability has been exploited in the wild.
Qualcomm already aware of the bug
The vulnerability has been known since last year: Qualcomm was informed in October. The company acknowledged it as a high-severity flaw and notified the Android manufacturers that use its modems. Yet as of press time, several months later, a patch had still not reached end users through Android's public security updates.
Both Google and Qualcomm say they are working on a lasting fix. Qualcomm has also responded publicly to the researchers' disclosure.
“Providing technologies that support robust security and privacy is a priority for Qualcomm,” the company said.
It added that fixes for the vulnerability were made available to device makers in December last year, and it advised users to apply patches as soon as they are offered.
Qualcomm also said that many Android OEMs have already shipped security updates for the issue and that it has no evidence of the vulnerability being exploited. It stressed that the flaw is difficult to exploit, so the chance of attackers taking advantage of it is small. Even so, users should install available updates promptly to deny even sophisticated actors the opportunity.
However, CVE-2020-11292, the identifier assigned to the vulnerability, has not appeared in any Android security bulletin published since last year. Google is expected to include it in its next security bulletin in June.
Rolling out the fix takes time
It is not clear whether all affected devices have been patched. A Check Point representative pointed out that fixes for this kind of vulnerability take time to reach devices, so many may still be exposed.
To exploit the vulnerability, threat actors would first need a foothold on the device, and only then could they use the modem bug for further attacks. The researchers say that although the flaw allows full inspection of the MSM, turning it into a complete compromise of an arbitrary device would still require considerable work.