Recently, a critical chip flaw was discovered in Qualcomm’s Mobile Station Modem (MSM), a system of chips that run on nearly one third of the world’s smartphones, mostly higher-end devices. Now, a fix for the vulnerability is headed to Android devices.
The bug was discovered by researchers at Check Point Research. The MSM helps run things like SMS, voice, and high-definition recording and is primarily found on higher-end devices from LG, Samsung, Xiaomi, Google, and OnePlus. Phone manufacturers can add on to the functionality of these chips to handle tasks like SIM unlock requests.
The root of the problem is that the buffer overflow can be exploited by malicious app installations which can then plant malicious and nearly undetectable code into the device’s MSM that can potentially affect some of the device’s most vital functions.
“This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations,” stated the researchers. “A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limitations imposed by service providers on it.”
A spokesperson from Check Point Research, Ekram Ahmed, told Ars Technica that Qualcomm has released a patch and disclosed the bug to all affected customers. “From our experience, the implementation of these fixes takes time, so some of the phones may still be prone to the threat. Accordingly, we decided not to share all the technical details, as it would give hackers a roadmap on how to orchestra an exploitation.”
Likewise, Qualcomm released a statement saying “Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available.”
The chip flaw, tracked as CVE-2020-11292 was discovered using a process called fuzzing. The process exposes the chip system to unusual inputs which then help detect bugs in the firmware. While the implications of the vulnerability are frightening, they’ve also given security researchers more information and will make future security measures and detection easier.
via Ars Technica