Qualcomm chips in hundreds of millions of Android phones have a critical security flaw

nanoguy

Posts: 772   +12
Staff member
Why it matters: There are over 3 billion smartphone users around the world and almost a third of those devices use Qualcomm modems that have a large number of vulnerabilities, allowing attackers to unlock your SIM and listen in on your conversations, among other things. Given the way the vast Android ecosystem works, the fix will take a while to reach all affected devices.

If the BLURtooth vulnerability didn't look particularly worrisome, now we have a new security problem that creates a potential backdoor into a third of all mobile phones in the world, including high-end Android phones made by Samsung, LG, Google, OnePlus, and Xiaomi.

According to a report from security firm Check Point Research, it found no fewer than 400 vulnerabilities on Qualcomm's Snapdragon Digital Signal Processor (DSP) subsystem last year that were eventually patched in November 2020. More recently, however, researchers stumbled upon yet another vulnerability while taking a close look at Qualcomm's Mobile Station Modems.

The Mobile Station Modem is a system-on-a-chip that provides all the processing, device management, and wireless networking capabilities on many modern phones. The first of its kind was designed by Qualcomm in 1990, and today it is found on around 40 percent of all smartphones. Check Point researchers looked at how that can be used as a potential attack vector for malicious actors. More specifically, they looked at Android's ability to talk with the MSM's various components and peripherals through a proprietary communication protocol called the Qualcomm MSM Interface (QMI), something that is possible on 30 percent of all smartphones in the world.

The issue they found was of the heap overflow variety, and can be exploited by a malicious actor using an app installed on the phone, either sideloaded or from an alternative app store. Check Point researchers used a process known as fuzzing on the MSM data service to see if they could find a way to inject malicious code inside Qualcomm's real-time OS (QuRT), which is responsible for managing the MSM and is designed to be inaccessible even on rooted Android devices.

The QMI voice service, one of many services exposed by the MSM to the Android operating system, can be used to take over the MSM and inject code in QuRT. The attacker then gets easy access to your SMS and call history, and can start listening in on your voice conversations. Furthermore, they can unlock the SIM using the same vulnerability and bypass all security measures put in place by both Google and phone manufacturers.

The good news is that Qualcomm has disclosed the existence of the bug to all affected customers and already released a patch in December 2020. However, there is no information on which phones will receive the patch -- only the promise that the vulnerability will be included in the public June Android Security Bulletin under CVE-2020-11292.

Given how quickly most Android phone manufacturers stop issuing security patches, it's likely that some lower-end devices will remain unpatched, while flagships have a higher chance of receiving the fix in the coming months.

Either way, the vulnerability affects hundreds of millions of phones, including those equipped with the latest Qualcomm Snapdragon 5G-capable mobile platforms -- the Snapdragon 888 and Snapdragon 870.


Dimitriid

Posts: 558   +960
I think this is one of the few times I'm glad Samsung pushes their Exynos chips for almost all phones on my market. Well, unless this somehow affects those chips too, but I wouldn't think so.
 

trparky

Posts: 901   +953
And if your phone is older than two or three years, you're going to be SOL. This is the part that I was alluding to in another Android-related thread here on this site. Good luck, many of you are going to need it.
 

defaultluser

Posts: 148   +102
And if your phone is older than two or three years, you're going to be SOL. This is the part that I was alluding to in another Android-related thread here on this site. Good luck, many of you are going to need it.

As long as you don't sideload / use alternative app stores, this sounds like a nothingburger.

On Android, you can get major emulators through the Play Store.

I'm a bit miffed that my Pixel 2 won't get a fix for this, but I really don't care enough to change phones.
 

Nanochip

Posts: 27   +22
These man-made systems aren’t perfect and are unfortunately subject to vulnerabilities. Intel, AMD, now Qualcomm. Good that there is a software patch that can address this. But many phones will remain unpatched and thus vulnerable, unfortunately.
 

Mr Majestyk

Posts: 731   +623
OMG for once it pays to have an Exynos SoC for Samsung.

400 security flaws is pretty astounding in a bad way. Did they deliberately go out of their way to make their DSP vulnerable?
 

Watzupken

Posts: 205   +182
These man-made systems aren’t perfect and are unfortunately subject to vulnerabilities. Intel, AMD, now Qualcomm. Good that there is a software patch that can address this. But many phones will remain unpatched and thus vulnerable, unfortunately.
This is correct. There are no perfect chips, i.e. no vulnerability. It is just a matter of whether people really take a deep dive to investigate before they find something. And yes, the unfortunate fact is that many phones will continue to be left unpatched, especially those mid and low range phones which phone makers generally don't care about.
 

Watzupken

Posts: 205   +182
I think this is one of the few times I'm glad Samsung pushes their Exynos chips for almost all phones on my market. Well, unless this somehow affects those chips too, but I wouldn't think so.
OMG for once it pays to have an Exynos SoC for Samsung.

400 security flaws is pretty astounding in a bad way. Did they deliberately go out of their way to make their DSP vulnerable?

I think you've mistaken no news as good news here. I don't have to be some expert in this field, but I can confidently tell you that there are no chips out there that have 0 vulnerabilities. You can achieve close to 100% security if you choose not to connect online at all and not let anyone other than yourself use it.
 

duckofdeath

Posts: 375   +479
I think you've mistaken no news as good news here. I don't have to be some expert in this field, but I can confidently tell you that there are no chips out there that have 0 vulnerabilities. You can achieve close to 100% security if you choose not to connect online at all and not let anyone other than yourself use it.
Sure, but for a critical core feature such as this, it is borderline criminal to sell it year after year with a fatal flaw. Especially on mobile where they know they're not getting the monthly guaranteed updates like your PC.
 

Watzupken

Posts: 205   +182
Sure, but for a critical core feature such as this, it is borderline criminal to sell it year after year with a fatal flaw. Especially on mobile where they know they're not getting the monthly guaranteed updates like your PC.
Some of these vulnerabilities don't surface or get exposed immediately. I mentioned exposed here because I feel chip makers may know that there are potential vulnerabilities with a design, but due to the constant race to make a faster chip, they chose to make that compromise. It may take years before they get caught. If you look at Meltdown and Spectre, both of these have been around and impacting chips dating back a decade or more. That's why I said, no news does not mean good news because in your heart you know that there is no flawless chip. In fact, there is nothing man-made that is perfect.
 

Irata

Posts: 1,452   +2,339
That is precisely the thing to worry about. For them vulnerabilities are opportunities.

Unlike for the other side? I think it's safe to say that intelligence agencies worldwide appreciate them. The question is always if cybercriminals can exploit them, as well.

Huawei already makes - or better made - their own ARM chips.

 

Nobina

Posts: 3,058   +2,860
Motorola will have a fix rolling out in 2048.
But for the current year flagship phone, the rest get nothing :joy:

Seriously, with so many vulnerabilities in every piece of hardware and software I wonder how people are not getting hacked left and right... oh, because it's not done with a press of a button, you're not a "target" and you have about the same amount of chance to get hacked as you have winning the lottery.
 

Mr Majestyk

Posts: 731   +623
I think you've mistaken no news as good news here. I don't have to be some expert in this field, but I can confidently tell you that there are no chips out there that have 0 vulnerabilities. You can achieve close to 100% security if you choose not to connect online at all and not let anyone other than yourself use it.
Didn't mention anything about 0 vulnerabilities, but if you have proof all chips have such huge numbers of vulnerabilities please provide a link.
 

BadThad

Posts: 511   +495
And you have all the fools out there using their phones for banking and other secure transactions. No thanks, I'll stick to my PC for ANYTHING requiring security.
 

ziffel66

Posts: 104   +151
Seems like there's 5 of these "critical" security flaws every year, in various systems. They get reported on, then you never hear about them again.
 

Athlonite

Posts: 240   +85
And you have all the fools out there using their phones for banking and other secure transactions. No thanks, I'll stick to my PC for ANYTHING requiring security.

LOL I was just thinkin the exact same thing, no way in hell am I putting banking apps and/or credit card details on a phone