A high-risk security vulnerability (CVE-2020-11292) was recently discovered in Qualcomm's MSM mobile modem chips, including the latest generation with 5G support. An attacker who exploits it can read a phone user's text messages and call records, listen in on calls, and even unlock the SIM card remotely. More worrying still, exploitation takes place inside the modem, where conventional system security functions on the phone cannot see it.
Qualcomm MSM chips are a family of systems-on-chip (SoCs) with 2G, 3G, 4G and 5G modems, all of which are affected by this high-risk vulnerability. About 40% of the world's mobile phones currently use MSM chips, including products from Samsung, Google, LG, OnePlus, Xiaomi and many other phone vendors.
According to Check Point's researchers, "If the vulnerability is exploited, an attacker will be able to use the Android operating system itself as an entry point to inject malicious and hidden code into the phone." The vulnerability is tracked as CVE-2020-11292.
The flaw can even let an attacker unlock the mobile device's subscriber identity module (SIM), which stores the user's network authentication credentials and contact information.
Can be exploited by malware to evade detection
To exploit CVE-2020-11292 and dynamically patch the modem from the application processor, the attacker relies on a heap overflow in the Qualcomm MSM Interface (QMI), the protocol the Android side uses to talk to the modem in Qualcomm phone chips.
QMI is a proprietary protocol used for communication between software components in the modem and other peripheral subsystems.
QMI provides a variety of services, exposed through the QMI protocol stack on one or more QMI ports. Taking the SM8150 SoC in the Google Pixel 4 as an example, the modem exposes about 40 services, including:
Wireless Data Service (WDS)
Device Management Service (DMS)
Network Access Service (NAS)
Wireless Messaging Service (WMS)
Card Application Toolkit Service (CAT)
Phone Book Manager Service (PBM)
Wireless Data Administrative Service (WDA)
In addition, individual phone manufacturers can add their own services on top of the defaults Qualcomm provides. For example, LG added an LGE resim service that handles SIM card unlock requests on its T-Mobile phones.
Even more dangerous than gaining elevated privileges is that malware can use this vulnerability to hide its activity behind the modem chip's own protections, out of reach of the Android system's malware detection. The MSM is managed by the Qualcomm real-time operating system (QuRT), whose integrity is guaranteed by TrustZone, so the only way to dynamically debug the modem is through a vulnerability; even a rooted phone cannot debug the MSM.
"We finally proved that there is a dangerous vulnerability in these (Qualcomm) chips, revealing how attackers can use the Android operating system itself to unknowingly inject malicious code into mobile phones," said Yaniv Balmas, head of cyber research at Check Point.
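The bug class behind this finding is a modem-side handler that trusts a length field from a QMI message while copying into a fixed heap buffer. The following C is an added example, not Qualcomm's code and not the actual CVE-2020-11292 handler (Check Point's report covers the real one): it walks a QMI-style TLV message (1-byte type, 2-byte little-endian length, value) with every offset checked against the message size, shows a hypothetical handler that copies a TLV value into a fixed 16-byte heap buffer using the attacker-supplied length, and puts the hardened form beside it. The TLV type 0x01, the 16-byte buffer, and the sample messages are assumptions made up for the example.

```c
/*
 * Added example, not Qualcomm's code and not the CVE-2020-11292 handler:
 * a bounded QMI-style TLV walk, a hypothetical handler that trusts the TLV
 * length (the heap-overflow bug class), and the hardened form of it.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLV_HDR_LEN  3    /* QMI TLV: 1-byte type, 2-byte LE length, value */
#define NAME_BUF_LEN 16   /* assumed fixed capacity of the handler's heap buffer */

struct tlv {
    uint8_t        type;
    uint16_t       len;
    const uint8_t *val;
};

/* Walk the TLV area of a message into out[]. Returns the TLV count, or -1 if
 * a header or value runs past msg_len or more than max TLVs are present. */
static int parse_tlvs(const uint8_t *msg, size_t msg_len, struct tlv *out, int max)
{
    size_t off = 0;
    int n = 0;
    while (off < msg_len) {
        if (msg_len - off < TLV_HDR_LEN)
            return -1;                                   /* truncated header */
        uint8_t  type = msg[off];
        uint16_t len  = (uint16_t)(msg[off + 1] | (msg[off + 2] << 8));
        off += TLV_HDR_LEN;
        if (len > msg_len - off || n == max)
            return -1;                                   /* value overruns message */
        out[n].type = type;
        out[n].len  = len;
        out[n].val  = msg + off;
        n++;
        off += len;
    }
    return n;
}

/* UNSAFE: the copy length comes straight from the TLV header, so a value longer
 * than NAME_BUF_LEN writes past the heap allocation. Shown for contrast only;
 * it is never called on oversized input in this file. */
static char *handle_unsafe(const struct tlv *t)
{
    char *buf = malloc(NAME_BUF_LEN);
    if (!buf)
        return NULL;
    memcpy(buf, t->val, t->len);        /* t->len is never compared to NAME_BUF_LEN */
    buf[t->len] = '\0';
    return buf;
}

/* HARDENED: bound the copy by the destination capacity (leaving room for the
 * terminator) and fail closed on oversized input instead of truncating it. */
static char *handle_checked(const struct tlv *t)
{
    if (t->len >= NAME_BUF_LEN)
        return NULL;
    char *buf = malloc(NAME_BUF_LEN);
    if (!buf)
        return NULL;
    memcpy(buf, t->val, t->len);
    buf[t->len] = '\0';
    return buf;
}

/* Parse a message and copy TLV 0x01 (the field this hypothetical service
 * consumes) through the hardened handler. Returns 0 with a heap string in
 * *out, or -1 if the message is malformed or the field is missing/oversized. */
static int process_message(const uint8_t *msg, size_t msg_len, char **out)
{
    struct tlv tlvs[8];
    int n = parse_tlvs(msg, msg_len, tlvs, 8);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        if (tlvs[i].type == 0x01) {
            *out = handle_checked(&tlvs[i]);
            return *out ? 0 : -1;
        }
    }
    return -1;
}

/* Constructed sample messages, not captured modem traffic. */
static const uint8_t benign_msg[] = { 0x01, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static uint8_t oversized_msg[TLV_HDR_LEN + 64];

/* Build a TLV 0x01 whose 64-byte value exceeds NAME_BUF_LEN; returns its size. */
static size_t build_oversized(void)
{
    oversized_msg[0] = 0x01;
    oversized_msg[1] = 64;
    oversized_msg[2] = 0;
    memset(oversized_msg + TLV_HDR_LEN, 'A', 64);
    return sizeof oversized_msg;
}

int main(void)
{
    char *s = NULL;
    printf("benign:    %d\n", process_message(benign_msg, sizeof benign_msg, &s));
    free(s);
    printf("oversized: %d\n", process_message(oversized_msg, build_oversized(), &s));
    return 0;
}
```

The two handlers differ by a single comparison, which is the point: the parser can be entirely correct about message framing and the handler still overflows if it sizes the copy from the TLV rather than from the buffer it owns. Rejecting rather than truncating keeps the request from proceeding with a silently mangled field.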
It is reported that Check Point disclosed the vulnerability to Qualcomm in October 2020, and later Qualcomm confirmed their research, rated the security vulnerability as a high-risk vulnerability and notified the relevant suppliers.
To protect themselves against attacks that use this vulnerability or related malware, Check Point recommends that Android phone users update their devices to the latest available version as soon as possible. Note that the fix lives in the modem firmware and reaches a device through the OEM's firmware or security update rather than through an Android version upgrade, so the relevant check is the device's security patch level and whether the OEM has shipped the modem update.
In addition, security experts once again emphasized that users should install applications from the official Android application store, which can greatly reduce the risk of accidentally installing malicious applications.
Check Point’s report today provides more technical details about the CVE-2020-11292 vulnerability. (The link to the report is at the end of the article)
Nearly 30% of Android users may have nowhere to turn
After receiving Check Point's report, Qualcomm developed a security update for CVE-2020-11292 and provided it to all affected vendors two months later, in December 2020.
A Qualcomm spokesperson said: “Technology that provides strong security and privacy is Qualcomm’s priority. We commend Check Point’s security researchers for adopting industry-standard coordinated disclosure practices.”
"Qualcomm Technologies provided a fix to OEMs in December 2020, and we encourage end users to update their devices as the patch becomes available."
Since Qualcomm delivered the CVE-2020-11292 patch to OEMs last year, users of newer Android phones that still receive regular system and security updates should already be protected, provided their OEM has actually shipped the update.
Unfortunately, the large number of users still on older Android releases, which in many cases no longer receive updates, may not be so lucky.
According to data from StatCounter, as a whole, 19% of Android devices are still running Android Pie 9.0 (released in August 2018), and more than 9% of users are still using Android 8.1 Oreo (released in December 2017) .
It is worth noting that Qualcomm chips have repeatedly been found to carry high-risk vulnerabilities in recent years.
Last year, Qualcomm patched vulnerabilities in the Snapdragon processor's digital signal processor (DSP) that allowed attackers to take control of smartphones without any user interaction (zero-click), spy on phone users, and plant malware that was very hard to detect.
In July 2020, Qualcomm also fixed its variant of the Kr00k vulnerability, which can be used to decrypt some WPA2-encrypted wireless network packets.
In 2019, Qualcomm repaired two vulnerabilities in the Snapdragon SoC WLAN firmware that could lead to unauthorized access to critical data; attackers could chain them to compromise the modem and the Android kernel over the air.