Qualcomm Modem Chip Flaw: Millions of Android Phone Users May Have to Pay the Price for Unchecked Development


Check Point researchers in October 2020 found a major flaw in Qualcomm chipsets for Android smartphones that can allow attackers to access device data. Almost seven months on, a patch for the vulnerability may still not be available for millions of users. Here is possibly why.

Researchers at Check Point Security have discovered a high-impact vulnerability in the Qualcomm Mobile Station Modem (MSM) chips used in nearly a billion Android smartphones. Tracked as CVE-2020-11292, the vulnerability was discovered in October 2020 and was reported to Qualcomm immediately.

The CVE-2020-11292 vulnerability makes it possible for attackers to inject malicious code and access personal information stored on vulnerable devices. The flaw is present on approximately 30% of all mobile devices, including the latest 5G smartphones from Samsung, OnePlus, Google, Xiaomi and others.

Check Point researchers found that the flaw allowed them to peek into the MSM SoC, a component that is generally off limits to everyone. The company clarified that its purpose was purely research-oriented, namely to identify attack vectors, and not malicious.


Why is the Qualcomm Mobile Station Modem Off Limits?

Qualcomm MSM was designed in the 1990s to let mobile phones (and now smartphones) running any operating system (now Android) connect to cellular networks. The chip's processor, running the embedded MSM software, also handles communication for various operational elements of multiple hardware components and peripheral subsystems on the device.

MSM is accessible only via the Qualcomm MSM Interface (QMI), a proprietary communication protocol, while the overall interaction between the SoC and the Android OS is managed by the Qualcomm real-time OS. "MSM is managed by the Qualcomm real-time OS (QuRT) that cannot be debugged or dumped even on rooted Android devices. QuRT's integrity is ensured by the TrustZone," explained Check Point.

Qualcomm MSM is a gateway to delivering several services that are central to the functioning of a smartphone. These include the wireless data service, device management service, network access service, wireless message service, authentication service, voice service, phone book manager service, wireless data administrative service, and others.

So if an attacker manages to compromise the MSM on an Android device, they would gain control of the underlying SoC and of some, or perhaps all, of the service processing capabilities listed above. This is why it is crucial that the MSM remains inaccessible.

CVE-2020-11292 and Its Impact

Check Point discovered the vulnerability using an automated software testing technique called fuzzing. Fuzzing is a rigorous testing methodology in which malformed or semi-malformed data is fed to the interface under test. In practice this means large volumes of randomized or deliberately corrupted input that can cause the target to malfunction or crash, revealing underlying bugs such as missing bounds checks.

CVE-2020-11292 is a heap overflow vulnerability that exposes the MSM to Android via a QMI voice service API. By exploiting CVE-2020-11292, threat actors can do exactly the opposite of what Qualcomm intended with the MSM, which is to keep them out.
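To make the two preceding paragraphs concrete, here is an added illustration (not Check Point's or Qualcomm's code, and not the real QMI wire format or the actual bug) of the bug class the article describes and of how fuzzing surfaces it. It uses a constructed type-length-value layout loosely modelled on the TLV framing QMI messages use: a parser that validates every length field against the bytes that remain, a copy routine that refuses values larger than its destination (the check whose absence is the classic heap overflow), and a minimal mutation fuzzer that flips bytes of a constructed sample message and confirms the parser handles every mutated input without touching memory outside the buffer. All sample messages and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed TLV layout used for this illustration (not the real QMI wire format):
 * type (1 byte), length (2 bytes, little-endian), then `length` bytes of value. */
typedef struct {
    uint8_t type;
    uint16_t len;
    const uint8_t *value;
} tlv_t;

/* Walk a buffer of TLVs into out[] (at most max_out entries).
 * Returns the number of TLVs parsed, or -1 if the input is malformed.
 * The check against `buflen - off` is the one whose absence lets an attacker-chosen
 * length drive a read or copy past the end of a heap buffer. */
int parse_tlvs(const uint8_t *buf, size_t buflen, tlv_t *out, size_t max_out) {
    size_t off = 0;
    int n = 0;
    while (off < buflen) {
        if (buflen - off < 3)     return -1;  /* truncated header */
        uint8_t type = buf[off];
        uint16_t len = (uint16_t)(buf[off + 1] | ((uint16_t)buf[off + 2] << 8));
        off += 3;
        if (len > buflen - off)   return -1;  /* claimed length exceeds what remains */
        if ((size_t)n == max_out) return -1;  /* caller's table is full */
        out[n].type = type;
        out[n].len = len;
        out[n].value = buf + off;
        n++;
        off += len;
    }
    return n;
}

/* Copy one TLV value into a fixed-size destination, refusing anything that does not fit.
 * Returns bytes copied, or -1. A memcpy that trusts t->len unconditionally is the overflow. */
int copy_tlv_value(const tlv_t *t, uint8_t *dst, size_t dstlen) {
    if (t->len > dstlen) return -1;
    memcpy(dst, t->value, t->len);
    return (int)t->len;
}

/* Small deterministic PRNG so fuzz runs are reproducible. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Minimal mutation fuzzer: flip a few random bytes of a seed message and hand the result
 * to the parser. Returns how many mutated inputs the parser rejected. The point is that
 * every input, accepted or rejected, is handled without touching memory outside `buf`. */
unsigned fuzz_rounds(const uint8_t *seed, size_t seedlen, unsigned rounds, uint32_t rng_seed) {
    uint8_t *buf = malloc(seedlen);
    tlv_t tlvs[8];
    unsigned rejected = 0;
    uint32_t s = rng_seed ? rng_seed : 1;
    if (!buf) return 0;
    for (unsigned r = 0; r < rounds; r++) {
        memcpy(buf, seed, seedlen);
        unsigned flips = 1 + xorshift32(&s) % 4;
        for (unsigned i = 0; i < flips; i++)
            buf[xorshift32(&s) % seedlen] ^= (uint8_t)(xorshift32(&s) & 0xffu);
        if (parse_tlvs(buf, seedlen, tlvs, 8) < 0) rejected++;
    }
    free(buf);
    return rejected;
}

/* Constructed sample messages (illustrative values, not captured traffic). */
static const uint8_t SAMPLE_MSG[] = { 0x01, 0x03, 0x00, 'a', 'b', 'c',  /* type 1, len 3 */
                                      0x10, 0x00, 0x00 };               /* type 16, len 0 */
static const uint8_t OVERSIZED_MSG[] = { 0x01, 0xff, 0x00, 'a' };       /* claims 255 bytes, has 1 */

int demo_parse_sample(void)    { tlv_t t[8]; return parse_tlvs(SAMPLE_MSG, sizeof SAMPLE_MSG, t, 8); }
int demo_parse_oversized(void) { tlv_t t[8]; return parse_tlvs(OVERSIZED_MSG, sizeof OVERSIZED_MSG, t, 8); }
int demo_copy_too_small(void)  { tlv_t t[8]; uint8_t dst[2];
                                 parse_tlvs(SAMPLE_MSG, sizeof SAMPLE_MSG, t, 8);
                                 return copy_tlv_value(&t[0], dst, sizeof dst); }
unsigned demo_fuzz(void)       { return fuzz_rounds(SAMPLE_MSG, sizeof SAMPLE_MSG, 1000, 7); }

int main(void) {
    printf("sample parsed: %d TLVs\n", demo_parse_sample());            /* 2 */
    printf("oversized length rejected: %d\n", demo_parse_oversized());  /* -1 */
    printf("copy into 2-byte buffer: %d\n", demo_copy_too_small());     /* -1 */
    printf("rejected %u of 1000 mutated inputs\n", demo_fuzz());
    return 0;
}
```

The hardened parser treats every length field as untrusted and compares it with the bytes actually present before using it; the fuzzer exists to exercise exactly those comparisons with inputs a human would not think to write. Running the same mutation loop against a parser that skipped the `len > buflen - off` check is how a crash (and, in a real firmware, a heap overflow) would show up.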

As a result, an attacker could read users' text messages, browse the call history, eavesdrop on users' conversations, insert malicious code, and unlock the subscriber identification module (SIM) card. The SIM is issued by network operators and stores contact information and network authentication credentials securely on the device.

However, the most disconcerting aspect of the weakness is that an attacker could hide their malicious activity inside the MSM, out of sight of the device's operating system, effectively rendering manufacturer-level Android protections irrelevant.

A CVSS score for the security flaw is unavailable at the moment. Going by the opportunities it presents to attackers (and, curiously enough, to researchers alike), it is evident that all relevant stakeholders, such as smartphone and mobile device manufacturers, need to take charge of patching it.

Technical details of CVE-2020-11292 are available in the blog post by Check Point.


The Solution: How Real

Considering that Qualcomm MSM systems on chip (SoCs) are used in devices from the biggest smartphone vendors in the world, and that they support 2G, 3G and 4G as well as 5G networks, the attack surface is significant. This is why the researchers' advice to users is to update to the latest Android version their device supports, and to install applications only from Google's official app store, the Play Store.

Additionally, a patch by Qualcomm for CVE-2020-11292 has been available since December 2020 and is being rolled out to users by their respective OS vendors. So if your smartphone is still relatively new and received an update in the past few months, or is slated to receive updates in the coming months, you should be fine.

Others, however, may not be so lucky, since a great many devices run unsupported Android versions. Of the ~3.8 billion smartphones in the world, approximately one third run on Qualcomm chips. And of these ~1 billion, just over 20% still run Android versions with no update support.

Of the devices that do receive updates, 35.8% run Android 10, 19.3% run 9.0 (Pie), 14.9% run 8.0-8.1 (Oreo), and 9.2% run Android 11.

The problem here is that even the supported devices come from different vendors, each with its own OS customizations and multiple device models, all on different update schedules. So an update for Samsung's Galaxy Z Fold 2 may arrive at a different time than the one for the Galaxy A52 5G, or for devices from other companies. Even though the May 2021 security patch has been released, it is not clear whether it addresses the cited vulnerability.

Closing Thoughts

The absence of clear timelines, and the number of steps an update must pass through before it reaches a device, are indicative of a vast and fragmented Android ecosystem.

The Android Open Source Project has certainly helped propel the OS to the top, with 83.8% of the total smartphone market share. However, it has inadvertently caused certain irregularities when it comes to pressing matters such as the delivery of something as urgent as a security update.
