Cybersecurity researchers have disclosed a new security vulnerability in Qualcomm’s Mobile Station Modems (MSM) that could potentially allow an attacker to leverage the underlying Android operating system to slip malicious code into mobile phones, undetected.
“If exploited, the vulnerability would have allowed an attacker to use the Android OS itself as an entry point to inject destructive and invisible code into telephones, granting them access to SMS messages and audio of phone conversations,” researchers from Israeli security firm Check Point said in an analysis published today.
The heap overflow vulnerability, tracked as CVE-2020-11292, could be exploited by a malicious app to conceal its activities “beneath” the OS in the modem chip itself, thus making it invisible to the operating system and the security protections built into it.
Designed since the 1990s, Qualcomm MSM chips allow mobile phones to connect to cellular networks and allow Android to talk to the chip’s processor via the Qualcomm MSM Interface (QMI), a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device, such as cameras and fingerprint scanners.
While 40% of all smartphones today, including those from Google, Samsung, LG, Xiaomi, and OnePlus, use a Qualcomm MSM chip, an estimated 30% of the devices come with QMI in them, according to research from Counterpoint.
“An attacker could have used this vulnerability to inject malicious code into the modem from Android, providing them access to the device user’s call history and SMS, as well as the capability to listen to the device user’s conversations,” the researchers said. “A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limits imposed by service providers on it.”
Check Point said it notified Qualcomm of the issue on Oct. 8, 2020, following which the chipmaker notified relevant mobile vendors. However, neither Qualcomm’s May 2021 Security Bulletin, which was published on May 5, nor Google’s monthly Android Security Bulletin mentions the vulnerability.
“Offering technologies that support robust security and privacy is a priority for Qualcomm,” the company told The Hacker News via email. “Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available.” The company also said it intends to include CVE-2020-11292 in the public Android bulletin for June.
This is not the first time critical flaws have been found in Qualcomm chips. In August 2020, Check Point researchers disclosed more than 400 security issues, collectively known as “Achilles,” in its digital signal processing chip, enabling an adversary to turn the phone into a “great spying tool, without any user interaction needed.”
“Cellular modem chips are usually regarded as the crown jewels for cyber attackers, especially the chips manufactured by Qualcomm,” said Yaniv Balmas, head of cyber research at Check Point. “An attack on Qualcomm modem chips has the potential to negatively affect hundreds of millions of mobile phones across the world.”