Check Point researchers shed new light this week on a vulnerability in a cellular chip embedded in 40% of the world’s smartphones. The flaw allows attackers to inject malware and snoop on text and voice conversations.
Back in August 2020, the company unveiled research around 400 different vulnerable pieces of code in Qualcomm’s Snapdragon suite of chip and semiconductor products for mobile devices. In partnership with Qualcomm, Check Point delayed the release of technical details for some of them until mobile vendors could develop a patch.
One of those vulnerabilities, discovered by security researcher Slava Makkaveev, allowed certain applications to exploit mobile station modems (MSM), a series of systems on chips embedded in many Android phones used to support 4G LTE, high-definition recording, and other features.
One of the ways the Android operating system communicates with the chip processor is through a custom, proprietary interface tool developed by Qualcomm. While investigating this interface, the researchers found a vulnerability that could be exploited to inject malicious code into the modem, take it over and even patch it from the application processor. It also allows an attacker to access the call history, view text messages and listen in on phone calls.
This interface “is present on approximately 30% of all mobile phones in the world but little is known about its role as a possible attack vector,” wrote Makkaveev. “If a researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through [Qualcomm’s interface].”
Every system or process that runs on Android has its own level of privilege, and most third-party apps are not able to access the modem. However, certain media files, document management systems like GRM and radio apps can, and if an attacker could find an initial vulnerability in one of those systems, exploiting the MSM would be the second step.
“We estimate exploitation of this is possible and [at] a medium difficulty, so an experienced hacker or researcher would take about two weeks to exploit it,” said Yaniv Balmas, head of cyber research. “If you take into account how many applications that are available to people, statistically there surely might be an application, even a very big or popular application, that might include some vulnerability that will allow you this initial access.”
If a malicious application with access to the modem were found and exploited, the injected code could hide within the modem chip itself, where it could be used to access phone calls and text messages or disable SIM protections.
In a statement, a Qualcomm spokesperson noted that Qualcomm had patches for the bug ready in December 2020 and said they were not aware of any attempts to exploit the vulnerability in the wild:
“Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available.”
The chips are used in phones made by Google, Samsung, LG, Xiaomi and OnePlus. One of the difficulties involved in reporting the bug was identifying and working with chip component manufacturers and mobile vendors up and down the supply chain. Balmas said Check Point tried to contact and work with as many as possible to develop patches for different phones; that's one of the reasons they're only releasing the technical details behind the vulnerability now.
“These modem chips, they are the crown jewel of mobile exploitation specifically because if you attack them from the carrier side, you can very easily or relatively easily reach conditions of zero click attacks,” said Balmas. “I just call you or send you an SMS, you don’t actually have to do anything and I have full control of your phone. That’s a nightmare for consumers.”
A technical write-up of the vulnerability can be found here.