A vulnerability found in chips manufactured by Qualcomm Inc. that are used in 40% of the world’s smartphones can allow an attacker to inject malicious code.
Discovered and publicized today by security researchers at Check Point Software Technologies Ltd., the vulnerability is found in Qualcomm’s mobile station modem (MSM), the chip responsible for cellular communication. MSM is designed for high-end phones and supports advanced features such as 4G LTE and high-definition recording.
The vulnerability was discovered when a security researcher set out to implement a modem debugger to explore the latest 5G code. During the investigation, the researcher found that a vulnerability in the modem data service can be used to control the modem and dynamically patch it from the application processor.
With this ability, attackers could inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS as well as the ability to listen to the device user’s conversations. An attacker could also unlock the device’s SIM, overcoming any limitations imposed by service providers.
The MSM can be found in higher-end devices made by Google LLC, Samsung Electronics Co. Ltd., LG Inc., Xiaomi Inc. and OnePlus Technology Co. Ltd. The vulnerability was discovered in 2020 and Check Point informed Qualcomm at the time.
Qualcomm said that it had already made fixes available to original equipment manufacturers in December, though the current status of the rollout by smartphone makers is unknown. The patch may have been rolled out to recent smartphones, but companies often stop providing support updates for devices after a certain number of years. That means older devices will not receive a security update and hence remain vulnerable.
“This newest security issue with Qualcomm highlights the importance of thorough security vetting pre and post-deployment,” Shachar Menashe, vice president security at product security company Vdoo Connected Trust Ltd., told SiliconANGLE. “In this case, it seems we are dealing with a privilege escalation vulnerability, which means it lets potential attackers run code on the Qualcomm modem if you already have high privileges on the Android application layer.”
“Automated analysis can help identify zero-day vulnerabilities and configuration risks, even in closed-source components,” Menashe added. “Manufacturers need to trust that their third-party components are secure, especially when these systems are used in nearly 40% of the mobile phones sold today.”