With the number of smartphone users worldwide exceeding 3 billion, mobile service providers are striving to develop new technological innovations to improve their devices. In such a competitive and rapidly growing market, vendors often rely on third parties, such as Qualcomm, to produce hardware and software for mobile phones.
Qualcomm offers a variety of chips embedded in devices that represent more than 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, and OnePlus. In August 2020, Check Point Research (CPR) discovered more than 400 vulnerabilities in Qualcomm’s Snapdragon DSP (digital signal processor) chip that put the usability of mobile phones at risk.
That blog post was published to raise awareness of the potential risks associated with those vulnerabilities. However, we decided not to release the full technical details until the affected mobile device vendors had a comprehensive solution to mitigate the risks outlined. CPR works with relevant government officials and mobile phone vendors to help them improve the security of mobile phones.
The vulnerability described here is in Qualcomm’s Mobile Station Modem (MSM), a series of systems-on-chips embedded in mobile devices, including its 5G MSM. 5G is the next mobile technology standard after 4G / LTE, and since 2019 countries around the world have been building out infrastructure for it. It is estimated that by 2024 there will be 1.9 billion 5G users worldwide.
MSM was designed by Qualcomm for high-end phones in the early 1990s. It supports advanced features such as 4G LTE and HD recording. MSM has been, and will continue to be, a popular target for both security research and cybercriminals. After all, attackers are always looking for ways to reach mobile devices remotely, for example by sending an SMS or by communicating with the device using crafted radio packets in order to take control of it.
These third-generation partnership project (3GPP) technologies are not the only entry point to the modem. Android can also communicate with the MSM chip through the Qualcomm MSM Interface (QMI), a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems of the device (such as cameras and fingerprint scanners).
According to a survey by Counterpoint Technology Market Research, QMI is present in approximately 30% of mobile phones worldwide. Yet its role as a possible attack vector is poorly understood.
Do you use the MSM data service? CPR found that the easiest way for a security researcher to implement a modem debugger and explore the latest 5G code is to use the MSM data service exposed over QMI; of course, the same path is available to cybercriminals.
During the investigation, we discovered a vulnerability in the modem data service that can be used to control the modem and dynamically patch it from the application processor. This means that an attacker could have used the vulnerability to inject malicious code from Android into the modem, gaining access to the device user’s call and SMS history as well as the ability to listen in on the user’s conversations. Attackers could also use this vulnerability to unlock the device’s SIM card, thereby bypassing the restrictions imposed by the service provider.
We hope that the discovery of this vulnerability will make it easier for security researchers to inspect the modem code, a task that is notoriously difficult today.
CPR responsibly disclosed the findings of this investigation to Qualcomm, which confirmed the issue, classified it as a critical vulnerability, assigned it CVE-2020-11292, and notified the relevant device vendors.