A recently discovered vulnerability inside Qualcomm-produced phone chips could be exploited to gain access to data on affected devices, allowing an intruder to snoop on phone calls and text messages.
The bug, which was discovered and disclosed by security firm Check Point Research, may be exploitable on a whopping 30 percent of the world’s phones. Qualcomm contracts with major Android phone sellers like Samsung, Google, Xiaomi, LG, and others, providing chips for hundreds of millions of devices worldwide.
While researchers say that the vulnerable chips are found in about 40 percent of the global phone population, only (“only”) about 30 percent of phones in the world come equipped with a particular proprietary interface, the Qualcomm MSM Interface (QMI), necessary for attacks to be conducted.
The affected hardware, the mobile station modem (MSM), is a system-on-a-chip responsible for providing capabilities to a majority of the important components within the phone. The attack theorized by Check Point would necessitate access to the operating system of a targeted device, though this access could be quite easily accomplished via a malicious trojanized app or some other method that allowed an attacker to gain surreptitious entry.
Once inside, an attacker could inject malicious code into the modem to reveal sensitive information, researchers write. An attack of this kind would hijack a phone’s QMI, which is the protocol that governs communication between the different software components within the MSM. Such exploitation could allow access to text messages and call history and could also allow a hacker to listen in on a user’s calls. In some cases, they could also gain access to the contents of a device’s SIM card, researchers write.
“Cellular modem chips are often considered the crown jewels for cyber attackers, especially the chips manufactured by Qualcomm,” said Yaniv Balmas, Head of Cyber Research at Check Point. “An attack on Qualcomm modem chips has the potential to negatively affect hundreds of millions of mobile phones across the globe...We ultimately proved a dangerous vulnerability did in fact exist in these chips, revealing how an attacker could use the Android OS itself to inject malicious code into mobile phones, undetected,” said Balmas. “My main message to Android users is to update to the latest OS of your mobile OS.”
The new research has resulted in an official vulnerability classification. Unfortunately, it’s not 100 percent clear whether all of the patches for it have been issued yet. The industry's patching system works in a sort of trickle-down way, with a big distributor like Qualcomm issuing an update, followed by phone makers applying their own fixes. According to a report from The Record, it isn’t clear which or how many of the phone companies have done this yet.
“The mobile vendors themselves must apply the fix,” a representative from Check Point told The Record. “Qualcomm says it has notified all Android vendors. We do not know who or who did not patch.” A Qualcomm spokesperson apparently told Ars Technica that he recommends consumers contact their phone manufacturer to understand the status of patches for their specific device.