Check Point Research (CPR) found a security vulnerability in Qualcomm’s mobile station modem (MSM), the chip responsible for cellular communication in nearly 40% of the world’s phones. If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations.
As the number of smartphone users surpasses 3 billion globally, mobile vendors strive to create new technological innovations to improve their devices. With such a competitive and rapidly growing market, vendors often rely on third parties such as Qualcomm to produce hardware and software for phones.
Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi and OnePlus. In August 2020, Check Point Research (CPR) found over 400 vulnerabilities on Qualcomm’s Snapdragon DSP (Digital Signal Processor) chip that threatened the usability of mobile phones.
The blog was published with the goal of raising awareness about the potential risks associated with the vulnerability. However, we decided not to publish the full technical details until the mobile vendors affected found a comprehensive solution to mitigate the possible risks described. CPR worked with relevant government officials and mobile vendors to assist them in making handsets safer.
on the new vulnerability found this time sits on Qualcomm’s Mobile Station Modems (MSM), a series of system on chips embedded in mobile devices, including its 5G MSM. 5G is the next mobile technology standard succeeding 4G/LTE. Since 2019, countries all over the world have been implementing the infrastructure to enable it. By 2024, it is estimated that there will be 1.9 billion 5G subscriptions worldwide.
MSM has been designed for high-end phones by Qualcomm since the early 1990s. It supports advanced features like 4G LTE and high definition recording. MSM has always been and will continue to be a popular target for security research and for cybercriminals. After all, hackers are always looking for ways to attack mobile devices remotely, such as by sending an SMS or a crafted radio packet that communicates with the device and has the ability to take control of it. Leveraging these 3rd Generation Partnership Project (3GPP) technologies is not the only entry point into the modem.
Android also has the ability to communicate with the MSM chip’s processor through the Qualcomm MSM Interface (QMI), a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device such as cameras and fingerprint scanners. According to Counterpoint Technology Market Research, QMI is present on approximately 30% of all mobile phones in the world. Yet, little is known about its role as a possible attack vector.
CPR found that if a security researcher want to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI so could a cybercriminal of course. During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor.
This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations. A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limitations imposed by service providers on it.
CPR believe this research to be a potential leap in the very popular area of mobile chip research. Our hope is that finding this vulnerability will allow a much easier inspection of the modem code by security researchers, a task that is notoriously hard to do today.
CPR responsibly disclosed the information found in this investigation to Qualcomm, who confirmed the issue, defined it as a high-rated vulnerability, and classified it as CVE-2020-11292, notifying the relevant device vendors.
When it comes to enterprises, Check Point strongly recommends organizations protect the corporate data on their mobile devices by using mobile security solutions. Check Point Harmony Mobile provides real-time threat intelligence and visibility into the mobile threats that could affect businesses, and provides complete protection against the risks associated with the Qualcomm vulnerabilities that have been detailed in this blog.