An Estimated 30% of All Smartphones Vulnerable To New Qualcomm Bug (therecord.media)

Around a third of all smartphones in the world are believed to be affected by a new vulnerability in a Qualcomm modem component that can grant attackers access to the device's call and SMS history and even audio conversations. From a report: The vulnerability -- tracked as CVE-2020-11292 -- resides in the Qualcomm mobile station modem (MSM), a chip that allows devices to connect to mobile networks. First designed in the early 90s, the chip has been updated across the years to support 2G, 3G, 4G, and 5G cellular communications and has slowly become one of the world's most ubiquitous technologies, especially with smartphone vendors.

Devices that use Qualcomm MSM chips today include high-end smartphone models sold by Google, Samsung, LG, Xiaomi, and OnePlus, just to name a few. But in a report published today by Israeli security firm Check Point, the company said its researchers found a vulnerability in Qualcomm MSM Interface (QMI), the protocol that allows the chip to communicate with the smartphone's operating system. Researchers said that malformed Type-Length-Value (TLV) packets received by the MSM component via the QMI interface could trigger a memory corruption (buffer overflow) that can allow attackers to run their own code.
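QMI carries its parameters as TLVs with a one-byte type, a two-byte little-endian length and a value, and the bug class the summary describes is a handler that trusts that length field. As an added example (not Check Point's or Qualcomm's code), this is a bounds-checked TLV walker that rejects any element whose declared length overruns the message or the receiving buffer; the buffer capacity and the sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define QMI_TLV_HDR 3        /* type (1) + little-endian length (2) */

struct qmi_tlv { uint8_t type; uint16_t len; const uint8_t *value; };

/* Parse the TLV at *off. Returns 1 and advances *off on success; returns 0
   when the header is truncated or the declared length exceeds the bytes left. */
int qmi_tlv_next(const uint8_t *msg, size_t msg_len, size_t *off, struct qmi_tlv *out)
{
    if (*off > msg_len || msg_len - *off < QMI_TLV_HDR)
        return 0;                                    /* truncated header */
    uint16_t len = (uint16_t)(msg[*off + 1] | (msg[*off + 2] << 8));
    size_t remaining = msg_len - *off - QMI_TLV_HDR;
    if (len > remaining)
        return 0;                                    /* length field lies about the payload */
    out->type = msg[*off];
    out->len = len;
    out->value = msg + *off + QMI_TLV_HDR;
    *off += QMI_TLV_HDR + len;
    return 1;
}

/* Copy a TLV value into a fixed handler buffer. Returns bytes copied, or -1
   instead of overflowing when the value is larger than the buffer. */
int qmi_copy_value(const struct qmi_tlv *tlv, uint8_t *dst, size_t dst_cap)
{
    if (tlv->len > dst_cap) return -1;
    memcpy(dst, tlv->value, tlv->len);
    return (int)tlv->len;
}

/* Walk a whole message; returns the TLV count, or -1 at the first malformed TLV. */
int qmi_count_tlvs(const uint8_t *msg, size_t msg_len)
{
    size_t off = 0; int n = 0; struct qmi_tlv t;
    while (off < msg_len) {
        if (!qmi_tlv_next(msg, msg_len, &off, &t)) return -1;
        n++;
    }
    return n;
}

/* Parse the first TLV and try to copy it into a buffer of the given capacity. */
int qmi_first_value_copy(const uint8_t *msg, size_t msg_len, size_t cap)
{
    size_t off = 0; struct qmi_tlv t; uint8_t buf[256];
    if (cap > sizeof buf || !qmi_tlv_next(msg, msg_len, &off, &t)) return -1;
    return qmi_copy_value(&t, buf, cap);
}

/* Constructed samples: two well-formed TLVs, and the same message where the
   second TLV claims 0xFFFF bytes although only one byte follows its header. */
static const uint8_t good_msg[] = {0x01,0x02,0x00,0xAA,0xBB, 0x10,0x01,0x00,0xCC};
static const uint8_t bad_msg[]  = {0x01,0x02,0x00,0xAA,0xBB, 0x10,0xFF,0xFF,0xCC};
```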

  • And that code likely needs root privileges, doesn't it?

    • and it might already be patched on phones, at least those getting updates...

    • The article says this can be exploited by the cellular base station sending you malformed packets. I guess StingRay [wikipedia.org] and the like will be updated with an option for exploiting this vulnerability.

      From the fine article:

      Check Point says that exploiting the vulnerability can’t be done by hiding the malformed TLV packets inside third-party apps running on the OS, especially on Android, where the MSM component is protected by SELinux security policies.

      However, researchers say that the TLV packet can be hidden inside radio (cellular) communications or multimedia content sent to the device, which, when unpacked, can reach the vulnerable QMI interface.

      • > The article says this can be exploited by the cellular base station sending you malformed packets.

        Thanks for reporting the essential fact. I suspected this might be true.

        The only real solution at this point is to have a phone for pedestrian conversations but then run a hotspot on it and on a non-phone device connect over VPN to the Internet.

        Who makes a good holster for two phone-sized devices?

        > I guess StingRay and the like will be updated with an option for exploiting this vulnerability.

        Damn right

        • by youn ( 1516637 )

          Arguably, this would not necessarily protect you; it mostly moves the problem and adds an extra layer of complexity.

          You're assuming the second phone is not vulnerable, no lateral movement from the intruder, and the VoIP server is secure; the next vulnerability is likely going to be targeting something else.

          A simpler solution is to update the phone or get a newer one if it can't be updated.

      • > The article says this can be exploited by the cellular base station

        Are you saying my carrier could get access to my call and SMS history using that exploit?
        Don't they already have all that information anyways?

        So basically, this exploit could be usable if someone accessed the cellular base station to insert malicious code, and my device is not patched already.

    • by Luckyo ( 1726890 )

      Straight from the story:

      >During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations. A hacker can also exploit the vulnerability to unlock

      • Then there's the fact that this is probably already patched on phones supported by the manufacturers anyway, as the vulnerability was disclosed last year and Qualcomm released relevant patches to vendors after that.

        It should be patched by now. But the problem is whether or not those vendors released the patch to users. Some vendors are better than others about updating.

        • by Luckyo ( 1726890 )

          That's why I made a qualifier that you quoted, "on phones supported by the manufacturers".

  • You mean "feature"!

    by BAReFO0t ( 6240524 )

    Signed,

    NSA

    • You really think the NSA needs this to access call and SMS history? They can just get it straight from the carriers when they need to.

  • How can I find out what chip is in my Mate 30 Pro? I was hoping it had no US chips in it...

  • by Luthair ( 847766 )
    Joke's on you, Mr Hacker, I don't use my phone to call or text, and neither does anyone else these days ;)
    • That's all very well but then I suspect you are entirely susceptible to "Mr. Tracker" in that case.

      If you're not using phone calls and texts, then you're probably using VoIP and closed source messaging services on a Google or Apple phone that is tracking you 24x7 using wi-fi triangulation that knows exactly where you are at all times to within a distance of 2m - not to mention the additional tracking through apps from Apple, Google, Facebook, etc.

      My Android phones and tablets are all de-Googled. Calls, text

  • Aren't those processors mostly used in the USA and China? At least on Samsung.
    • Samsung is the exception. It has its own Exynos CPU line. Most other manufacturers don't and rely on Qualcomm for their high end. Huawei is another notable exception.
      And even Samsung appears to be split about 50% Exynos/Snapdragon (Qualcomm).

      • There's also Mediatek for the cheap to middle end, new devices are getting better at competing with the last generation of Qualcomm Snapdragon, instead of the generation before that. So: Qualcomm with Snapdragon, Samsung with Exynos, Huawei with HiSilicon Kirin, and Mediatek with all kinds, top designs are currently branded Dimensity. Oh, does Apple have a modem yet, to go with their (PA-Semi) A-series chips?
