May 10, 2021

Android Users’ Privacy at Risk as Check Point Research Identifies Vulnerability on Qualcomm's Mobile Station Modems

As the number of smartphone users surpasses 3 billion globally, mobile vendors strive to create new technological innovations to improve their devices. With such a competitive and rapidly growing market, vendors often rely on third parties such as Qualcomm to produce hardware and software for phones. 
Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi and OnePlus. In August 2020, Check Point Research (CPR) found over 400 vulnerabilities on Qualcomm’s Snapdragon DSP (Digital Signal Processor) chip that threatened the usability of mobile phones.
The research was published with the goal of raising awareness about the potential risks associated with the vulnerability. However, we decided not to publish the full technical details until the mobile vendors affected found a comprehensive solution to mitigate the possible risks described. CPR worked with relevant government officials and mobile vendors to assist them in making handsets safer. 
The new vulnerability found this time sits on Qualcomm’s Mobile Station Modems (MSM), a series of system on chips embedded in mobile devices, including its 5G MSM. 5G is the next mobile technology standard succeeding 4G/LTE. Since 2019, countries all over the world have been implementing the infrastructure to enable it. By 2024, it is estimated that there will be 1.9 billion 5G subscriptions worldwide. 
What is MSM? 
MSM has been designed for high-end phones by Qualcomm since the early 1990s. It supports advanced features like 4G LTE and high definition recording. MSM has always been and will continue to be a popular target for security research and for cybercriminals. After all, hackers are always looking for ways to attack mobile devices remotely, such as by sending an SMS or a crafted radio packet that communicates with the device and has the ability to take control of it. Leveraging these 3rd Generation Partnership Project (3GPP) technologies is not the only entry point into the modem. 
Android also has the ability to communicate with the MSM chip’s processor through the Qualcomm MSM Interface (QMI), a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device such as cameras and fingerprint scanners. According to Counterpoint Technology Market Research, QMI is present on approximately 30% of all mobile phones in the world. Yet, little is known about its role as a possible attack vector. 
Exploiting MSM data services 
CPR found that if a security researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI; and so, of course, could a cybercriminal. During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. 
This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations. A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limitations imposed by service providers on it. 
A leap for mobile chip research
CPR believes this research to be a potential leap in the very popular area of mobile chip research. Our hope is that finding this vulnerability will allow a much easier inspection of the modem code by security researchers, a task that is notoriously hard to do today.
CPR responsibly disclosed the information found in this investigation to Qualcomm, who confirmed the issue, defined it as a high-rated vulnerability, and classified it as CVE-2020-11292, notifying the relevant device vendors. 
Tips for organisations and mobile phone users
Mobile devices present a different threat surface than traditional endpoints. Securing these devices requires following mobile-specific security best practices: 

  • Mobile devices should always be updated to the latest version of the OS to protect against the exploitation of vulnerabilities.

  • Only install apps downloaded from official app stores; this reduces the probability of downloading and installing mobile malware.

  • Enable ‘remote wipe’ capability on all mobile devices to minimise the probability of loss of sensitive data.

  • Install a security solution on your device.