Cybersecurity specialists reported the finding of a critical vulnerability in Mobile Station Modem (MSM) telephone chips, developed by Qualcomm and compatible with 5G technology. Successful exploitation of this flaw would allow threat actors to access sensitive details including phone numbers, call history and even spy on live calls.
This is a series of chip systems (SoC) with 2G, 3G, 4G and 5G capabilities that are currently used in around 40% of smartphones around the world, including manufacturers such as Samsung, Google, LG, OnePlus and Xiaomi.
Check Point experts, responsible for the finding, mention that the flaw tracked as CVE-2020-11292 would have allowed malicious hackers to use the Android operating system as an access point for inadvertent injection of malicious code: “Vulnerability would also allow threat actors to unlock the subscriber identification module (SIM), used by mobile devices to store authentication information and contacts.”
Exploiting the attack requires abuse of a stack overflow weakness in the Qualcomm QMI interface, used by smartphone processors to interact with the stack software. Hackers could also use malicious apps to hide their activity using the modem’s own chip, becoming virtually invisible to any mobile security mechanism for the Android system.
Researchers presented their findings to Qualcomm in October 2020, at which point ways to address the problem began to be planned. For security, users of affected deployments are encouraged to upgrade to the latest available versions of their operating system as soon as possible. As usual, users are also advised not to install mobile apps downloaded from platforms outside the official Google store.
After receiving the Check Point report, Qualcomm developed security updates to address the flaw, contacting affected vendors for proper distribution. In this regard, a company spokesperson mentioned: “Providing appropriate technologies for user security and privacy is one of our most important goals; we thank Check Point researchers for providing vital information for the treatment of this security flaw.”
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.