A now patched security flaw discovered in Qualcomm's MSM chips could have allowed attackers to gain access to the the SMS messages and phone conversations of around a third of the world's Android smartphones (opens in new tab).
Qualcomm (opens in new tab) is one of the largest chipmakers around today and its chips are currently found in over 40 percent of smartphones including high-end devices from Google, Samsung, LG, Xiaomi and OnePlus.
The vulnerability, tracked as CVE-2020-11292, was discovered by security researchers at Check Point Research (opens in new tab) when using a process known as fuzzing (opens in new tab) to test Qualcomm's mobile station modem (MSM) for flaws in its firmware.
- We've built a list of the best endpoint protection software (opens in new tab) available
- These are the best antivirus (opens in new tab) software solutions on the market
- Also check out our roundup of the best malware removal software (opens in new tab)
The chipmaker has also created a proprietary protocol called Qualcomm MSM Interface (QMI) that enables its MSM chips to communicate with other peripheral subsystems on an Android device such as cameras and fingerprint scanners. According to the technology market research firm Counterpoint, QMI is found on approximately 30 percent (opens in new tab) of all mobile phones worldwide though little is known about its role as a possible attack vector.
MSM vulnerability
During its investigation, Check Point discovered a vulnerability in Qualcomm's MSM chips that can be used to control a smartphone's modem and dynamically patch it from the application processor.
As a result, an attacker could have leveraged the vulnerability in question to inject malicious code (opens in new tab) into a device's modem from Android which would give them full access to a user's call history and text messages as well as the ability to listen to a user's phone conversations. Additionally, a hacker could also exploit the vulnerability to unlock a device's SIM.
Check Point responsibly disclosed its discovery to Qualcomm and the chipmaker developed a patch for the issue while also notifying the relevant smartphone vendors. Users should apply the latest updates from their smartphone manufacturer to protect them from any possible exploits in the wild.
Qualcomm also reached out to TechRadar Pro and a company spokesperson urged Android users to install the latest patches when they become available, saying:
“Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available."
In order to protect against similar vulnerabilities, Check Point recommends that users update their operating system to the latest version, only install apps from official app stores like the Google Play Store (opens in new tab) and install a mobile antivirus (opens in new tab) for additional protection. Organizations meanwhile should enable 'remote wipe' capability for all of their employee's work devices to minimize the probability of loss of sensitive data.
- We've also highlighted the best firewall (opens in new tab)
Via Ars Technica (opens in new tab)