Posted on Friday, May 07 2021 @ 09:34 CEST by Thomas De Maesschalck
Security researchers at Check Point Research discovered a grave vulnerability in a Qualcomm chip that's used in high-end smartphones made by companies like Google, Samsung, LG, Xiaomi, and OnePlus. The heap overflow vulnerability could potentially be exploited by an attacker to install malware inside Qualcomm’s Mobile Station Modem.
About 31 percent of smartphones are affected
Given how widespread these chips are, it's estimated that 31 percent of the world's smartphones are vulnerable to this attack. Attackers could gain access to a device's call and SMS history, as well as eavesdrop on a user's conversation. Ars Technica writes that Qualcomm has issued a patch, but the implementation of these fixes will likely take a lot of time.
The vulnerability is tracked as CVE-2020-11292. Check Point discovered it by using a process known as fuzzing, which exposed the chip system to unusual inputs in an attempt to find bugs in the firmware. Thursday’s research provides a deep dive into the inner workings of the chip system and the general outline they used to exploit the vulnerability.
The research is a reminder that phones and other modern-day computing devices are actually a collection of dozens if not hundreds of interconnected computing devices. While successfully infecting individual chips typically requires nation-state-level hacking resources, the feat would allow an attacker to run malware that couldn’t be detected without time and money.
In the meantime, it's unclear which phones are vulnerable and which ones are not. Many older smartphones are unlikely to get a fix.