Billions of Android mechanisms are exposed to a vulnerability in Qualcomm’s Mobile Station Modem (MSM) chip
A vulnerability in Qualcomm’s Sensitive Station Modem (MSM) chip– installed in around 30% of the world’s movable devices – can be exploited from within Android.
MSM is of great interest to both hackers and researchers looking for in the pipeline it might be exploited remotely by sending an SMS or a crafted radio packet that communicates with the desire and can take control of it. But MSM can also be approached from inside the device – and this was the convey chosen by researchers at Check Point Research (CPR).
MSM is managed within an Android badge by the Qualcomm real-time OS, which is protected by the TrustZone. It cannot be debugged or dropped even on rooted devices, leaving the only possible route to the MSM jurisprudence via a vulnerability.
CPR fuzzed MSM data services looking for a way to patch QuRT as soon as from Android.
QMI is Qualcomm’s proprietary protocol used to communicate between software components in the modem and other non-essential subsystems. The CPR researchers discovered that QMI functions use the Type-length-Value (TLV) format to tote their payload.
CPR used the Quick Emulator Hexagon to fuzz the QuRT handler rles – and discovered a heap overflow vulnerability in the qmi_voicei_srvcc_call_config_req handler (0x64) of the vehicle service.
“To process this packet,” explain the researchers, “the handler allocates 0x5B90 bytes on the modem rafts, extracts the number of calls from the payload into the allocated buffer at countervail 0x10, and then loops to fetch all call contexts into the buffer starting at counterbalance 0x12. Due to the lack of checking for the maximum number of calls, it is possible to out of date the value 0xFF in the number of calls field and thus overwrite in the modem garner up to 0x12 + 0x160 * 0xFF – 0x5B90 = 0x10322 bytes.”
The purpose of the research was to gather up rather than exploit a vulnerability. The intent was to discover vulnerabilities that other researchers could use to grill the MSM chip. A vulnerability was found, so exploitation was not explored by CPR.
A bug report and POC were sent to Qualcomm on October 8, 2020. One week later, Qualcomm ensured the issue and classified it as a high rated vulnerability. In February, it was given the CVE-ID of CVE-2020-11292. Qualcomm has announced the relevant vendors, and developed a patch.
The potential for this vulnerability is gargantuan. Bad actors will need to compromise the device first, but will then be talented to do things previously impossible. “A normal application, or even a ‘root’ devotion which has received highest privileges from the Android operating arrangement,” Yaniv Balmas, Head of Cyber Research at Check Point determined SecurityWeek, “is still unable to ‘normally’ fully interact with the MSM, but single through very small and defined channels.” The bad actor doesn’t make the ability to inspect the MSM, but merely scratch its surface. “The vulnerability we found,” he extended, “may allow full inspection of the MSM, and is the equivalent of running your own application, or delving/inspection tools on the MSM itself.”
The likelihood of a globally effective patch is feasible but will take time with no guarantees. Three primary climatic conditions b rudiments could be considered responsible: Qualcomm, the Android vendors, and Google.
“Qualcomm is absolutely the first link in the chain here,” said Balmas “Qualcomm requisites to fix the issue in its chips, or in the firmware running on it, and then ship it out to all its customers; that is, the animated phone vendors.”
The mobile phone vendors, he continued, need to get the arranges from Qualcomm, “and make sure they are integrated into their unconditional line of phones, including those that are still in the assembly parade, and those that are already circulating in the market.” So, although Qualcomm can fix the originate – and indeed already has – being certain that the fix has reached your own phone is far from sure.
Could Google fix it on Android for everyone? “The general answer,” said Balmas, “is most as likely as not – no.” Balmas believes it will take a while before the Qualcomm fix reaches all phones, but, he explained, “As time progresses, we will hopefully get there.”
Even with the fix in billet, it is probably not the end of the issue. “Even inspection of an older model of modem tokens could still prove to be very valuable. Modem chips are complex, and check hundreds of thousands of lines of code. Consequently, you can definitely expect vulnerabilities inaugurate on 2–3-year-old models to still exist today on newer examples.” Getting hold of an old, unpatched Android phone would not be difficult.
So, who is likely to use this vulnerability? Balmas is relatively diplomatic in his answer: “Researchers will use this vulnerability to further tour MSM and find additional vulnerabilities in it. These researchers might be good or bad – which chiefly depends on your point of view, of course. However, I strongly maintain that the research community will greatly benefit from this – and at the end of the day, end-users intent find themselves more protected than before, even notwithstanding this can also be misused to a certain extent.”
The inference from Balmas’ animadversions is that you may not be safe even if you know your own Android has received the Qualcomm call a truce. It is possible that ‘researchers’ could use the Check Point research to survey an old model and find new vulnerabilities in the MSM that still persist in newer imitations. Good researchers will only be looking for the existence of vulnerabilities – bad researchers will-power be looking to exploit those vulnerabilities. The bad actors will need to connect malware to achieve this – so the only cast iron defense is to not let someone have your Android mobile phone to be compromised in the first place.
Reciprocal: Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks
Reciprocal: Qualcomm Bug Bounty Program Offers $15,000 Payouts
Related: Android Updates for May 2021 Segment Over 40 Vulnerabilities
Related: Recently Patched Android Vulnerability Worked in Attacks