Very Many Qualcomm Phone Chips Hiding Very Nasty Vulnerability

A high-severity bug affects almost 40% of Android phones. The security hole is in Qualcomm modems—specifically in their software interface to the Android platform.

A heap overflow could be exploited by attackers to inject arbitrary code into the modem. Malefactors can pwn the phone without being detected.

Good luck getting a patch for an old phone. In today’s SB Blogwatch, we check the insurance for an “accidental” fall onto concrete.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hilarious train remixes.

Time to Get a New Phone?

What’s the craic? Sergiu Gatlan reports—“Qualcomm vulnerability impacts nearly 40% of all mobile phones”:

A high severity security vulnerability found in Qualcomm’s Mobile Station Modem (MSM) chips … could enable attackers to access mobile phone users’ text messages, call history, and listen in on their conversations. [It] could also enable attackers to unlock the … SIM, used by mobile devices to store network authentication info and contact information securely.

To exploit CVE-2020-11292 … attackers have to abuse a heap overflow weakness in the Qualcomm MSM Interface (QMI). … Only installing apps from official app stores should greatly minimize the risk of accidentally installing malicious applications.

Qualcomm developed security updates to address the CVE-2020-11292 security issue and made them available to all impacted vendors … in December 2020. [So] Android users with newer devices still receiving … updates should all be protected against any attempts to compromise their up-to-date devices.

And what about older phones? Gareth Corfield adds—“Code flaw exposed Android smartphones to possible snooping”:

A big target
The software bug … can be abused … thanks to some in-depth jiggery-pokery in the … QMI voice service API. [It has] a CVSSv3 score of 7.8.

QMI … handles communications between a mobile handset’s modem and other peripheral subsystems that humans can jab, poke and wipe their dead fingerprints across. QMI exposes logical ports to the host device CPU through which software on it communicates with the device’s modem, and thence the outside world. … It’s a big target for malicious people: If you can compromise the modem … you can (eventually) listen in on the device’s user.

Who found it? Slava Makkaveev pokes a “Security probe of Qualcomm MSM data services”:

Inject malicious code
MSM is managed by the Qualcomm real-time OS (QuRT) that cannot be debugged or dumped even on rooted Android devices. QuRT’s integrity is ensured by the TrustZone. … In our research, we fuzzed MSM data services so we could find a way to patch QuRT on modern SoCs directly from Android.

Various different services … are exposed via the QMI protocol stack. … Note that the fact that a large number of QMI services are written by multiple authors makes them a good target for security research.

The fuzzer discovered a heap overflow vulnerability in the qmi_voicei_srvcc_call_config_req handler (0x64) of the voice service. … An attacker can use such a vulnerability to inject malicious code into the modem from Android.

[An] attacker controls … 0x106 out of 0x160 bytes per call entry. Note that such a heap overwrite vulnerability allows us to bypass the modem heap canaries, because we have the ability to jump over the obstructing bytes.

But isn’t this one of those ‘airtight hatchway’ arguments? andyman744’s too proud to beg the question: [You’re fired—Ed.]

If I’m reading this correctly, you’d still need to have a malicious program already on a … device for the flaw to actually be exploited?

Not so fast. SandorZoo sees a future for the bug in Harris’s infamous IMSI catcher:

This can be exploited by the cellular base station sending you malformed packets. I guess StingRay and the like will be updated with an option for exploiting [it].

Whom to blame? elbisivni points the finger:

Miserable efforts
Seriously, I do wish there was a viable alternative to Qualcomm in the Android market, or at least that Samsung would pull its finger out and make Exynos even slightly competitive. Qualcomm’s heavy hand even stifles entire nascent markets, such as its miserable efforts at making up-to-date SOCs for smart watches.

But perhaps it’s not as bad as all that? Here’s aRTeeNLCH:

Does Apple have a modem yet?
There’s also Mediatek for the cheap to middle end. New devices are getting better at competing with the last generation of Qualcomm Snapdragon, instead of the generation before that.

So: … Samsung with Exynos, Huawei with HiSilicon Kirin, and Mediatek with … Dimensity. Oh, does Apple have a modem yet, to go with their (PA-Semi) A-series chips?

With a more stoic, pragmatic view, float over to roeboat72:

In your face
This is not that unusual, it seems like back doors are being found in all sorts of hardware and software. It is a forever fight, criminals/governments will look for these backdoors, and companies will be patching them. [Now] I honestly expect for some vulnerability to be found. … Assuming something is secure oftentimes will blow up in your face.

Meanwhile, BAReFO0t channels no such agency’s reaction to the bug:

You mean “feature.”

And Finally:

Czech trains are so musical

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Marco Verch (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 579 posts and counting.See all posts by richi