Check Point’s Slava Makkaveev published a blog post on Thursday highlighting a security flaw in Qualcomm’s Mobile Station Modem Interface “that can be used to control the modem and dynamically patch it from the application processor.”
“An attacker can use such a vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations,” Makkaveev wrote.
“A hacker can exploit the vulnerability to unlock the SIM, thereby overcoming the limitations of the service providers imposed on the mobile device,” he added, explaining that the Qualcomm Mobile Station Modem Interface enables the chip to communicate with the operating system found within the smartphone.
The Check Point report noted that the Qualcomm Mobile Station Modem Interface can be found in an estimated 30% of all smartphones out in the world today. Thankfully, the company notified Qualcomm of the vulnerability in October, which then tracked it as CVE-2020-11292 and labeled it a “high rated vulnerability.”
Patches were sent to smartphone makers in the fall of 2020, according to a Qualcomm statement sent to multiple outlets including The Record and Bleeping Computer.
The chip has been in cellphones and smartphones since the 1990s and has been continuously updated over the years to support the transitions from 2G to 3G, 4G, and now 5G. Samsung, Xiaomi, Google, and One Plus are just a few of the smartphone brands leveraging the chip.
Setu Kulkarni, vice president of strategy at WhiteHat Security, said this was one of many examples of the “supply chain” nature of the problem plaguing mobile phone vendors, Qualcomm, the Android OS, and the apps on the Play Store.
“Making it all work together requires careful synchronization in terms of versions and supported capabilities between the mobile phones, the chipset, the OS, and the apps — and that’s where the cracks are for vulnerabilities to slip through,” Kulkarni said. “Especially since there is no one throat to choke in these kinds of issues.”
Even though Qualcomm has patched the issue, Kulkarni questioned who is holding the other parties in the ecosystem to account for the issue.
The proliferation of Android-based devices presents a scalability challenge to deploy the fix and at the same time the end-users are completely unable to understand the issue, Kulkarni added.
“Which customer will understand the issue in the chipset? One may wonder, is that why Apple is increasingly becoming a closed ecosystem? With control over the device, the chipset, the OS, and the highly regulated App Store — does Apple stand a better chance to protect its customers in such events? Time will tell,” Kulkarni explained.