Qualcomm’s Mobile Station Modems (MSM) had a vulnerability that could have allowed attackers to access a user’s SMS, audio of phone conversations, and more. The vulnerability was discovered by research firm Check Point Research and it found over 400 vulnerabilities on Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip in August last year. With a vast number of Android phones using Qualcomm SoCs, this would have put a mind boggling number of users’ data at risk. Qualcomm has reportedly released a patch, and Check Point Research also worked with relevant government officials as well as mobile vendors to make smartphones safer.
MSM, Check Point Research explains in a blog post, is a series of chips embedded in mobile devices and supports advanced features like 5G, 4G LTE, as well as high definition recording. It has been present in high-end phones since early 1990s. Android phones have a proprietary protocol called Qualcomm MSM Interface (QMI) that allows software components in the MSM to communicate with the cameras, fingerprint scanners, and other subsystems. Check Point Research found a vulnerability that could allow attackers to control the modem and inject malicious code into the modem from Android devices.
This would give attackers access to the user’s call history and SMS records, as well as the ability to listen in on the user’s conversations. It can also be used to unlock the SIM and bypass the limitations set by service providers. Check Point Research says that according to Counterpoint, QMI is present on around 30 percent of all mobile phones in the world. The vulnerability has been detailed in Check Point’s blog.
The vulnerability was discolored to Qualcomm by Check Point Research and was classified as a high-rated vulnerability — CVE-2020-11292. Relevant mobile vendors were informed as well. According to a report by Arstechnica, a Check Point spokesman said that Qualcomm has released a patch for the vulnerability. However, it is unclear whether vulnerable Android devices have been fixed. Qualcomm reportedly said in a statement that fixes were made available to OEMs in December 2020 and consumers are recommended to update their devices as patches become available.
Check Point also recommends users update their devices to the latest version of the OS, refrain from installing apps from third party stores, and enable ‘remote wipe’ capability on all mobile devices.