The folks over at Israeli cybersecurity firm Check Point have discovered a vulnerability inside chips made by Qualcomm that could allow a malicious party to tap into your phone calls and text messages. The flaw was discovered in Qualcomm’s Mobile Station Modems (MSM), a series of systems on chips used in mobile devices that provides cellular connectivity (and a host of other features such as hi-def recording) on over 40% of phones in the world. In this case, the phones left vulnerable were those that employ a proprietary protocol called QMI (Qualcomm MSM Interface), which allows communication between MSM software components and other subsystems on a phone.
Check Point notes that the vulnerability in Qualcomm’s chip could allow a hacker to inject malicious code into the modem by various means, such as an app, to access users’ call history and SMS. It could even be exploited to listen to your conversations. The experts at Check Point estimate that QMI can be found on over 30% of all phones in the world, which means billions of devices were exposed to a possible attack. In addition, the flaw could also have been exploited to unlock the SIM being used on a phone.
[CPR-Zero] CVE-2020-11292 (Qualcomm Data Modem): Buffer-Overflow in the QMI voice service API exposed by the modem to HLOS https://t.co/Bkfw0iDHte
— Check Point Research (@_CPResearch_) May 6, 2021
“We discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. An attacker can use such a vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations,” says the blog post.
In a research note, Check Point reveals that it informed Qualcomm about the MSM vulnerability in October last year. Qualcomm subsequently notified smartphone vendors about the issue, and patches to fix the flaw started rolling out within the next few months. However, it is unclear what percentage of phones have received the necessary software updates to date. The cybersecurity firm revealed that Qualcomm MSM is present inside phones offered by the likes of OnePlus, Google, LG, and Samsung. Classified as CVE-2020-11292, the vulnerability will also be disclosed in Google’s official Android security bulletin for June.