
Qualcomm’s mobile station modem bug puts user privacy at risk; fix issued

A vulnerability in Qualcomm’s mobile station modem (MSM) that’s used in approximately one-third of Android smartphones, including high-end 5G phones from Google, OnePlus, Samsung, Xiaomi and LG, could potentially allow attackers to access messages and audio of phone conversations.

Researchers at Check Point discovered a critical flaw in Qualcomm’s mobile station modem, which, if exploited, would allow a cybercriminal to inject malicious code into Android phones, using the OS as an entry point, and gain access to SMS, call history and phone conversations of Android users in real-time.

The bug could also allow an attacker to unlock a mobile device’s SIM, which would let them bypass limitations imposed by service providers.

The mobile station modem is responsible for enabling features like voice, SMS and recording on Android devices.

Qualcomm confirmed the issue and classified it as a high-rated vulnerability (CVE-2020-11292). The chipset manufacturer has already patched the issue on its end and has sent the fixes to the respective OEMs. Users are advised to update their devices as soon as a fix is available.

Researchers used Pixel 2 and Pixel 4 to find the bugs in Qualcomm’s MSM

An attacker can use a malicious app installed on the phone to inject cloaked malicious code and access vital phone functions.

The researchers fuzzed MSM data services to find a way to patch Qualcomm’s real-time OS directly from Android.

“CPR found that if a security researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI; so could a cybercriminal, of course. During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor,” researchers at Check Point wrote in a blog post.

“Our hope is that finding this vulnerability will allow a much easier inspection of the modem code by security researchers, a task that is notoriously hard to do today.”
