A flaw in Qualcomm modems allows hackers to record their phone calls

11. 05. 2021 Tuesday / By: Robert Denes / The Key

A new report from security firm Check Point Research says Qualcomm’s Mobile Station Modem (MSM) could be exploited by hackers to record phone calls and more. MSM dates back to the early 1990s and is used in 2G, 3G, 4G and even 5G devices; the report describes a serious vulnerability that can be exploited remotely as easily as sending an SMS.

Attackers could listen to your calls, read your text messages, and even unlock your SIM card to circumvent the restrictions imposed by service providers. Nearly 30% of all smartphones are reported to use Qualcomm chipsets, making them potential targets for exploitation. For now, all users can do is keep their devices updated with the latest security patch.

But 3GPP protocols are not the only entry point to the modem. Android can also communicate with the modem processor via the Qualcomm MSM Interface (QMI).

We discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. An attacker can use such a vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations. A hacker can exploit the vulnerability to unlock the SIM, thereby overcoming the limitations that service providers impose on the mobile device. - Check Point Research

MSM is managed by the Qualcomm Real-Time Operating System (QuRT), which cannot be debugged or dumped even on rooted Android devices. The integrity of QuRT is ensured by TrustZone. The only way to examine the modem dynamically is to use a vulnerability. There have been several successful attempts to patch QuRT by exploiting vulnerabilities in the Qualcomm Trusted Execution Environment (QTEE) or the Linux kernel. The most recently compromised SoC is the MSM8998 (Pixel 2).

In our research, we fuzzed MSM data services to find a way to patch QuRT on modern SoCs directly from Android.

QMI is a proprietary protocol used for communication between software components in the modem and other peripheral subsystems. QMI communication is based on a client-server model in which clients and servers exchange messages in the QMI wire format. A module can act as a client of any number of QMI services, and a QMI service can serve any number of clients. In the context of a Qualcomm SoC, which includes Android smartphones, the QMI ports are exposed to the application processor running Linux. There can be many transport mechanisms, but on integrated chips with shared memory, the Shared Memory Device (SMD) is the primary one.

QMI offers a variety of services that are exposed through a QMI protocol stack on one or more QMI ports. The modem of the SM8150 SoC (Pixel 4) exports about 40 services, including:

  • Wireless Data Service (WDS)
  • Asset management service
  • Network Access Service (NAS)
  • Quality of service
  • Wireless Messaging Service (WMS)
  • Authentication service
  • Atcop service
  • Voice service
  • Card apps toolkit service (CAT)
  • Phonebook Management Service (PBM)
  • Wireless data administration service

In addition to the services provided by Qualcomm, OEMs can also add their own. For example, LG adds SIM unlock handling in its LGE RESIM service on T-Mobile phones.
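The client-server exchange described above, and the service numbering behind the list of services, as an added example that is not from the article, from Check Point or from Qualcomm: a small Python decoder for QMUX/QMI framing that validates every declared length before trusting it, which is the kind of check a defender wants at the application-processor side of the modem boundary. The framing layout and the service IDs are taken from the publicly documented QMI format as implemented by the open-source libqmi stack; that layout is an assumption beyond what this page states, and the sample frames are constructed here rather than captured from a device.

```python
"""
Minimal QMI (Qualcomm MSM Interface) wire-format decoder with strict bounds checks.

Added example, not Check Point's or Qualcomm's code. The framing assumed here is
the publicly documented QMUX framing as implemented by libqmi (an assumption
about the format, not something the article states):

  QMUX header : 1 byte I/F type (0x01), 2 byte length (LE, excludes the I/F byte),
                1 byte control flags, 1 byte service type, 1 byte client ID
  QMI SDU     : 1 byte message flags, 2 byte transaction ID (1 byte for the
                CTL service), 2 byte message ID, 2 byte payload length,
                then TLVs of 1 byte type, 2 byte length, value
"""
import struct
from dataclasses import dataclass, field

# Service IDs for the services named in the article (numbering as used by libqmi).
SERVICE_NAMES = {
    0x00: "CTL",
    0x01: "WDS",    # Wireless Data Service
    0x02: "DMS",    # Device Management Service
    0x03: "NAS",    # Network Access Service
    0x04: "QOS",    # Quality of Service
    0x05: "WMS",    # Wireless Messaging Service
    0x07: "AUTH",   # Authentication service
    0x08: "AT",     # ATCoP service
    0x09: "VOICE",  # Voice service
    0x0A: "CAT",    # Card Application Toolkit
    0x0C: "PBM",    # Phonebook Management
    0x1A: "WDA",    # Wireless Data Administrative service
}


class QmiParseError(ValueError):
    """Raised on any length or framing inconsistency; the whole message is rejected."""


@dataclass
class QmiMessage:
    service: int
    service_name: str
    client_id: int
    flags: int
    transaction_id: int
    message_id: int
    tlvs: dict = field(default_factory=dict)


def parse_tlvs(payload: bytes) -> dict:
    """Walk the TLV list, refusing any TLV whose declared length overruns the payload."""
    tlvs = {}
    off = 0
    while off < len(payload):
        if len(payload) - off < 3:
            raise QmiParseError(f"truncated TLV header at offset {off}")
        t, length = struct.unpack_from("<BH", payload, off)
        off += 3
        if length > len(payload) - off:
            raise QmiParseError(f"TLV 0x{t:02x} declares {length} bytes, only {len(payload) - off} remain")
        if t in tlvs:
            raise QmiParseError(f"duplicate TLV 0x{t:02x}")
        tlvs[t] = payload[off:off + length]
        off += length
    return tlvs


def parse_qmux(frame: bytes) -> QmiMessage:
    """Decode one QMUX frame; every declared length is checked against the real buffer."""
    if len(frame) < 6 or frame[0] != 0x01:
        raise QmiParseError("not a QMUX frame")
    length, _ctrl, service, client = struct.unpack_from("<HBBB", frame, 1)
    if length != len(frame) - 1:
        raise QmiParseError(f"QMUX length {length} != {len(frame) - 1}")
    sdu = frame[6:]
    tid_fmt = "<BB" if service == 0x00 else "<BH"  # CTL uses a 1-byte transaction ID
    hdr_len = struct.calcsize(tid_fmt) + 4
    if len(sdu) < hdr_len:
        raise QmiParseError("truncated SDU header")
    flags, tid = struct.unpack_from(tid_fmt, sdu, 0)
    msg_id, msg_len = struct.unpack_from("<HH", sdu, struct.calcsize(tid_fmt))
    payload = sdu[hdr_len:]
    if msg_len != len(payload):
        raise QmiParseError(f"SDU length {msg_len} != {len(payload)}")
    return QmiMessage(service, SERVICE_NAMES.get(service, f"0x{service:02x}"),
                      client, flags, tid, msg_id, parse_tlvs(payload))


def build_qmux(service: int, client: int, flags: int, tid: int, msg_id: int, tlvs: dict) -> bytes:
    """Encoder used only to construct sample frames (constructed data, not captured traffic)."""
    body = b"".join(struct.pack("<BH", t, len(v)) + v for t, v in tlvs.items())
    tid_fmt = "<BB" if service == 0x00 else "<BH"
    sdu = struct.pack(tid_fmt, flags, tid) + struct.pack("<HH", msg_id, len(body)) + body
    return struct.pack("<BHBBB", 0x01, len(sdu) + 5, 0x00, service, client) + sdu


# Constructed sample: a well-formed frame for the Voice service, plus the same frame
# with the last TLV's length inflated so the declared size overruns the buffer.
GOOD_FRAME = build_qmux(0x09, 0x02, 0x00, 0x0001, 0x0020, {0x01: b"\x01", 0x10: b"abc"})
BAD_FRAME = bytearray(GOOD_FRAME)
BAD_FRAME[-5:-3] = struct.pack("<H", 0x1000)  # TLV 0x10 now claims 4096 bytes
BAD_FRAME = bytes(BAD_FRAME)

if __name__ == "__main__":
    print(parse_qmux(GOOD_FRAME))
    try:
        parse_qmux(BAD_FRAME)
    except QmiParseError as exc:
        print("rejected:", exc)
```

The decoder rejects the whole frame on the first inconsistency rather than trusting any single length field; the outer QMUX length, the SDU payload length and each TLV length are checked independently, because a frame can be consistent at the outer layers while a single inner TLV overruns its buffer.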

According to an official statement to Tom’s Guide, Qualcomm had already provided software fixes for the MSM vulnerability as early as December 2020, and subsequent security updates should have resolved the issue. None of the Android security bulletins have mentioned the fix for the bug so far. Google is expected to publicly address the fix in the June security patch.

Well, of course, there are Nokia devices made with Qualcomm chips as well, so these devices fall into the at-risk category. Devices with a Qualcomm chip include the Nokia 7.3, Nokia 9.3 PureView, Nokia 6.4, Nokia 8, Nokia 5.3, Nokia 8.3 5G and the recently introduced Nokia X20.
