Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks

Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point.

Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point.

Chipsets made by UNISOC, one of China’s largest mobile phone chip designers, are widely used in budget smartphones, particularly ones sold in Asia and Africa. The company was called Spreadtrum until 2018, when it rebranded as UNISOC.

At the end of 2021, UNISOC had an 11% share of the smartphone application processor market, being ranked the fourth after Mediatek, Qualcomm and Apple.

Researchers at Check Point have analyzed UNISOC modem firmware and discovered that it’s affected by a serious vulnerability that can allow an attacker to launch a remote denial-of-service (DoS) attack against a device by using a specially crafted packet.

“We reverse-engineered the implementation of the LTE protocol stack and discovered a vulnerability that could be used to deny modem services and block communications,” the company explained in a blog post.

It warned, “A hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location.”

Check Point has made available the technical details of the vulnerability, which is tracked as CVE-2022-20210.

Several of Google’s Android updates released in the past year included patches for UNISOC vulnerabilities. Check Point says Google plans on addressing this latest flaw with an upcoming Android update.

The vendor, which gave the vulnerability a CVSS score of 9.4 (critical severity), patched it in May, the same month it learned of its existence.

In March 2022, mobile security company Kryptowire reported that smartphones with UNISOC chips were affected by a critical vulnerability related to a pre-installed app (CVE-2022-27250), which could allow a malicious application to take control of user data and device functionality.

Related: Microsoft Finds Major Security Flaws in Pre-Installed Android Apps

Related: Researchers Find Pre-Installed Malware on More Android Phones in U.S.

Related: Triada Trojan Pre-Installed on Low Cost Android Smartphones

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.