Billions of Android devices are exposed to a vulnerability in Qualcomm’s Mobile Station Modem (MSM) chip
A vulnerability in Qualcomm’s Mobile Station Modem (MSM) chip, installed in around 30% of the world’s mobile devices, can be exploited from within Android.
MSM is of great interest to both hackers and researchers looking for ways it might be exploited remotely by sending an SMS or a crafted radio packet that communicates with the device and can take control of it. But MSM can also be approached from inside the device – and this was the route chosen by researchers at Check Point Research (CPR).
Within an Android device, the MSM runs under Qualcomm’s real-time operating system, QuRT, which is protected by TrustZone. It cannot be debugged or dumped even on a rooted device, so the only route to the MSM code is through a vulnerability.
CPR fuzzed the MSM data services in search of a way to patch QuRT directly from Android.
QMI (Qualcomm MSM Interface) is Qualcomm’s proprietary protocol for communication between software components in the modem and other peripheral subsystems. The CPR researchers observed that QMI messages carry their payload in Type-Length-Value (TLV) format.
CPR used QEMU-based emulation of Hexagon, the processor architecture the modem firmware runs on, to fuzz the QuRT handler functions – and discovered a heap overflow vulnerability in the qmi_voicei_srvcc_call_config_req handler (0x64) of the QMI voice service.
“To process this packet,” explain the researchers, “the handler allocates 0x5B90 bytes on the modem heap, extracts the number of calls from the payload into the allocated buffer at offset 0x10, and then loops to fetch all call contexts into the buffer starting at offset 0x12. Due to the lack of checking for the maximum number of calls, it is possible to pass the value 0xFF in the number of calls field and thus overwrite in the modem heap up to 0x12 + 0x160 * 0xFF - 0x5B90 = 0x10322 bytes.”
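The following C model, added here as an illustration rather than code from CPR or from Qualcomm’s firmware, shows the TLV parsing described above and the arithmetic of the overflow, beside a hardened version of the handler that performs the missing maximum-calls check. The buffer size (0x5B90), the offsets (0x10, 0x12) and the call-context size (0x160) are the figures quoted from the CPR write-up; the 1-byte type / 2-byte little-endian length layout of a QMI TLV is standard QMI, but the TLV type value 0x01, the maximum derived from the buffer size, and the function names are assumptions for the model. The request bytes are constructed inline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Values quoted from the CPR write-up for handler 0x64 of the QMI voice service. */
#define HEAP_BUF_SIZE   0x5B90u   /* bytes allocated on the modem heap             */
#define NUM_CALLS_OFF   0x10u     /* where the number-of-calls byte is stored      */
#define CALLS_OFF       0x12u     /* where the copied call contexts start          */
#define CALL_CTX_SIZE   0x160u    /* size of one call context                      */

/* Assumption for this model: a QMI TLV is a 1-byte type, 2-byte little-endian
 * length, then the value. 0x01 is a hypothetical type for the call-list TLV. */
#define TLV_CALL_LIST   0x01u

/* Largest call count that fits the allocation. Derived from the quoted sizes
 * (0x5B90 - 0x12) / 0x160 = 66; the firmware's real limit is not on the page. */
#define MAX_CALLS ((HEAP_BUF_SIZE - CALLS_OFF) / CALL_CTX_SIZE)

struct tlv { uint8_t type; uint16_t len; const uint8_t *val; };

/* Parse one TLV at p. Returns bytes consumed, or 0 if header or value does not fit. */
size_t parse_tlv(const uint8_t *p, size_t n, struct tlv *out)
{
    if (n < 3) return 0;
    out->type = p[0];
    out->len  = (uint16_t)(p[1] | (p[2] << 8));
    if ((size_t)out->len > n - 3) return 0;      /* declared length runs past buffer */
    out->val  = p + 3;
    return 3 + out->len;
}

/* Bytes the original (unchecked) handler writes past its 0x5B90-byte allocation
 * for a given number-of-calls value; 0 when everything fits. num_calls = 0xFF
 * reproduces the write-up's figure of 0x10322. */
size_t overflow_bytes(unsigned num_calls)
{
    size_t end = CALLS_OFF + (size_t)CALL_CTX_SIZE * num_calls;
    return end > HEAP_BUF_SIZE ? end - HEAP_BUF_SIZE : 0;
}

/* Hardened model of the handler: the count is checked against the allocation and
 * against the TLV's own length before anything is copied. 0 = ok, -1 = rejected. */
int handle_srvcc_call_config(const uint8_t *payload, size_t len, uint8_t *heap_buf)
{
    struct tlv t;
    if (parse_tlv(payload, len, &t) == 0 || t.type != TLV_CALL_LIST || t.len < 1)
        return -1;

    unsigned num_calls = t.val[0];
    if (num_calls > MAX_CALLS)                                   /* the missing check */
        return -1;
    if ((size_t)t.len < 1 + (size_t)num_calls * CALL_CTX_SIZE)   /* TLV shorter than its count claims */
        return -1;

    memset(heap_buf, 0, HEAP_BUF_SIZE);
    heap_buf[NUM_CALLS_OFF] = (uint8_t)num_calls;
    memcpy(heap_buf + CALLS_OFF, t.val + 1, (size_t)num_calls * CALL_CTX_SIZE);
    return 0;
}

/* Constructed request: a call-list TLV whose count byte says num_calls but which
 * actually carries ctx_included zero-filled contexts (a short, malicious packet
 * when the two differ). Caller frees the result. */
uint8_t *build_request(unsigned num_calls, unsigned ctx_included, size_t *out_len)
{
    size_t vlen = 1 + (size_t)ctx_included * CALL_CTX_SIZE;
    if (vlen > 0xFFFF) return NULL;              /* not expressible in a 2-byte length */
    uint8_t *buf = calloc(3 + vlen, 1);
    if (!buf) return NULL;
    buf[0] = TLV_CALL_LIST;
    buf[1] = (uint8_t)(vlen & 0xFF);
    buf[2] = (uint8_t)(vlen >> 8);
    buf[3] = (uint8_t)num_calls;
    *out_len = 3 + vlen;
    return buf;
}

/* Run the hardened handler on a constructed request; returns the handler's verdict. */
int try_request(unsigned num_calls, unsigned ctx_included)
{
    size_t len = 0;
    uint8_t *req  = build_request(num_calls, ctx_included, &len);
    uint8_t *heap = malloc(HEAP_BUF_SIZE);
    int rc = (req && heap) ? handle_srvcc_call_config(req, len, heap) : -1;
    free(req);
    free(heap);
    return rc;
}

int main(void)
{
    printf("num_calls=0xFF overwrites 0x%zx bytes past the allocation\n", overflow_bytes(0xFF));
    printf("count 2, 2 contexts:    %s\n", try_request(2, 2)    == 0 ? "accepted" : "rejected");
    printf("count 0xFF, 1 context:  %s\n", try_request(0xFF, 1) == 0 ? "accepted" : "rejected");
    printf("count 3, 2 contexts:    %s\n", try_request(3, 2)    == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks in the hardened handler are independent: the first bounds the count by what the allocation can hold, which is the check the write-up says is absent; the second rejects a TLV whose declared length is too short for the count it carries, which otherwise turns into an out-of-bounds read of the request. Both belong before the first byte is copied.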
The purpose of the research was to find a vulnerability rather than to exploit one: the aim was to uncover flaws that other researchers could use to examine the MSM chip. Once a vulnerability was found, CPR did not explore its exploitation.
A bug report and proof of concept were sent to Qualcomm on October 8, 2020. One week later, Qualcomm confirmed the issue and classified it as a high-severity vulnerability. In February it was assigned CVE-2020-11292. Qualcomm has notified the relevant vendors and developed a patch.
The potential of this vulnerability is huge. Bad actors would need to compromise the device first, but could then do things that were previously impossible. “A normal application, or even a ‘root’ application which has received highest privileges from the Android operating system,” Yaniv Balmas, Head of Cyber Research at Check Point, told SecurityWeek, “is still unable to ‘normally’ fully interact with the MSM, but only through very small and defined channels.” Today a bad actor cannot inspect the MSM, but merely scratch its surface. “The vulnerability we found,” he continued, “may allow full inspection of the MSM, and is the equivalent of running your own application, or research/inspection tools on the MSM itself.”
A globally effective patch is possible, but it will take time and comes with no guarantees. Three parties share responsibility for it: Qualcomm, the Android device vendors, and Google.
“Qualcomm is actually the first link in the chain here,” said Balmas. “Qualcomm needs to fix the issue in its chips, or in the firmware running on it, and then ship it out to all its customers; that is, the mobile phone vendors.”
The mobile phone vendors, he continued, need to get the fixes from Qualcomm, “and make sure they are integrated into their entire line of phones, including those that are still in the assembly line, and those that are already circulating in the market.” So, although Qualcomm can fix the issue – and indeed already has – whether the fix has reached your own phone is far from certain.
Could Google fix it on Android for everyone? “The general answer,” said Balmas, “is most probably – no.” Balmas believes it will take a while before the Qualcomm fix reaches all phones, but, he said, “As time progresses, we will hopefully get there.”
Even with the fix in place, it is probably not the end of the issue. “Even inspection of an older model of modem chips could still prove to be very valuable. Modem chips are complex, and contain hundreds of thousands of lines of code. Consequently, you can definitely expect vulnerabilities found on 2–3-year-old models to still exist today on newer models.” Getting hold of an old, unpatched Android phone would not be difficult.
So, who is likely to use this vulnerability? Balmas is somewhat diplomatic in his answer: “Researchers will use this vulnerability to further explore MSM and find additional vulnerabilities in it. These researchers might be good or bad – which mainly depends on your point of view, of course. However, I strongly believe that the research community will greatly benefit from this – and at the end of the day, end-users will find themselves more protected than before, even though this can also be misused to a certain extent.”
The inference from Balmas’ comments is that you may not be safe even if you know your own Android has received the Qualcomm patch. ‘Researchers’ could use the Check Point research to explore an old model and find new vulnerabilities in the MSM that persist in newer models. Good researchers will only be looking for the existence of vulnerabilities; bad researchers will be looking to exploit them. Bad actors still need to get malware onto the device to do so, so the only cast-iron defense is to not let your Android phone be compromised in the first place.