The greatest evergreen target of Hackers is ‘Android device’. Yes, this was tried to be exploited through MSM but New Qualcomm Chip Bug could let the Hackers spy on Android devices now.
What is MSM?
Mobile Station Modem (MSM) is an ongoing series of a 2G/3G/4G/5G-capable system on chips (SoC) designed by Qualcomm starting in the early 1990s. But these 3GPP protocols are not the only entry point into the modem. Android also can communicate with the modem processor through the Qualcomm MSM Interface (QMI).
What is QMI?
QMI is a proprietary protocol used to communicate between software components in the modem and other peripheral subsystems. QMI communication is based on a client-server model, where clients and servers exchange messages in QMI wire format. A module can act as a client of any number of QMI services and a QMI service can serve any number of clients. In the context of Qualcomm SoC, which includes Android smartphones, QMI ports are exposed to the Linux-running application CPU core inside the chip. There can be many different transport mechanisms, but in modern integrated chips, the primary one used is the Shared Memory Device (SMD).
Many services are exposed via the QMI protocol stack on one or many QMI ports. Wireless data service (WDS)
- Device management service
- Network access service (NAS)
- Quality of service
- Wireless message service (WMS)
- Authentication service
- Atcop service
- Voice service
- Card apps toolkit service (CAT)
- Phone book manager service (PBM)
- Wireless data administrative service
OEMs can also add their services to those provided by Qualcomm by default. Note that the fact that a large number of QMI services are written by multiple authors makes them a good target for security research.QMI communication is of the request/response type. Each service registers itself in the QuRT and then waits for requests/messages in a queue. For example, NAS supports more than 130 different messages.
American fuzzy lop (AFL) in combination with QEMU to fuzz the handler functions on Ubuntu PC.
The qmi_voicei_srvcc_call_config_req function begins its execution by parsing the TLV payload. It does not use the QMI framework to convert the payload to a C structure.
If the type of a TLV packet is equal to 1, the value is interpreted as the following:
- The number of calls (1 byte).
- An array of call contexts (0x160 bytes per call).
The patch timeline:
|October 8, 2020||Bug report and POC sent to Qualcomm.|
|October 8, 2020||Qualcomm acknowledges the report and assigns it QPSIIR-1441 for tracking.|
|October 15, 2020||Qualcomm confirms the issue and names it a High rated vulnerability.|
|February 24, 2021||Check Point requests the CVE-ID for this issue and acknowledges that the disclosure date is April 2021.|
|February 24, 2021||Qualcomm informs Check Point that the CVE-ID will be CVE-2020-11292.|
|May 6, 2021||Public disclosure.|
QMI is present on approximately 30% of all mobile phones in the world If a researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI. An attacker can use this vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations.