Vulnerability

New Qualcomm Chip Bug Could Let Hackers Spy On Android Devices

The greatest evergreen target of Hackers is ‘Android device’.  Yes, this was tried to be exploited through MSM but New Qualcomm Chip Bug could let the Hackers spy on Android devices now.

What is MSM?

Mobile Station Modem (MSM) is an ongoing series of a 2G/3G/4G/5G-capable system on chips (SoC) designed by Qualcomm starting in the early 1990s. But these 3GPP protocols are not the only entry point into the modem. Android also can communicate with the modem processor through the Qualcomm MSM Interface (QMI).

What is QMI?

QMI is a proprietary protocol used to communicate between software components in the modem and other peripheral subsystems. QMI communication is based on a client-server model, where clients and servers exchange messages in QMI wire format. A module can act as a client of any number of QMI services and a QMI service can serve any number of clients. In the context of Qualcomm SoC, which includes Android smartphones, QMI ports are exposed to the Linux-running application CPU core inside the chip. There can be many different transport mechanisms, but in modern integrated chips, the primary one used is the Shared Memory Device (SMD).

Many services are exposed via the QMI protocol stack on one or many QMI ports. Wireless data service (WDS)

  • Device management service
  • Network access service (NAS)
  • Quality of service
  • Wireless message service (WMS)
  • Authentication service
  • Atcop service
  • Voice service
  • Card apps toolkit service (CAT)
  • Phone book manager service (PBM)
  • Wireless data administrative service

OEMs can also add their services to those provided by Qualcomm by default. Note that the fact that a large number of QMI services are written by multiple authors makes them a good target for security research.QMI communication is of the request/response type. Each service registers itself in the QuRT and then waits for requests/messages in a queue. For example, NAS supports more than 130 different messages.

American fuzzy lop (AFL) in combination with QEMU to fuzz the handler functions on Ubuntu PC.

Modem fuzzing scheme

CVE-2020-11292

The qmi_voicei_srvcc_call_config_req function begins its execution by parsing the TLV payload. It does not use the QMI framework to convert the payload to a C structure.

If the type of a TLV packet is equal to 1, the value is interpreted as the following:

  • The number of calls (1 byte).
  • An array of call contexts (0x160 bytes per call).

The patch timeline:

October 8, 2020Bug report and POC sent to Qualcomm.
October 8, 2020Qualcomm acknowledges the report and assigns it QPSIIR-1441 for tracking.
October 15, 2020Qualcomm confirms the issue and names it a High rated vulnerability.
February 24, 2021Check Point requests the CVE-ID for this issue and acknowledges that the disclosure date is April 2021.
February 24, 2021Qualcomm informs Check Point that the CVE-ID will be CVE-2020-11292.
May 6, 2021Public disclosure.

Conclusion

QMI is present on approximately 30% of all mobile phones in the world If a researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI. An attacker can use this vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

AT&T Massive Data Breach – Affecting Nearly All Customers’ Call & Text Records

AT&T, one of the largest telecommunications companies in the United States, has disclosed a significant…

7 hours ago

FishXProxy Fuels Phishing Attacks with Clever Deceptive Attacks

Imagine receiving an email that looks legitimate, down to the last detail. This is the…

9 hours ago

Beware of Phishing Attack that Abuses SharePoint Servers

A massive phishing campaign exploits Microsoft SharePoint servers to host malicious PDFs containing phishing links.…

11 hours ago

Apple Warns of Users in 98 Countries of Targeted Spyware Attacks

Apple has alerted iPhone users in 98 countries about potential mercenary spyware attacks. This marks…

13 hours ago

Citrix NetScaler ADC & Gateway Impacted by regreSSHion RCE Vulnerability

Qualys discovered a critical remote unauthenticated code execution (RCE) vulnerability, CVE-2024-6387, in OpenSSH’s server (sshd).…

13 hours ago

4000+ Domains Used By FIN7 Actors Mimic Popular Brands

Russian-linked FIN7 (aka Sangria Tempest, ATK32, Carbon Spider, Coreid, ELBRUS, G0008, G0046, and GOLD NIAGARA)…

13 hours ago