Qualcomm Snapdragon 855 modem code flaw exposed Android smartphones to possible snooping

Good thing researchers spotted it, no evidence of exploit in the wild

A heap overflow vulnerability in Qualcomm's Snapdragon 855 system-on-chip modem firmware, used in Android devices, could be exploited by baddies to run arbitrary code on unsuspecting users' devices, according to Check Point.

The software bug, tracked as CVE-2020-11292, can be abused to trigger a heap overflow in devices that use a Qualcomm Mobile Station Modem (MSM) chip, thanks to some in-depth jiggery-pokery in the Qualcomm MSM Interface (QMI) voice service API.

"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations," said some not-at-all-excitable researchers from Israeli security firm Check Point in a blog post today.

The vuln, with a CVSSv3 score of 7.8, was disclosed and patched in autumn last year, Qualcomm told The Register. Fixes were made available to handset makers from December onwards. The chipmaker added that so far it has seen no evidence that the vuln was abused in the wild.

Around 30 per cent of all mobile phones in the world ran Qualcomm chips by the end of 2020, according to research consultancy Counterpoint

QMI is a Qualcomm protocol that handles communications between a mobile handset's modem and other peripheral subsystems that humans can jab, poke and wipe their dead fingerprints across. QMI exposes logical ports to the host device CPU through which software on it communicates with the device's modem, and thence the outside world.

It's a big target for malicious people: if you can compromise the modem firmware to give you an unencrypted feed of traffic going up and down the radio, you can (eventually) listen in on the device's user. Previous research from 2019 achieved this goal against the Snapdragon 835, 845 and 855 chips by entering via Wi-Fi controller firmware, exploiting two CVE-rated vulns in doing so.

Check Point said its researchers had fuzzed a Snapdragon SM8150 (aka Snapdragon 855) SoC from a Google Pixel 4 Android handset. The heap overflow its researchers were able to induce is of interest because it offers a way into the device that could potentially be exploited by cybercriminals to compromise software or apps running on it: as the infosec company put it, once a crim has access to the MSM through QMI, they can patch it to force it to grant them access to modem traffic.

Malicious people, in Check Point's words, could use this vulnerability "to inject malicious code into the modem from Android, giving them access to the device user's call history and SMS, as well as the ability to listen to the device user's conversations."

A Qualcomm spokesman told The Register: "We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available."

Check Point said it hoped the research would "be a potential leap" allowing any old infosec bod to inspect Qualcomm MSM firmware, something that QMI has, so far, seemingly staved off. ®

Similar topics

Narrower topics

Other stories you might like

  • Qualcomm sampling Wi-Fi 7 silicon for next-gen access points
    OEMs able to develop new products with aim of 10Gbps-plus throughput

    Qualcomm is sampling its Wi-Fi 7 Networking Pro Series chips aimed at throughput of more than 10Gbps for enterprise access points, gateways, and premium home routers.

    The third generation of the chipmaker's Networking Pro Series platforms is set to "initiate a new era" of 10Gbps Wi-Fi, Qualcomm claimed, stating that the new portfolio is optimized for multi-user environments and low CPU utilization to power collaboration, telepresence, and metaverse applications for both home and enterprise environments.

    Sampling means that the Networking Pro silicon is available to Qualcomm's OEM customers so they can develop and test the Wi-Fi 7 products that will ship to end users at some point. It isn't clear when buyers will actually be able to get their hands on kit to deploy, although Qualcomm previously said it expects to see Wi-Fi 7 products hit the market in 2023.

    Continue reading
  • Volkswagen to put Qualcomm tech under the hood across all brands
    CEO says Intel may yet end up inside, through its Mobileye tech

    Volkwagen Group’s automotive software subsidiary CARIAD has picked Qualcomm to provide system-on-chip modules (SOCs) for its automated driving software platform.

    The company has chosen Snapdragon Ride Platform portfolio as its hardware, projected to be available as of “the middle of the decade” according to CARIAD.

    Volkwagen CEO Herbert Diess said its project Trinity – the next generation of electric vehicles which will require "high performance chips" – will be ready for Level 4 automated driving in 2026. Level 4 automation means cars can handle most tasks without human intervention, but people can still take the wheel if they wish.

    Continue reading
  • Intel acquires graphics tech biz founded by ex-AMD, Qualcomm engineers
    Demoscene-steeped Siru is on not its Second but, what, Third or Fourth Reality, now?

    Intel has acquired a graphics technology firm founded by ex-Qualcomm mobile GPU engineers whose previous company, Bitboys, was once thought of as a front-runner of desktop graphics.

    Announced on Tuesday, Intel's latest acquisition is Siru Innovations, a Finnish firm focused on developing software and silicon building blocks, known as IP, for GPUs made by other companies. The Siru team will join Intel's fledgling Accelerated Computing Systems and Graphics Group.

    Balaji Kanigicherla, head of the Custom Compute Group within Intel's graphics business unit, said on LinkedIn that Siru's expertise in architecture, software, modeling and hardware implementation will aid Intel's accelerated computing efforts in various high-growth areas, including buzzy terms like blockchain and metaverse.  

    Continue reading
  • Semiconductor firms: China lockdowns play havoc with supply and demand
    Some report multimillion-dollar hits while others offer more rosy takes amid component drought

    Lockdowns in China have been disrupting supply and demand for a variety of semiconductor companies amid broader challenges created by the ongoing global chip shortage.

    Several publicly traded semiconductor companies discussed the impact of COVID-19 lockdowns in China at varying lengths during earning calls this week with analysts while also pointing to other sources of disruption, including an earthquake in Japan and a power line fire in France.

    For instance, Texas Instruments cut its revenue forecast by 10 percent for its second quarter, which ends in July, because multiple Chinese customers have not been able to receive orders due to lockdowns, company executives said during its Tuesday earnings call [PDF].

    Continue reading

Biting the hand that feeds IT © 1998–2022