To cut off all nearby phones with these Chinese chips, this is the bug to exploit
Android patches incoming for NAS-ty memory overwrite flaw
A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.
The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.
Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.
"We scanned NAS message handlers within a short period of time and found a vulnerability which can be used to disrupt the device's radio communication through a malformed packet," the researchers wrote in a detailed and fascinating advisory this week.
"A hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location." They stressed that the flaw was in the firmware of the UNISOC chipset and not the Android operating system.
UNISOC is a 21-year-old chip designer based in China that spent the first 17 years of life known as Spreadtrum Communications, and that by 2011 was supplying chips for more than half of the mobile phones in the country. In 2018, the company changed its name to UNISOC. The chips are found mostly in smartphones in Asia and Africa due to the low prices of its silicon.
According to market analyst firm Counterpoint, UNISOC is the fourth-largest smartphone chip house in the world, behind MediaTek, Qualcomm and Apple.
- Predator spyware sold with Chrome, Android zero-day exploits to monitor targets
- Upgrading to Android 12.1 ... in Windows 11: Telemetry disabled by default
- Safari is crippling the mobile market, and we never even noticed
- Ad-tech firms grab email addresses from forms before they're even submitted
This isn't the first time UNSOC's tech has come under scrutiny. In March, Kryptowire, a mobile security and privacy monitoring company, announced it had found a vulnerability that, if exploited, would let bad actors take control of a device's functionality and the user data within it.
"The vulnerability allows intruders to access call and system logs, text messages, contacts, and other private data, video record the device's screen or use the external-facing camera to record video, or even take control of the device remotely, altering or wiping data," Kryptowire researchers said, adding that in December 2021 they disclosed the vulnerability to UNISCO and affected device manufacturers and carriers.
In this latest discovery, Check Point researchers reverse-engineered UNISOC's LTE protocol stack implementation. LTE networks comprise multiple components and protocols that form the evolved packet system (EPS) architecture.
In its tests, Check Point used a Motorola Moto G20 device with the Android January update. The smartphone is based on UNISOC's T700 chip.
The Check Point analysts focused on the information exchanged between the cellular network's equipment and people's devices as part of their everyday operation to stay connected and communicate. This exchanged data is contained in NAS messages. It turns out a specific type of packet – an EPS mobility management (EMM) packet – in a NAS message can trigger programming errors in the firmware's NAS handlers.
"The NAS protocol operates with high-level structures," the researchers wrote. "Therefore, it does not take much effort for an attacker to create a malformed EMM packet and send it to a target device. When a new NAS message arrives, the UNISOC modem parses it and creates internal objects based on the received data."
An attacker could thus, with a suitable broadcast resulting in a bad NAS message, remotely crash the modem, which could result in a denial-of-service – or possibly remote code execution, enabling the miscreant to get some control over the devices.
Check Point disclosed the flaw in May – which is tracked as CVE-2022-20210 – to UNISOC, and the chip biz produced a patch later that month. According to the cybersecurity company, Google will roll out this fix in its upcoming Android Security bulletin. Check Point recommended users update their operating system on their UNISOC-powered devices to the latest version, if possible.
"The smartphone modem is a prime target for hackers as it can be easily reached remotely through SMS or radio packet," the researchers wrote.
The result can be seen in the booming mobile security market, which analyst firm Allied Market Research said will grow from $3.3 billion in 2020 to $22.1 billion in 2030, driving in large part to the increase in online mobile payments, the use of mobile devices for tasks that involve sensitive information – such as banking information and credit card and social security numbers – and the ongoing adoption of bring-your-own-device (BYOD) policies in the workplace. ®