To cut off all nearby phones with these Chinese chips, this is the bug to exploit

Android patches incoming for NAS-ty memory overwrite flaw

A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.

The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.

Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.

"We scanned NAS message handlers within a short period of time and found a vulnerability which can be used to disrupt the device's radio communication through a malformed packet," the researchers wrote in a detailed and fascinating advisory this week.

"A hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location." They stressed that the flaw was in the firmware of the UNISOC chipset and not the Android operating system.

UNISOC is a 21-year-old chip designer based in China that spent the first 17 years of life known as Spreadtrum Communications, and that by 2011 was supplying chips for more than half of the mobile phones in the country. In 2018, the company changed its name to UNISOC. The chips are found mostly in smartphones in Asia and Africa due to the low prices of its silicon.

According to market analyst firm Counterpoint, UNISOC is the fourth-largest smartphone chip house in the world, behind MediaTek, Qualcomm and Apple.

This isn't the first time UNSOC's tech has come under scrutiny. In March, Kryptowire, a mobile security and privacy monitoring company, announced it had found a vulnerability that, if exploited, would let bad actors take control of a device's functionality and the user data within it.

"The vulnerability allows intruders to access call and system logs, text messages, contacts, and other private data, video record the device's screen or use the external-facing camera to record video, or even take control of the device remotely, altering or wiping data," Kryptowire researchers said, adding that in December 2021 they disclosed the vulnerability to UNISCO and affected device manufacturers and carriers.

In this latest discovery, Check Point researchers reverse-engineered UNISOC's LTE protocol stack implementation. LTE networks comprise multiple components and protocols that form the evolved packet system (EPS) architecture.

In its tests, Check Point used a Motorola Moto G20 device with the Android January update. The smartphone is based on UNISOC's T700 chip.

The Check Point analysts focused on the information exchanged between the cellular network's equipment and people's devices as part of their everyday operation to stay connected and communicate. This exchanged data is contained in NAS messages. It turns out a specific type of packet – an EPS mobility management (EMM) packet – in a NAS message can trigger programming errors in the firmware's NAS handlers.

"The NAS protocol operates with high-level structures," the researchers wrote. "Therefore, it does not take much effort for an attacker to create a malformed EMM packet and send it to a target device. When a new NAS message arrives, the UNISOC modem parses it and creates internal objects based on the received data."

An attacker could thus, with a suitable broadcast resulting in a bad NAS message, remotely crash the modem, which could result in a denial-of-service – or possibly remote code execution, enabling the miscreant to get some control over the devices.

Check Point disclosed the flaw in May – which is tracked as CVE-2022-20210 – to UNISOC, and the chip biz produced a patch later that month. According to the cybersecurity company, Google will roll out this fix in its upcoming Android Security bulletin. Check Point recommended users update their operating system on their UNISOC-powered devices to the latest version, if possible.

"The smartphone modem is a prime target for hackers as it can be easily reached remotely through SMS or radio packet," the researchers wrote.

The result can be seen in the booming mobile security market, which analyst firm Allied Market Research said will grow from $3.3 billion in 2020 to $22.1 billion in 2030, driving in large part to the increase in online mobile payments, the use of mobile devices for tasks that involve sensitive information – such as banking information and credit card and social security numbers – and the ongoing adoption of bring-your-own-device (BYOD) policies in the workplace. ®

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading

Biting the hand that feeds IT © 1998–2022