One Billion Android Smartphones Vulnerable to Eavesdropping
A large vulnerability has been discovered in the security systems of Qualcomm's components. The security hole could expose many Android smartphones to eavesdropping.
- Check Point Research has discovered a vulnerability in the security measures of Qualcomm's chips;
- The problem may affect up to one billion devices worldwide;
- The vulnerability can be exploited to e.g. listen to conversations on a hacked phone.
Cybersecurity company Check Point Research discovered a vulnerability in Qualcomm components. As it turns out, the scale of the problem is huge, because Qualcomm's components are used in 1/3 of the world's smartphones, or roughly one billion Android devices. The gap in the security systems can be used by hackers, among other parties, to get our SMS and call history, and even eavesdrop on our voice conversations or unlock the SIM card. The problem may affect all Android smartphones that have a chip model vulnerable to attack, including devices from Samsung, LG, Xiaomi, OnePlus, as well as Pixel from Google, especially when it comes to flagship models.
The source of the problem is the MSM (Mobile Station Modem) chip responsible for managing the device and wireless networks like 4G, 5G or LTE. Hackers may use the QMI (Qualcomm MSM Interface) protocol, which allows for communication between different MSM components. The QMI voice service can be used by attackers to inject malicious code into QuRT (Qualcomm's real-time OS), and take control of the aforementioned functions of our smartphone. The vulnerability can be a threat to up to 30% of all smartphones in the world.
Fortunately, Qualcomm is aware of the scale of the problem - the company carried out the first patching of security systems back in December 2020. Unfortunately, it was not specified which smartphone models were included in this process. More information about the vulnerability, tracked as CVE-2020-11292, is expected to be given in the June Android Security Bulletin. It is not yet known when the next security patches will be introduced, but it is likely that flagships will be "patched" first, while lower and mid-range devices will have to wait longer.