头图

According to a security researcher, Qualcomm chips discovered a vulnerability, affecting millions of mobile phones worldwide.

Thursday, Checkpoint security researcher Slava Makkaveev published blog, called a loophole Qualcomm MSM (mobile modem) interface "can be used to control the modem ' . Attackers can use this vulnerability to inject malicious code to attack Android users, obtain the user's call records and SMS records, and can also eavesdrop on the user's calls. Hackers can use this vulnerability to unlock the SIM card, thereby escaping the restrictions set by the service provider on the mobile device.

MSM is a chip designed by Qualcomm for high-end mobile phones in the early 1990s and supports advanced functions such as 4G LTE. The chip has been widely used in mobile phone devices since the 1990s, and has been continuously updated, and has undergone a transition from 2G, 3G, 4G to 5G. Samsung, Xiaomi, Google, OnePlus and other mobile phone brands use this chip.

MSM has always been the target of security research and cybercriminals, and it may be the same in the future. Hackers always try to remotely attack mobile devices, such as sending SMS to communicate with the device, and then controlling the device.

Android communicates with the MSM chip processor through the Qualcomm MSM interface (QMI). QMI is a special protocol that ensures the communication between the software components in the MSM and other peripheral subsystems on the device.

A Check Point report shows that in about 30% of smartphones worldwide. In other words, about 30% of smartphones worldwide are affected by this vulnerability.

However, Check Point notified Qualcomm of this vulnerability as early as October last year, and the vulnerability number is CVE-2020-11292. Qualcomm marked it as a "high-risk vulnerability" and notified relevant vendors.

Qualcomm said that in October 2020, all manufacturers were notified of the vulnerability and provided a fix in December of that year. At present, many manufacturers have released security updates to end users. The vulnerability will also be published in the Android Security Bulletin in June this year.

A Qualcomm spokesperson said: "Qualcomm has provided a repair solution to OEMs in December 2020, and we encourage end users to update their devices in a timely manner when patches are available."

But it takes time to fix the vulnerability. A Qualcomm spokesperson recommends that users contact the mobile phone manufacturer to determine whether the vulnerability is fixed.

Reference link:


小魔
735 声望1k 粉丝