It appears that one of Qualcomm’s mobile station modems (MSM) was affected by a serious security flaw. This flaw seems to be dated back to December 2020 and Qualcomm has already addressed the issue.
While Qualcomm might have rolled out a security patch to address the issue, it seems security flaw is still a threat to smartphones using that MSM in 2021.
According to Check Point security team, the vulnerability could be exploited to inject malicious code into the phone by using the Android operating system itself as an entry point.
Currently, the affected Qualcomm chip(s) are said to be powering about 40% of all smartphones globally- including flagship and high end devices from Samsung and other OEMs.
Check Point research team found that if someone wants to attack the latest 5G code in devices powered by Qualcomm’s modems by implementing a debugger, ‘the easiest way to do that is to exploit MSM data services through QMI’ (Qualcomm MSM Interface).
From the research carried out, there is a ‘vulnerability in modem data service that can be used to control the modem and dynamically patch it from the application processor.’
Samsung and OEMs Devices Affected by Qualcomm Modem Security Flaws
As earlier stated, it appears that Qualcomm was aware of thus flaw and rolled out a security patch to address the issue back in December 2020. This couple with the fact that it was not initially made public is a relief. But, all is not squared out just yet.
The mind boggling news is that, lots of smartphones developed by Samsung and other OEMs still vulnerable as of this writing.
Even though Qualcomm has release a patch to address the security flaw, they can’t force when the manufacturers of these phones will make it available for these devices.
And given the fact that Android OS roll out updates gradually, it might take some time before all affected phones gets the updates. Even if the updates starts rolling out, it won’t be available in all regions immediately.
Now that the Check Point research team has decided to make this security issue public, maybe smartphone OEMs — including Samsung — will hasten the process of updating their devices to address the security flaw, but, it may take some time.
Samsung and other OEMs have started rolling out May 2021 security patch for its devices. But, it’s unclear if it fixes this issue. For example, the Samsung May 2021 security patch for its Galaxy devices so far include a fix for devices powered by both Exynos and Qualcomm chipsets — one that was reported in December — but it doesn’t seem to match Check Point’s description.
Qualcomm has classified the vulnerability as ‘CVE-2020-11292,’ and this classification was not mentioned in Samsung’s latest security bulletin.
Bottom line is, phone manufacturers should soon be in the process of releasing a new security patch that fixes Qualcomm’s security flaw. However, we’re not sure how many models are affected or if the May 2021 security patch addresses it in any capacity.