The latest warning about Android vulnerabilities touches the very heart of the devices themselves: the 5G chipset. If exploited, this would allow “dangerous” malware to hide inside your device “and never be removed”. Users are requested to ensure that they have the latest firmware and security updates.
This latest blunt disclosure comes from the Check Point team: “A very serious … security vulnerability in Qualcomm’s 5G mobile station (MSM) modem, the chip responsible for cellular communication in nearly 40% of phones in the world.”
This means “hundreds of millions” of devices, says Check Point, exposed to “an attacker using Android OS itself as an entry point to inject malicious and invisible code into phones, granting an attacker access to call history, SMS messages and phone audio conversations.” Think of credentials and data theft as well as spyware.
We have been here before. The same team has already “hacked Qualcomm’s TrustZone on Android devices,” the hardware isolation built into the processor.
This flaw has been corrected, but this “dangerous” silicon threat vector remains open.
The impacted chip manages connections to cellular networks. As Yaniv Balmas, Head of Cyber Research at Check Point, tells me: “These chips are the crown jewels of mobile exploitation – if you find a vulnerability in the way the chip handles incoming calls or texts, you can potentially exploit a phone by simply sending a message or a call.”
While the potential for such a clickless attack is deeply concerning, exploitation is extremely difficult – we are talking about nation state level conops. “These mobile chips are extremely difficult to find,” explains Balmas. “They are almost exclusively owners, so peering inside is a very difficult task that can take years to accomplish.”
Following Check Point’s disclosure, this latest flaw was corrected by Qualcomm in December 2020. But it’s up to the phone makers to roll out the updates. The problem affects “hundreds of millions of high-end phones,” says Check Point. And it’s not just Samsung – some phones from Google, LG, Xiaomi, and OnePlus are also at risk. But on the premium side of the 5G market, Samsung will be by far the most affected.
Qualcomm told me that “providing technologies that support strong security and privacy is a priority for Qualcomm. We applaud the security researchers at Check Point for employing coordinated disclosure practices that conform to industry standards. Qualcomm Technologies has already made patches available to OEMs in December 2020 and we encourage end users to update their devices as patches become available.”
“We found some pretty interesting vulnerabilities there that can lead to remote code execution,” Balmas warns. “The app itself could do anything a malicious app does – steal your data, touch your calls and texts.” And while attacking the chip from the outside is not really viable, it can be attacked by malware on the device, which can then hide on the chip, making itself undetectable and impossible to remove.
“There’s the usual problem here with closed source code,” says Balmas, “the fact that these chips are very difficult to inspect means you have to trust Qualcomm’s security, which is historically not a good idea – not specifically Qualcomm, but in general.”
Balmas is not yet convinced that this vulnerability will have been patched in enough phones to eradicate the risk. “There’s a long supply chain here: Qualcomm to phone sellers to consumers. This makes it really hard to fix these issues once found. It took us a very long iteration with Qualcomm to fix this problem. We are talking about a minimum of one year until the fixes arrive with consumers.”
This issue again highlights the disparity between iOS and Android when it comes to critical updates. Even with Samsung, there is a complex update process, which differs by region and between flagship and cheaper phones. It’s certainly not on Apple-type rails.
“We reported the problem in early October 2020,” Balmas tells me. “Qualcomm released a patch for most models in December, and Samsung just released a patch this month for many of its major models. Having said that, they did mention that the fix might not include older or less popular models as this is a huge process that needs to be done on their end. And that’s of course only Samsung … surely other phone vendors have similar issues.”
As SamMobile explains, “If Samsung says a device needs to receive monthly updates, it may not provide a monthly update for that device in every country or region … also the timing of some devices. For example, some carriers may choose to put a device on a quarterly schedule even though Samsung provides a monthly update for unlocked units … There are no guarantees, basically, and although Samsung does release updates. Security Day with impressive regularity, it’s always possible that a Galaxy phone or tablet may miss some security fixes from time to time. “
I contacted Samsung to get confirmation that this update is available for their 5G smartphones and an indication of how many devices are still exposed, but I haven’t received a response. I will add all updated information here.
We’ve seen Apple release several urgent updates in recent months, fixing high-risk iPhone issues quickly, with ease of deployment and compliance. That’s just not the case with Android and Samsung, where phone makers run their own processes after Google, Qualcomm, or others release a fix.
This means that the update compliance level is much lower on Android than on iOS, and so there is a much higher likelihood of vulnerabilities being exploited even after they have been fixed. Ultimately, this is the biggest security concern for Android users, so much so that it prompted my Straight Talking Cyber colleague Davey Winder to swap his long run with Samsung Galaxy phones for an iPhone instead.
Having said that, if you have a Samsung Galaxy 5G phone, you need to make sure you have the latest update installed. Samsung is better than most Android makers at releasing updates, but there is still some time between a component fix and one of its own updates. “My main message,” says Balmas, “is to update now to the latest operating system on your mobile.” Indeed, and keep doing the same.