Check Point's Slava Makkaveev published a blog post on Thursday highlighting a security flaw in Qualcomm's Mobile Station Modem Interface "that can be used to control the modem and dynamically patch it from the application processor."
"An attacker can use such a vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user's call history and SMS, as well as the ability to listen to the user's conversations," Makkaveev wrote.
"A hacker can exploit the vulnerability to unlock the SIM, thereby overcoming the limitations of the service providers imposed on the mobile device," he added, explaining that the Qualcomm Mobile Station Modem Interface enables the chip to communicate with the operating system found within the smartphone.
The Check Point report noted that the Qualcomm Mobile Station Modem Interface can be found in an estimated 30% of all smartphones out in the world today. Thankfully, Check Point notified Qualcomm of the vulnerability in October; Qualcomm then tracked it as CVE-2020-11292 and labeled it a "high rated vulnerability."
Patches were sent to smartphone makers in the fall of 2020, a Qualcomm spokesperson told ZDNet.
"We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available," a Qualcomm spokesperson added.
According to Qualcomm, all manufacturers were notified of the vulnerability in October 2020, and fixes were made available by December 2020, so many have already issued security updates to end users. The vulnerability will also be included in the public Android bulletin in June, the spokesperson noted.
The chip has been in cellphones and smartphones since the 1990s and has been continuously updated over the years to support the transitions from 2G to 3G, 4G, and now 5G. Samsung, Xiaomi, Google, and OnePlus are just a few of the smartphone brands leveraging the chip.
Setu Kulkarni, vice president of strategy at WhiteHat Security, said this was one of many examples of the "supply chain" nature of the problem plaguing mobile phone vendors, Qualcomm, the Android OS, and the apps on the Play Store.
"Making it all work together requires careful synchronization in terms of versions and supported capabilities between the mobile phones, the chipset, the OS, and the apps -- and that's where the cracks are for vulnerabilities to slip through," Kulkarni said. "Especially since there is no one throat to choke in these kinds of issues."
Even though Qualcomm has patched the issue, Kulkarni questioned who is holding the other parties in the ecosystem to account for the issue.
The proliferation of Android-based devices presents a scalability challenge for deploying the fix, and at the same time end users are completely unable to understand the issue, Kulkarni added.
"Which customer will understand the issue in the chipset? One may wonder, is that why Apple is increasingly becoming a closed ecosystem? With control over the device, the chipset, the OS, and the highly regulated App Store -- does Apple stand a better chance to protect its customers in such events? Time will tell," Kulkarni explained.