A critical flaw in the LTE firmware of chips from the world's fourth-largest smartphone chip maker could be exploited over the air to block people's calls and deny them service.
The vulnerability was found in the baseband, or radio modem, of UNISOC chips by Check Point Research, whose team was looking for ways the silicon could be used to remotely attack devices. It turns out the flaw affects not only lower-tier smartphones but also some smart TVs built on the same chips.
Check Point found that an attacker can send a specially crafted radio packet to a nearby device to crash the modem firmware and terminate that device's cellular connection, most likely until the modem restarts. This is done by broadcasting over-the-air Non-Access Stratum (NAS) messages that, when received and processed by the UNISOC firmware, end up corrupting heap memory.
“We examined NAS message processors within a short period of time and found a vulnerability that could be used to disrupt the device’s wireless communications through a malformed packet,” the researchers wrote in a detailed and fascinating advisory this week.
“An intruder or a military unit could take advantage of this vulnerability to neutralize communications at a specific location.” They stressed that the flaw was in the firmware of the UNISOC chipset and not in the Android operating system.
UNISOC is a 21-year-old chip designer based in China that spent the first 17 years of its existence known as Spreadtrum Communications, and by 2011 was supplying chips for more than half of the country's mobile phones. In 2018 the company renamed itself UNISOC. Its chips are mostly found in smartphones sold in Asia and Africa, thanks to their low price.
According to market analyst firm Counterpoint, UNISOC is the world’s fourth largest smartphone chip company, after MediaTek, Qualcomm and Apple.
This is not the first time that UNISOC technology has come under scrutiny. In March, Kryptowire, a mobile security and privacy monitoring company, announced that it had discovered a vulnerability that, if exploited, would allow malicious actors to take control of a device's functionality and user data.
"The vulnerability allows hackers to access call and system logs, text messages, contacts and other private data, record video of a device's screen or use an external camera to record video, or even control the device remotely and alter or erase data," the Kryptowire researchers said. They added that they had reported the vulnerabilities to UNISOC, device manufacturers and affected carriers in December 2021.
In this latest discovery, Check Point researchers reverse-engineered UNISOC's implementation of the LTE protocol stack. LTE networks comprise multiple components and protocols that together make up the Evolved Packet System (EPS) architecture.
In its tests, Check Point used a Motorola Moto G20 running the January Android update. The smartphone is based on UNISOC's T700 chip.
Check Point's analysts focused on the signalling exchanged between cellular network equipment and people's devices as part of normal operation to stay connected and communicate. That data is carried in NAS messages. It turns out that a certain type of packet, an EPS Mobility Management (EMM) message carried within NAS, can trigger software errors in the firmware's NAS message handlers.
“The NAS protocol works with high-level structures,” the researchers wrote. “Therefore, it does not take much effort for an attacker to create a malformed EMM packet and send it to a target device. When a new NAS message arrives, the UNISOC modem analyzes it and creates internal objects based on the received data.”
Thus an attacker who can broadcast a malformed NAS message to a target could crash the modem remotely, resulting in a denial of service, or possibly achieve remote code execution and gain some control over the hardware.
Check Point disclosed the flaw, tracked as CVE-2022-20210, to UNISOC in May, and the chip biz produced a patch later that month. According to the security company, Google will roll out the fix in an upcoming Android Security Bulletin. Check Point recommends that users of UNISOC-based devices update their operating system to the latest version where possible.
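The failure mode described above, as an added illustration that is not Check Point's code nor UNISOC's firmware and does not claim to reproduce the actual CVE-2022-20210 bug: a toy walker over the information elements (IEs) of a plain LTE NAS EMM message, in a naive form that trusts each attacker-supplied length octet and a hardened form that bounds every access against the bytes actually received. The header layout (protocol discriminator 0x7 for EMM, message type 0x42 for ATTACH ACCEPT) follows 3GPP TS 24.301; the simplified TLV IE layout, the function names and the sample messages are constructed for this example.

```c
/* Added illustration (not Check Point's or UNISOC's code): naive vs. hardened
 * walking of the TLV information elements in a plain LTE NAS EMM message.
 * Header per 3GPP TS 24.301: octet 1 = security header type (upper nibble) +
 * protocol discriminator (lower nibble, 0x7 = EMM); octet 2 = message type
 * (0x42 = ATTACH ACCEPT). The IE layout below is a simplified tag/length/value
 * form, constructed for this example, not the exact mandatory-IE layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAS_PD_EMM 0x07

enum { EMM_OK = 0, EMM_ERR_HEADER = -1, EMM_ERR_TRUNCATED = -2 };

struct emm_msg {
    uint8_t sec_hdr;   /* security header type, upper nibble of octet 1 */
    uint8_t msg_type;  /* EMM message type, octet 2 */
    int ie_count;      /* TLV IEs found after the header */
    int overrun;       /* bytes a naive walker would read past the buffer */
};

/* Hardened: every length is checked against the bytes actually received,
 * and only plain (security header type 0) messages are accepted here. */
int emm_parse_hardened(const uint8_t *buf, size_t len, struct emm_msg *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2 || (buf[0] & 0x0f) != NAS_PD_EMM)
        return EMM_ERR_HEADER;
    out->sec_hdr = buf[0] >> 4;
    out->msg_type = buf[1];
    if (out->sec_hdr != 0)
        return EMM_ERR_HEADER;
    size_t pos = 2;
    while (pos < len) {
        if (len - pos < 2)              /* need both tag and length octets */
            return EMM_ERR_TRUNCATED;
        size_t ie_len = buf[pos + 1];
        if (ie_len > len - pos - 2)     /* value would extend past the message */
            return EMM_ERR_TRUNCATED;
        /* buf[pos+2 .. pos+2+ie_len) is now safe to copy into an internal object */
        out->ie_count++;
        pos += 2 + ie_len;
    }
    return EMM_OK;
}

/* Naive: trusts the length octet. To keep this demo itself memory-safe it
 * records how many bytes past the end a real copy would have touched
 * instead of performing the over-read. */
int emm_walk_naive(const uint8_t *buf, size_t len, struct emm_msg *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2 || (buf[0] & 0x0f) != NAS_PD_EMM)
        return EMM_ERR_HEADER;
    out->sec_hdr = buf[0] >> 4;
    out->msg_type = buf[1];
    size_t pos = 2;
    while (pos < len) {
        size_t ie_len = (pos + 1 < len) ? buf[pos + 1] : 0; /* guard exists only for the demo */
        size_t end = pos + 2 + ie_len;
        if (end > len) {                /* firmware would copy ie_len bytes here regardless */
            out->overrun = (int)(end - len);
            return EMM_OK;              /* and the naive code reports success anyway */
        }
        out->ie_count++;
        pos = end;
    }
    return EMM_OK;
}

/* Constructed samples: a well-formed ATTACH ACCEPT with two IEs, and the
 * same message with the last IE claiming 200 value bytes when 1 is present. */
const uint8_t sample_good[] = {0x07, 0x42, 0xA1, 0x02, 0x11, 0x22, 0xB2, 0x01, 0x33};
const uint8_t sample_bad[]  = {0x07, 0x42, 0xA1, 0x02, 0x11, 0x22, 0xB2, 0xC8, 0x33};

int hardened_result(const uint8_t *buf, size_t len)
{
    struct emm_msg m;
    return emm_parse_hardened(buf, len, &m);
}

int naive_overrun(const uint8_t *buf, size_t len)
{
    struct emm_msg m;
    emm_walk_naive(buf, len, &m);
    return m.overrun;
}

int main(void)
{
    printf("good: hardened=%d naive_overrun=%d\n",
           hardened_result(sample_good, sizeof sample_good),
           naive_overrun(sample_good, sizeof sample_good));
    printf("bad:  hardened=%d naive_overrun=%d\n",
           hardened_result(sample_bad, sizeof sample_bad),
           naive_overrun(sample_bad, sizeof sample_bad));
    return 0;
}
```

The point of the contrast is that both walkers agree on the well-formed message, and only the length checks separate a rejected packet from a 199-byte out-of-bounds copy; in a real baseband that copy lands in a heap or stack object the modem allocated from the received data, which is exactly where an over-the-air crash, or worse, comes from.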
“The smartphone modem is a prime target for hackers as it can be easily accessed remotely through SMS or radio packets,” the researchers wrote.
All of this feeds a booming mobile security market, which analysts Allied Market Research say will grow from $3.3 billion in 2020 to $22.1 billion in 2030, driven largely by the rise in online mobile payments, the use of portable devices for tasks that involve sensitive information such as bank details, credit card numbers and Social Security numbers, and the continued adoption of Bring Your Own Device (BYOD) policies in the workplace. ®