The vulnerability was found by Check Point Research. UNISOC chips are in 11% of the world’s smartphones.
Check Point Research has identified what it’s calling a critical security vulnerability in UNISOC’s smartphone chip, which is responsible for cellular communication in 11% of the world’s smartphones. The vulnerability was found in the UNISOC modem firmware and not in the Android OS itself, the company said.
UNISOC, formerly Spreadtrum Communications, is a Shanghai-based semiconductor company that produces chipsets for mobile devices and smart TVs. Left unpatched, an attacker could exploit the vulnerability to remotely deny modem services and block communications.
What smartphone chips are compromised?
The flaw affects 4G and 5G UNISOC chipsets, and Google will likely be publishing the patch in the upcoming Android Security Bulletin, CPR said. The company disclosed its findings to UNISOC, which it said gave the vulnerability a rating of 9.4 out of 10. UNISOC has since patched the CVE-2022-20210 vulnerability.
The UNISOC modem is popular in Africa and Asia and is responsible for cellular communication. CPR found the vulnerability while conducting an analysis of the UNISOC baseband to find a way to remotely attack UNISOC devices, the company said in a blog post. CPR reverse-engineered the implementation of the LTE protocol stack to examine it for security flaws, the first time this was done, according to the company.
UNISOC, MediaTek and Qualcomm are the top three chip makers for Android devices, according to CPR. In the past three years, CPR has researched Qualcomm’s TrustZone, DSP and radio modem processors, as well as MediaTek’s TrustZone DSP.
Although UNISOC has been on the market for a long time, the chip firmware used in Android mobile phones has not been studied extensively, a CPR spokesperson said Wednesday. That was the impetus for testing it.
“If you look at the latest statistics, you can see that UNISOC’s sales have increased every quarter in the last year,” the CPR spokesperson said. “We think that hackers will soon turn their attention to UNISOC as [the chip becomes] more popular, as it happened with MediaTek and Qualcomm.”
Researchers scanned message handlers in the NAS protocol for a short period of time and found the vulnerability, which can be used to disrupt the device’s radio communication through a malformed packet. A hacker or military unit can leverage such a vulnerability to neutralize communications in a specific location, according to CPR.
The smartphone’s modem is a prime target for hacking
The smartphone’s modem is responsible for phone calls, SMS and mobile Internet. By attacking it, a hacker can block the modem’s functionality or gain the ability to listen to a user’s phone calls.
“The smartphone modem is a prime target for hackers as it can be easily reached remotely through SMS or a radio packet,” UNISOC said.
Modern smartphones are based on very complex chips, the company spokespersons added.
“The UNISOC chip contains a set of specialized processors to isolate the special features of the device, as well as reduce the load on the main processor that runs Android. Thus, the radio modem is represented on the chip by a separate processor and operating system.”
CPR used the Motorola Moto G20 with the Android January 2022 update as a test device. The device is based on the UNISOC T700 chip.
“An attacker could have used a radio station to send a malformed packet that would reset the modem, depriving the user of the possibility of communication,” Slava Makkaveev, a security researcher at Check Point Software, said in a statement. “There’s nothing for Android users to do right now, though we strongly recommend applying the patch that will likely be released by Google in their upcoming Android Security Bulletin.”
Check Point urges mobile users to always update their mobile phone OS to the latest available software.