While the ongoing global chip shortage, which has spread from automobile companies and mobile phone manufacturers to the home appliance industry, affects consumers indirectly by slowing production and raising production costs, chip security vulnerabilities have a direct and serious impact on users' privacy and data. After delaying chip deliveries for 7 months due to production capacity issues, Qualcomm is now facing a new round of crisis.
After the May Day holiday, overseas security company Check Point Research discovered a vulnerability in Qualcomm's modem (MSM) chip. The modem chip is mainly responsible for a phone's communication functions and is a system-on-chip (a complete system integrated on a single chip) with 2G, 3G, 4G, and 5G capabilities. In other words, users rely on the modem chip to send text messages, make calls, and access the Internet on their phones. Once a vulnerability appears in the modem chip, hackers or network attackers can exploit it through the Android system to launch attacks and inject malicious, invisible code. Once a device is targeted, the user's text messages, call logs and call information are exposed, and attackers can even unlock the device's subscriber identity module (SIM), which stores the user's network authentication information and contact information.

Publicly available data indicates that about 40% of mobile phones in the global market use Qualcomm chips, including phones from manufacturers such as Google, Samsung, Xiaomi, OPPO, vivo, and OnePlus. This means that nearly half of the world's mobile phone users may face the risk of privacy leakage, remote monitoring, frozen phones, and data loss.

What exactly is this mobile phone chip vulnerability? Can the risk be resolved simply by applying a software patch? The situation may not be that optimistic; it is more likely that the problem cannot be resolved at all.

Riddled with vulnerabilities

This isn't the first time Qualcomm has been hit by a chip vulnerability. In 2020, research presented at the DEFCON Global Hacker Conference showed that there were six serious vulnerabilities in Qualcomm's mobile chips, which would affect tens of thousands of Android smartphones and tablets.
Cybersecurity researchers also found that the vulnerabilities were mainly in Qualcomm's DSP (digital signal processor) chip, which converts inputs such as voice, video, and GPS location sensor readings into computable data, and which handles real-time request processing between the user's Android system and the Qualcomm processor hardware. If there is a defect in the DSP, hackers can arbitrarily collect and access users' photos, videos, call records, real-time microphone data, GPS location information, and more.

Imagine that a user's location, the photos and videos they take, and even the content of their conversations picked up by the microphone are all fully visible to remote hackers and network attackers. In serious cases, hackers may damage the target phone, remotely turn on the user's microphone, implant malware that the phone cannot detect at all, launch a denial-of-service attack, freeze the phone, and use the data on the phone at will.

It is worth noting that there are more than 400 vulnerable pieces of code on Qualcomm DSP chips. As long as manufacturers and users do not take any intervention measures, the mobile phone may become a "spy tool."

Unlike the 2020 case, however, Qualcomm's latest vulnerability appeared in modem chips. As mentioned earlier, the modem is responsible for the communication function of the mobile phone. For example, as phones on the market are gradually upgraded to 5G, their 5G performance, signal reception and related functions depend to a large extent on the performance of the modem chip. As with the DSP chip vulnerability, hackers implant malicious code into the modem chip through the Android system, allowing cybercriminals to easily explore manufacturers' latest 5G code. Where in the chip the code is injected determines which functions are affected.
For example, because the modem chip mainly handles a phone's call functions, an attack on it can access the user's call history, monitor the user's conversations, unlock the phone's SIM card, and bypass the controls of telecom operators. In any case, these chip vulnerabilities will have a great impact on users' privacy and property security. Some people say that chip companies can completely prevent these vulnerabilities from being exploited by criminals by releasing patches, but in practice this is not easy to do.

A problem that may have no solution

After the chip vulnerability was announced by a third-party organization, Qualcomm refused to comment and instead issued a statement saying that it is verifying the problem and providing appropriate mitigations to OEM manufacturers, that there is currently no evidence that these vulnerabilities are being exploited, and that it encourages users to update their devices with the available patches. Qualcomm's statement implicitly acknowledged the existence of these high-risk vulnerabilities.

In fact, Qualcomm had noticed the DSP chip vulnerability in 2020, long before the third-party organization discovered it. In July of the same year it developed a patch for a flaw that could be used to crack some WPA2-encrypted wireless networks, and in December it again released patches for some vulnerabilities. But even if Qualcomm releases a patch, the effect will not be satisfactory. To quote Yaniv Balmas, head of research at Check Point, “These chip vulnerabilities have left hundreds of millions of phones around the world vulnerable, and patching them is an impossible task.”

On the one hand, these patches are mainly for users who upgrade to the new Android system, and users of old Android versions are not protected. According to Stat Counter data, about 19% of Android phones in the world run the Android Pie 9.0 operating system released by Google in August 2018, and more than 9% of users' phones run the Android 8.1 Oreo operating system released by Google in December 2017.
A considerable number of Android phone users are running old versions. On the other hand, Qualcomm is only one link in the entire chip security chain, and a fix also needs the cooperation of the OEMs, namely mobile phone manufacturers, and of Google. Qualcomm needs to fix the vulnerabilities in its chips and operating hardware first, and then either deliver the fixed parts to mobile phone manufacturers or hand the fix over to them. It is not enough for Qualcomm to complete the patch: there is great uncertainty about how mobile phone manufacturers will ensure that the patch is integrated into phones that are being assembled or are already circulating on the market.

As we all know, mobile phone manufacturers are slow to update the system. For example, after Google released the stable version of Android 10 in 2019, most users needed at least one year to transition to the new system. If the phone's version is too old or the service policy is different, some phones cannot update to the latest system at all. Although Google develops the mobile phone system, it cannot directly push the latest system and patches to mobile phone users.

More importantly, the complexity of the chip means that the vulnerability cannot be "cured". Take DSP chips as an example. A DSP chip is like the "black box" of a mobile phone: it is difficult for anyone other than the chip manufacturer to examine how it works, and difficult for security personnel to test it. Therefore, there are likely to be many mature and unknown security vulnerabilities on DSP chips. At the same time, DSP chips carry many innovative features of modern mobile phones, including fast charging and multimedia functions, and are easily targeted by hackers. Even if users upgrade their phones and fix the known vulnerabilities, it will not solve the problem. In 2021, Qualcomm's chip vulnerability appeared in the modem chip.
Compared with the DSP, the modem is even more complex, with thousands of lines of code. There is reason to believe that old code from two or three years ago still exists on current chip models. Hackers can use the old code as a breakthrough point to attack phones and steal information.

As solving chip vulnerabilities is becoming an impossible task, users should either switch to Apple phones, which have their own operating system and chips and a relatively closed ecosystem, or be wary of downloading and installing applications from unknown sources. To a certain extent, the companies behind Android phones, including chip manufacturers, phone manufacturers, and operating system manufacturers, should prioritize user data security and work together to find security solutions that balance the interests of all parties.