UNISOC phone chip firmware vulnerable to remote crash • The Register


A critical flaw in the LTE firmware of the world’s fourth-largest smartphone chipmaker could be exploited over the air to disrupt a device’s cellular communications and deny it service.

The vulnerability in UNISOC’s baseband – or radio modem – chipset was discovered by Check Point Research while exploring ways to attack devices remotely through their silicon. The flaw affects not only low-end smartphones but also some smart TVs.

Check Point found that attackers could transmit a specially crafted radio packet to a nearby device to crash the modem firmware, cutting off that device’s cellular connectivity, presumably until it was restarted. This is done by broadcasting Non-Access Stratum (NAS) messages over the air which, once received and processed by the UNISOC firmware, cause a heap memory overwrite.

“We scanned the NAS message handlers in a short period of time and found a vulnerability that can be used to disrupt the device’s radio communication via a malformed packet,” the researchers wrote in a detailed and fascinating advisory this week.

“A hacker or a military unit can take advantage of such a vulnerability to disable communications in a specific location.” They pointed out that the flaw was in the UNISOC chipset firmware and not in the Android operating system.

UNISOC is a 21-year-old chip designer based in China that spent the first 17 years of its life as Spreadtrum Communications and by 2011 supplied chips for more than half of the country’s mobile phones. In 2018, the company changed its name to UNISOC. Its chips are mainly found in smartphones sold in Asia and Africa because its silicon is cheap.

UNISOC is the world’s fourth largest smartphone chipmaker, behind MediaTek, Qualcomm and Apple, according to market analyst firm Counterpoint.

This is not the first time that UNISOC technology has come under scrutiny. In March, Kryptowire, a mobile security and privacy monitoring company, announced that it had discovered a vulnerability that, if exploited, would allow bad actors to take control of a device’s functionality and the user data it contains.

“The vulnerability allows intruders to access call and system logs, SMS, contacts and other private data, record video on the device screen or use the external camera to record video, or even take control of the device remotely, by modifying or erasing data,” Kryptowire researchers said, adding that in December 2021 they disclosed the vulnerability to UNISOC and to the manufacturers and carriers of affected devices.

In this latest discovery, Check Point researchers reverse engineered UNISOC’s LTE protocol stack implementation. An LTE network comprises several components and protocols that together form the Evolved Packet System (EPS) architecture.

In its testing, Check Point used a Motorola Moto G20 device with the January Android update. The smartphone is based on UNISOC’s T700 chip.

Check Point analysts focused on the signalling exchanged between cellular network equipment and users’ devices to keep them registered and connected. That data is carried in NAS messages. It turns out that a specific type of packet – an EPS Mobility Management (EMM) message – can trigger bugs in the firmware’s NAS handlers.

“The NAS protocol works with high-level structures,” the researchers wrote. “Therefore, an attacker does not require much effort to create a malformed EMM packet and send it to a target device. When a new NAS message arrives, the UNISOC modem analyzes it and creates internal objects based on the data received.”

An attacker could thus, by broadcasting a malformed NAS message, remotely crash the modem, leading to a denial of service – or possibly remote code execution, which would give the attacker some control over the device.
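To make the bug class concrete, here is an added illustration of how an NAS EMM decoder can be tripped by a malformed information element, with the bounds check that stops it. This is example code written for this article; it is not UNISOC’s firmware, not Check Point’s proof of concept, and it does not reproduce the actual CVE-2022-20210 defect. The framing (protocol discriminator, message type, then TLV information elements) follows 3GPP TS 24.301; the IEI value 0x43, the 16-byte field size, the `ue_ctx` struct and the two constructed messages are hypothetical.

```c
/* Toy NAS EMM decoder (added example, not UNISOC code). Shows a TLV
 * information element whose attacker-chosen length is copied into a
 * fixed-size field of a heap object, and the check that rejects it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EMM_PD       0x07  /* protocol discriminator: EPS mobility management (TS 24.301) */
#define IEI_NETNAME  0x43  /* hypothetical IEI for a TLV "network name" element */
#define NETNAME_MAX  16    /* hypothetical capacity of the field in the modem's object */

/* Hypothetical internal object the modem builds from a received message.
 * `neighbour` stands in for whatever happens to follow the field in memory. */
struct ue_ctx {
    uint8_t net_name[NETNAME_MAX];
    uint8_t neighbour[64];
    uint8_t net_name_len;
};

/* Returns 0 if the message was accepted, -1 if rejected. With hardened == 0
 * the element length is trusted, so a long element overwrites past net_name. */
static int decode_emm(const uint8_t *msg, size_t len, struct ue_ctx *ctx, int hardened)
{
    if (len < 2 || (msg[0] & 0x0f) != EMM_PD)
        return -1;
    size_t pos = 2;                         /* skip security header/PD and message type */
    while (pos < len) {
        uint8_t iei = msg[pos++];
        if (pos >= len)                     /* truncated TLV: no length octet */
            return -1;
        uint8_t ie_len = msg[pos++];
        if (hardened && ie_len > len - pos) /* length claims more than the packet holds */
            return -1;
        if (iei == IEI_NETNAME) {
            if (hardened && ie_len > NETNAME_MAX)
                return -1;                  /* does not fit the field: reject the message */
            uint8_t *dst = (uint8_t *)ctx + offsetof(struct ue_ctx, net_name);
            for (size_t i = 0; i < ie_len && pos + i < len; i++)
                dst[i] = msg[pos + i];      /* unchecked copy runs into `neighbour` */
            ctx->net_name_len = ie_len;
        }
        pos += ie_len;
    }
    return 0;
}

/* Constructed messages (not captured traffic): message type 0x42 is Attach
 * Accept in TS 24.301. The evil one claims 40 bytes for a 16-byte field. */
static size_t build_msg(int evil, uint8_t *buf)
{
    buf[0] = EMM_PD; buf[1] = 0x42; buf[2] = IEI_NETNAME;
    size_t n = evil ? 40 : 5;
    buf[3] = (uint8_t)n;
    memset(buf + 4, 'A', n);
    return 4 + n;
}

/* Decodes the chosen message into a fresh heap object and reports how many
 * bytes of `neighbour` were overwritten (0 means the field held). */
static int clobber_count(int evil, int hardened)
{
    uint8_t buf[64];
    size_t len = build_msg(evil, buf);
    struct ue_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return -1;
    decode_emm(buf, len, ctx, hardened);
    int n = 0;
    for (size_t i = 0; i < sizeof ctx->neighbour; i++)
        if (ctx->neighbour[i] != 0) n++;
    free(ctx);
    return n;
}

/* 1 if the decoder accepted the chosen message, 0 if it rejected it. */
static int accepted(int evil, int hardened)
{
    uint8_t buf[64];
    size_t len = build_msg(evil, buf);
    struct ue_ctx ctx = {0};
    return decode_emm(buf, len, &ctx, hardened) == 0;
}

int main(void)
{
    printf("vulnerable: accepted=%d clobbered=%d\n", accepted(1, 0), clobber_count(1, 0));
    printf("hardened:   accepted=%d clobbered=%d\n", accepted(1, 1), clobber_count(1, 1));
    printf("benign:     accepted=%d clobbered=%d\n", accepted(0, 1), clobber_count(0, 1));
    return 0;
}
```

In the unhardened path the 40-byte element lands 16 bytes in `net_name` and 24 bytes in the neighbouring region; in real firmware that region is whatever the allocator placed next on the heap, which is why the outcome ranges from a modem crash to something more controllable. The hardened path checks the element length against both the remaining packet and the field capacity before copying, and drops the message rather than truncating it.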

Check Point disclosed the flaw – which is tracked as CVE-2022-20210 – to UNISOC in May, and the chip designer produced a patch later that month. According to the cybersecurity company, Google will roll out this patch in its next Android security bulletin. Check Point recommends that users update the operating system on their UNISOC-powered devices to the latest version, if possible.

“The smartphone’s modem is a prime target for hackers because it can be easily reached remotely via text message or packet radio,” the researchers wrote.

The result can be seen in the booming mobile security market, which analyst firm Allied Market Research predicts will grow from $3.3 billion in 2020 to $22.1 billion in 2030, driven largely by the increase in online mobile payments, the use of mobile devices for tasks that involve sensitive information – such as banking details and credit card and social security numbers – and the continued adoption of bring your own device (BYOD) policies in the workplace. ®

