Critical flaw found inside the UNISOC smartphone chip

The vulnerability was discovered by Check Point Research. UNISOC processes 11% of the world’s smartphones.

Check Point Research has identified what it is calling a critical security vulnerability in UNISOC’s smartphone chip, which is responsible for cellular communication in 11% of the world’s smartphones. The vulnerability was found in the UNISOC modem firmware and not in the Android OS itself, the company said.

UNISOC, formerly Spreadtrum Communications, is a Shanghai-based semiconductor company that produces chipsets for mobile devices and smart TVs. Left unpatched, an attacker could exploit the vulnerability to remotely deny modem services and block communications.

What smartphone chips are compromised?

The flaw affects 4G and 5G UNISOC chipsets, and Google will be publishing the patch in the upcoming Android Security Bulletin, CPR said. The company disclosed its findings to UNISOC, which it said gave the vulnerability a score of 9.4 out of 10. UNISOC has since patched the CVE-2022-20210 vulnerability.

SEE: Mobile device security policy (TechRepublic Premium)

The UNISOC modem is popular in Africa and Asia and is responsible for cellular communication. CPR found the vulnerability while conducting an analysis of the UNISOC baseband to find a way to remotely attack UNISOC devices, the company said in a blog post. CPR reverse-engineered the implementation of the LTE protocol stack for an examination of security flaws, the first time this was done, according to the company.

UNISOC, MediaTek and Qualcomm are the top three chip makers for Android devices, according to CPR. In the past three years, CPR has researched Qualcomm’s TrustZone, DSP and radio modem processors, as well as MediaTek’s TrustZone DSP.

Even though UNISOC has been on the market for a long time, the chip firmware used in Android mobile phones has not been studied extensively, a CPR spokesperson said Wednesday. That was the impetus for testing it.

“If you look at the latest statistics, you can see that UNISOC’s sales have increased every quarter in the last year,’’ the CPR spokesperson said. “We think that hackers will soon turn their attention to UNISOC as [the chip becomes] more popular, as it happened with MediaTek and Qualcomm.”

Researchers scanned message handlers in the NAS protocol for a short period of time and found the vulnerability, which can be used to disrupt the device’s radio communication through a malformed packet. A hacker or military unit can leverage such a vulnerability to neutralize communications in a specific location, according to CPR.

The smartphone’s modem is a prime target for hacking

The smartphone’s modem is responsible for phone calls, SMS and mobile Internet. By attacking it, a hacker can block the modem’s functionality or gain the ability to listen in on a user’s phone calls.

“The smartphone modem is a prime target for hackers as it can be easily reached remotely through SMS or a radio packet,” UNISOC said.

Modern smartphones are based on very complex chips, the company spokespersons added.

“The UNISOC chip contains a set of specialized processors to isolate the special features of the device, as well as reduce the load on the main processor that runs Android. Thus, the radio modem is represented on the chip by a separate processor and operating system.”

CPR used the Motorola Moto G20 with the Android January 2022 update as a test device. The device is based on the UNISOC T700 chip.

“An attacker could have used a radio station to send a malformed packet that would reset the modem, depriving the user of the possibility of communication,’’ Slava Makkaveev, a security researcher at Check Point Software, said in a statement. “There is nothing for Android users to do right now, though we strongly recommend applying the patch that will be released by Google in their upcoming Android Security Bulletin.”

Check Point urges mobile users to always update their mobile phone OS to the latest available software.