Qualcomm modem vulnerability exposes 30 percent smartphones worldwide to hackers: Check Point

Qualcomm modem flaw puts hundreds of millions of smartphones globally at risk.

Highlights
  • A new flaw has been discovered in Qualcomm’s Mobile Station Modem
  • The flaw enables hackers to gain access to text messages, phone calls, and in some cases even unlock your SIM card
  • Xiaomi, Google, LG, Samsung, OnePlus, and more phones with the latest Qualcomm chipsets are affected by the flaw

A flaw has been discovered in Qualcomm’s Mobile Station Modem that affects millions of Android phones worldwide, according to Israeli security firm Check Point Research. Hackers can apparently exploit the vulnerability and get access to text messages, phone calls, and in some cases even unlock your SIM card. Check Point’s report says that the Mobile Station Modem is an integral part of Qualcomm’s chip dating back to the early 1990s and still a part of some of the latest 5G chipsets.  It can be found on some of the latest phones from Xiaomi, Google, LG, Samsung, OnePlus, and more. This means it should affect a majority of Android smartphones worldwide.

The research firm estimates that up to 30 percent of all Android phones have the Qualcomm modem software that has this vulnerability. The report further tells us that hackers can exploit the vulnerability to “inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations.” As said, attackers can exploit the vulnerability to unlock the SIM card and overcome any limitations set by service providers.

Qualcomm Snapdragon 400 Series 5G Processor

Qualcomm is aware of the vulnerability and has already issued a fix. In a statement, the San Diego chipset maker’s representative said, “Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end-users to update their devices as patches become available.”

However, the catalogue number assigned to the vulnerability — CVE-2020-11292 — is not included in any Android security published since 2020, but there are chances that Google may have included it in a security update without mentioning it in the bulletin. According to a Qualcomm spokesperson, the company will address it in the June 2021 security update.

While it isn’t clear if all affected devices have been patched, a Check Point representative has told Tom’s Guide, “From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat.”