The chip is found in 11 percent of all smartphones
Attackers can use the vulnerability to reset the modem and block the user’s cellular communication. Check Point strongly recommends updating the operating system.
Check Point Research (CPR) has found a critical security vulnerability in UNISOC’s smartphone chip, which is responsible for mobile communications in 11 percent of all smartphones worldwide and is rated 9.4 (critical) by the experts. If the vulnerability remains open, an attacker could exploit it to neutralize or block communication. The investigation by the specialist department of Check Point Software Technologies marks the first time that the UNISOC chip has been recreated to analyze the security vulnerabilities.
CPR checked the NAS message handlers within a short time and found a security vulnerability that can be used to interfere with the radio communication of the device by a corrupted packet. A hacker or a military unit can take advantage of such a vulnerability to neutralize communications in a certain place. Check Point strongly advises mobile phone users to always update their operating system to the new available software.
Slava Makkaveev, Reverse Engineering &Security Research Attorney at Check Point Software Technologies, explain:
Slava Makkaveev, security researcher at Check Point
“We are the first to have examined the UNISOC modem for vulnerabilities and found a vulnerability in the modem, which was installed in 11 percent of smartphones. An attacker could have used a radio station to send a malicious packet that resets the modem and deprives the user of the possibility of communication. If the vulnerability is not remedied, the mobile communication can be blocked by an attacker. The vulnerability is in the modem firmware, not in the Android operating system itself, and affects 4G and 5G UNISOC chipsets. Android users can’t do anything at the moment, but we strongly recommend applying the patch, which will be released by Google in its upcoming Android Security Bulletin.“
CPR responsibly reported these findings to the company UNISOC in May 2022 and rated the vulnerability with a grade of 9.4 (critical). UNISOC has released a patch called CVE-2022-20210. Google has announced that the patch will be released in the upcoming Android Security Bulletin.