Critical UNISOC chip vulnerability affects millions of Android smartphones

0
27

A critical security flaw has been discovered in UNISOC’s smartphone chipset that could potentially be used as a weapon to disrupt a smartphone’s radio communications through a deformed packet.

“A hacker or a military unit can use such a vulnerability to neutralize communications in a specific location,” Israeli cybersecurity firm Check Point said in a press release. report shared with The Hacker News. “The vulnerability is in the modem firmware, not in the Android operating system itself.”

UNISOC, a semiconductor company based in Shanghai, is the world’s fourth largest mobile processor manufacturer after Mediatek, Qualcomm and Apple, accounting for 10% of all SoC shipments in Q3 2021, according to counterpoint research

The now patched issue has been given the identifier CVE-2022-20210 and is rated 9.4 out of 10 for the severity of the CVSS vulnerability scoring system.

In a nutshell, the vulnerability – discovered after reverse engineering UNISOC’s LTE protocol stack implementation – relates to a case of buffer overflow vulnerability in the component that Non-Access LayerNAS) messages in the modem firmware, resulting in denial of service.

To reduce the risk, it is recommended that users update their Android devices to the latest available software as soon as it becomes available as part of Google’s Android Security Bulletin for June 2022.

“An attacker could have used a radio station to send a malformed packet that would reset the modem, depriving the user of communication,” said Check Point’s Slava Makkaveev.

This isn’t the first time UNISOC chipsets have come under the scanner. In March 2022, mobile security company Kryptowire disclosed a critical security flaw (CVE-2022-27250CVSS score: 9.8) which, if exploited, could allow malicious actors to take control of user data and device functionality