Hackers could disrupt millions of smartphones by exploiting this critical vulnerability

A serious vulnerability present in more than a tenth of the world’s mobile phones could allow threat actors to kill all communications in a certain location, researchers have found.

Security analysts from Check Point Research (CPR) found the flaw in the UNISOC modem which, as the researchers claim, can be found in 11% of all the smartphones in the world (predominantly in Africa and Asia). 

The modem allows for cellular communication, and by leveraging the flaw, the attacker can remotely deny modem services and block communication.

Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Critical UNISOC modem vulnerability

The flaw is now being tracked as CVE-2022-20210, and carries a vulnerability score of 9.4 out of 10 as a reflection of its severity.

According to CPR, the vulnerability was discovered in NAS message handlers, which could be used to disrupt radio communication through a malformed packet. Apparently, military or state-sponsored hackers would be able to use it to kill all communications in specific locations. 

Since the discovery of the flaw, a patch has been issued, and all smartphone users are urged to keep their devices up to date at all times. 

“There is nothing for Android users to do right now, though we strongly recommend applying the patch that will be released by Google in their upcoming Android Security Bulletin,” said Slava Makkaveev, Reverse Engineering & Security Research at Check Point Software. 

Although not as high-profile as software flaws, hardware flaws are just as frequent, and just as dangerous. Earlier this month, a security flaw was discovered in Qualcomm’s MSM chips, which could have allowed threat actors to access SMS messages and phone conversations in a third of the world’s Android endpoints. 

This vulnerability, tracked as CVE-2020-11292, was also discovered by Check Point Research, who discovered it while using a process known as fuzzing to test Qualcomm’s mobile station modem (MSM) for flaws in its firmware.