UNISOC may not be the first name that comes to mind when you think of Android chip makers, but it is actually a bigger player than Samsung and Huawei. UNISOC chips were found in 11 percent of phones shipped in the fourth quarter of 2021, making it the fourth largest supplier. The company makes affordable chips that power many popular budget phones intended for Asia and Africa. Check Point Research (CPR)
has found a vulnerability in UNISOC chips that leaves telephone communications open to remote attack.
Perhaps because UNISOC has been overshadowed by Qualcomm and MediaTek, the chip firmware it ships in Android smartphones has not been studied extensively, which is probably why this vulnerability went undetected for so long.
Because a smartphone's modem is reachable remotely, via SMS or a radio packet, it is a frequent target for attackers. CPR analysed the UNISOC baseband and found a flaw that could be used to disrupt communications.
The Evolved Packet System (EPS), the high-level architecture of Long-Term Evolution (LTE), has three main components: the user equipment (UE), in this case a smartphone; the evolved UMTS terrestrial radio access network (E-UTRAN); and the Evolved Packet Core (EPC). All three are interconnected.
E-UTRAN consists of base stations, the eNodeBs, which relay communication between the UE and the EPC. One of the EPC's components is the Mobility Management Entity (MME), which controls the high-level operations of phones in the LTE network.
The UE and the MME talk to each other using the EPS Session Management (ESM) and EPS Mobility Management (EMM) protocols, both of which are carried in the Non-Access Stratum (NAS).
The problem is that NAS messages arrive over the air and are parsed directly by the modem firmware, so a malformed EMM message is a direct attack surface. CPR found that a crafted EMM packet can crash the UNISOC modem in the target device, which means at minimum a Denial of Service (DoS) and potentially Remote Code Execution (RCE) inside the baseband.
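To make the bug class concrete, here is an added example that is not code from the page, from CPR or from UNISOC: a minimal parser for the information elements (IEs) of a plain EMM message, written once without length checks and once with them. The header layout (protocol discriminator and security header type in byte 0, message type in byte 1, then tag/length/value IEs) follows the general NAS format; the IE tags, the 16-byte value buffer and the sample packets are constructed for the illustration and are not the specific UNISOC flaw.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Plain (unciphered) NAS EMM message:
 *   byte 0: low nibble = protocol discriminator (0x7 = EMM),
 *           high nibble = security header type (0 = plain)
 *   byte 1: message type
 *   then information elements; the ones handled here are TLV: tag, length, value */
#define NAS_PD_EMM        0x07
#define NAS_SEC_HDR_PLAIN 0x00
#define IE_VALUE_MAX      16   /* hypothetical fixed-size buffer inside the modem */

typedef struct {
    uint8_t tag;
    uint8_t len;
    uint8_t value[IE_VALUE_MAX];
} nas_ie_t;

static int header_ok(const uint8_t *msg, size_t msg_len) {
    return msg_len >= 2 && (msg[0] & 0x0F) == NAS_PD_EMM && (msg[0] >> 4) == NAS_SEC_HDR_PLAIN;
}

/* Vulnerable: trusts the length byte that came over the air. An IE claiming more
 * than IE_VALUE_MAX bytes overruns value[], and an IE claiming more than is left in
 * the packet reads past the received buffer. A corrupted modem crashes (DoS); a
 * controlled overwrite is the road to RCE. Illustrative only, not UNISOC's code. */
int parse_emm_ies_vulnerable(const uint8_t *msg, size_t msg_len, nas_ie_t *out, size_t max_out) {
    if (!header_ok(msg, msg_len)) return -1;
    size_t pos = 2, n = 0;
    while (pos < msg_len && n < max_out) {
        out[n].tag = msg[pos];
        out[n].len = msg[pos + 1];
        memcpy(out[n].value, &msg[pos + 2], out[n].len);   /* length never checked */
        pos += 2 + out[n].len;
        n++;
    }
    return (int)n;
}

/* Hardened: every length is validated against both the destination buffer and the
 * bytes actually received before it is used; anything inconsistent is rejected. */
int parse_emm_ies_checked(const uint8_t *msg, size_t msg_len, nas_ie_t *out, size_t max_out) {
    if (!header_ok(msg, msg_len)) return -1;
    size_t pos = 2, n = 0;
    while (pos < msg_len) {
        if (n >= max_out)            return -1;   /* more IEs than we can store */
        if (msg_len - pos < 2)       return -1;   /* truncated tag/length */
        uint8_t tag = msg[pos], len = msg[pos + 1];
        if (len > IE_VALUE_MAX)      return -1;   /* would overrun value[] */
        if (len > msg_len - pos - 2) return -1;   /* claims more bytes than received */
        out[n].tag = tag;
        out[n].len = len;
        memcpy(out[n].value, &msg[pos + 2], len);
        pos += 2 + len;
        n++;
    }
    return (int)n;
}

/* Constructed sample packets (message type and IE tags are arbitrary). */
static const uint8_t PKT_OK[]        = {0x07, 0x42, 0x5C, 0x03, 0xAA, 0xBB, 0xCC, 0x5D, 0x01, 0x01};
static const uint8_t PKT_OVERSIZED[] = {0x07, 0x42, 0x5C, 0xFF, 0xAA, 0xBB};   /* len 255 in a 6-byte packet */
static const uint8_t PKT_TRUNCATED[] = {0x07, 0x42, 0x5C, 0x05, 0xAA};         /* len 5, only 1 value byte */

int check_packet_ok(void)            { nas_ie_t ies[4]; return parse_emm_ies_checked(PKT_OK, sizeof PKT_OK, ies, 4); }
int check_packet_oversized(void)     { nas_ie_t ies[4]; return parse_emm_ies_checked(PKT_OVERSIZED, sizeof PKT_OVERSIZED, ies, 4); }
int check_packet_truncated(void)     { nas_ie_t ies[4]; return parse_emm_ies_checked(PKT_TRUNCATED, sizeof PKT_TRUNCATED, ies, 4); }
int vulnerable_packet_ok(void)       { nas_ie_t ies[4]; return parse_emm_ies_vulnerable(PKT_OK, sizeof PKT_OK, ies, 4); }
int checked_first_value_byte(void) {
    nas_ie_t ies[4];
    if (parse_emm_ies_checked(PKT_OK, sizeof PKT_OK, ies, 4) < 1) return -1;
    return ies[0].value[0];
}

int main(void) {
    printf("well-formed packet, checked parser:   %d IEs\n", check_packet_ok());
    printf("oversized IE, checked parser:         %d (rejected)\n", check_packet_oversized());
    printf("truncated IE, checked parser:         %d (rejected)\n", check_packet_truncated());
    printf("well-formed packet, vulnerable parser: %d IEs\n", vulnerable_packet_ok());
    /* The vulnerable parser is deliberately not run on the crafted packets:
     * on PKT_OVERSIZED it would memcpy 255 bytes into a 16-byte buffer. */
    return 0;
}
```

Both parsers agree on a well-formed packet, which is exactly why this kind of bug survives testing: only a crafted message exercises the missing checks. Feeding PKT_OVERSIZED to the vulnerable parser copies 255 bytes into a 16-byte field and reads far past the 6-byte packet; the checked parser rejects it before touching memory, and also rejects an IE whose declared length exceeds what was actually received.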
CPR used a Motorola Moto G20, built around the UNISOC T700 and running the January 2022 security patch, as its test device. By tampering with the NAS message data they triggered the flaw and crashed the modem, a working DoS attack.
CPR warns that a hacker or a military unit could leverage such vulnerabilities to "neutralize communications in a specific location".
UNISOC was notified of the baseband issue in May 2022 and patched it quickly. Google is expected to publish the fix in an upcoming Android security bulletin.
Every other day we hear about one loophole or another, so keep your phone up to date with security patches. Services like ExpressVPN
help protect your traffic on the network, but bear in mind that a VPN cannot defend against a baseband flaw like this one, which sits below the operating system; only the vendor's firmware patch fixes it.