UNISOC may not be the first name that comes to mind when you think of Android chip makers, but it is actually a bigger player than Samsung and Huawei. UNISOC chips were found in 11 percent of the phones shipped in Q4 2021, making it the fourth-largest supplier. The company makes affordable chips that are found in many popular budget phones intended for Asia and Africa. Check Point Research (CPR) has found a vulnerability in UNISOC chips that allows an attacker to disrupt a phone's cellular communications remotely.
Perhaps because UNISOC has been overshadowed by vendors such as Qualcomm and MediaTek, the chip firmware it ships in Android smartphones has not been researched thoroughly, which is probably why this vulnerability went unnoticed for so long.
Since a smartphone's modem is reachable remotely, via SMS or an over-the-air radio packet, it is a frequent target. CPR analysed the UNISOC baseband and discovered a flaw that could be used to block communication.
The Evolved Packet System (EPS), the high-level architecture of Long-Term Evolution (LTE), consists of three main components, all interconnected: the user equipment (UE), which in this case is the smartphone; the Evolved UMTS Terrestrial Radio Access Network (E-UTRAN); and the Evolved Packet Core (EPC).
The E-UTRAN is made up of base stations (eNodeBs), which manage the radio link between the UE and the EPC. One of the EPC's components is the Mobility Management Entity (MME), which handles the high-level signaling for phones attached to the LTE network.
The UE and the MME talk to each other through two protocols, EPS Mobility Management (EMM) and EPS Session Management (ESM), which together make up the Non-Access Stratum (NAS).
NAS messages are control-plane signaling that the modem firmware has to parse itself, so an attacker who can deliver a malformed EMM message to the target device can crash the UNISOC modem. The direct result is a Denial of Service (DoS); the article also raises Remote Code Execution (RCE) as a possibility, although only the DoS was demonstrated.
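To make the failure mode concrete, here is an added example, written for this article rather than taken from UNISOC's or Check Point's code, of the kind of length check a NAS parser needs. It decodes a plain (unciphered) EMM message using the 3GPP TS 24.301 layout (byte 0: security header type in the high nibble, protocol discriminator in the low nibble, 0x07 for EMM; byte 1: message type; then information elements) and, as a simplifying assumption, treats every following IE as TLV (IEI, length, value); real NAS also has T, V, TV and TLV-E formats that a full decoder dispatches on by IEI. The two sample messages are constructed for illustration and are not the packets CPR sent.

```c
/* Defensive parser for a plain NAS EMM message. Added example for this
 * article; not UNISOC's or Check Point's code. Assumes every IE after the
 * two-byte header is TLV-encoded (a simplification of TS 24.301). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAS_PD_EMM        0x07   /* protocol discriminator: EMM */
#define NAS_SEC_HDR_PLAIN 0x00   /* security header type: plain NAS message */
#define MAX_IE_VALUE      64     /* fixed-size destination buffer per IE */

struct nas_ie {
    uint8_t iei;
    uint8_t len;
    uint8_t value[MAX_IE_VALUE];
};

/* Decode header and TLV IEs from buf. Returns the number of IEs decoded,
 * or -1 if the message is malformed. Nothing is copied unless the declared
 * length fits both the remaining input and the destination buffer. */
int parse_emm_plain(const uint8_t *buf, size_t buflen, uint8_t *msg_type,
                    struct nas_ie *out, size_t max_ies)
{
    if (buflen < 2) return -1;                          /* header is 2 bytes */
    if ((buf[0] & 0x0F) != NAS_PD_EMM) return -1;       /* not EMM */
    if ((buf[0] >> 4) != NAS_SEC_HDR_PLAIN) return -1;  /* only plain handled */
    *msg_type = buf[1];

    size_t pos = 2, n = 0;
    while (pos < buflen) {
        if (n >= max_ies) return -1;
        if (buflen - pos < 2) return -1;                /* need IEI + length */
        uint8_t iei = buf[pos], len = buf[pos + 1];
        pos += 2;
        /* The check a crashing baseband lacks: an attacker controls len,
         * so it must be bounded by the bytes actually present and by the
         * size of the buffer it is copied into. */
        if (len > buflen - pos || len > MAX_IE_VALUE) return -1;
        out[n].iei = iei;
        out[n].len = len;
        memcpy(out[n].value, buf + pos, len);
        pos += len;
        n++;
    }
    return (int)n;
}

/* Constructed sample: EMM Information (0x61) carrying one TLV IE,
 * IEI 0x43 (network full name), declared length 3, three bytes present. */
static const uint8_t SAMPLE_OK[]  = { 0x07, 0x61, 0x43, 0x03, 0x80, 0x41, 0x42 };
/* Constructed sample: identical, except the IE now claims 0xFF bytes while
 * only three follow. A parser that trusts the field overreads by 252 bytes. */
static const uint8_t SAMPLE_BAD[] = { 0x07, 0x61, 0x43, 0xFF, 0x80, 0x41, 0x42 };

static int parse_sample(const uint8_t *buf, size_t len, uint8_t *mt)
{
    struct nas_ie ies[4];
    return parse_emm_plain(buf, len, mt, ies, 4);
}

int parse_sample_ok(void)  { uint8_t mt; return parse_sample(SAMPLE_OK,  sizeof SAMPLE_OK,  &mt); }
int parse_sample_bad(void) { uint8_t mt; return parse_sample(SAMPLE_BAD, sizeof SAMPLE_BAD, &mt); }
int sample_ok_msg_type(void) { uint8_t mt = 0; parse_sample(SAMPLE_OK, sizeof SAMPLE_OK, &mt); return mt; }

int main(void)
{
    printf("well-formed message: %d IE(s), type 0x%02x\n",
           parse_sample_ok(), sample_ok_msg_type());
    printf("oversized length field: %d (rejected)\n", parse_sample_bad());
    return 0;
}
```

The point is the single comparison before the `memcpy`: the length byte is attacker-controlled input arriving over the air, and a firmware parser that copies `len` bytes without comparing it to the remaining input and to the destination size is exactly the kind of code that a crafted EMM message turns into a modem crash.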
CPR used a Motorola Moto G20 running the January 2022 security patch as the test device; it is powered by the UNISOC T700. By sending malformed NAS messages to the device, they crashed the modem and demonstrated the DoS.
CPR believes that an attacker or a military unit could use vulnerabilities like this to "neutralize communications in a particular location."
UNISOC was informed of the baseband problem in May 2022 and fixed it quickly. Google will announce the patch in the next Android Security Bulletin.
Flaws like this surface regularly, so keep your phone on the latest security patch level. Note that a VPN service such as ExpressVPN protects traffic above the operating system and does nothing against an attack on the baseband, which handles the radio link beneath it.