Closed ebonetti closed 3 years ago
Hi! First of all sorry for answering this late, it's been a very busy week, and thank you for taking your time to write the issue.
While it is in fact a vulnerability in the ADSP firmware for most MSM devices and Qualcomm should patch it ASAP, I think they went a little on the extreme when saying that someone can listen to your conversations with this. I mean yes, they could, and they could lock your SIM card by entering lots of bad PIN codes, but if you already have access to the QMI port you can already do that; that's exactly what QMI is for: configuring the modem, making calls, getting the phone number that is calling, receiving SMS, etc.
Yes, it's a buffer overflow that lets you run arbitrary commands on the ADSP. But that vulnerability can only be triggered from something that's already inside the phone and has enough permissions to talk to the QMI interface. That means that for this to work:
Now, in the PinePhone scenario, to exploit this, you would need:
a) Already have root access to the PinePhone, or at least be able to elevate privileges to the dialout group depending on the distro
b) Be able to trigger this bug from the modem itself.
All PinePhone distros are in beta, so it's entirely possible to find a bug in them, but at the same time, most distros use the latest version of everything, so it's harder to exploit remotely than your typical 5 year old Android phone with no updates, unless you leave ssh enabled with password '1234'.
Since the modem is not directly connected to anything but the PinePhone, the attack surface is smaller (no possibility of something leaking QMI through a vulnerability in a WiFi card firmware, for example, since there's no shared memory between the modem and the phone).
If you wanted to exploit this from the modem itself, you would also need root access to it, since all the userspace both in stock firmware and in this one only allows root to talk to the IPC router (which talks QMI), and the other port that is able to do it is already in use when it boots so it cannot be tapped into. And the only way to get root access to the modem is from the Pinephone itself, since the modem cannot connect anywhere by itself unless you really change the stock firmware (that's impossible to do with the custom firmware), so in the end, the only entry point is again from exploiting the Pinephone's distro. And if the exploit already has permissions to run QMI commands, it doesn't need to exploit anything, it can already run them directly without messing with the ADSP memory.
An analogy would be if someone found an exploit in your car's firmware that would let them start it by installing a dongle into the car's diagnostic port and exploiting a bug. If they already got inside the car and were able to tap into the diagnostic port, they can already do that without exploits; they could simply ask the engine to start from the diag port and run away with it.
With all that said, if/when Quectel releases an update to the ADSP firmware, of course I'll publish it in the recovery repo so everyone can update; the fewer bugs we have, the better :)
Given the threat models you presented, your reasoning is solid. Thanks for taking your time writing such a comprehensive reply!
Hello Pine64 folks, as you may be aware, Check Point Research has found a high-rated vulnerability in QMI:
Android is already taking steps to mitigate it.
Keep up the great work, Enrico Bonetti Vieno
P.S.: I'm hooked on your achievements with the PinePhone and Pine64 open hardware, big fan here 👍 Thanks for your hard work!!