Compromising mobile communications via a Unisoc vulnerability

The Chinese company UNISOC, founded as Spreadtrum, is one of the largest chip companies in the world and has been the largest in China for the past 20 years. The company produces low-cost chipsets for Android devices supporting 2G through 5G, smart TVs and other products.

Because Check Point had not examined UNISOC's products before, its research team decided to analyze part of the Non-Access Stratum (NAS) protocol messages and found a vulnerability (CVE-2022-20210): a malformed packet can make the device stop its radio communication, causing a DoS condition. This vulnerability allows attackers to interrupt communications at a specific location.



About the vulnerability (CVE-2022-20210)

To understand the basic concepts and how this vulnerability is exploited, the LTE network must be examined. The Long Term Evolution (LTE) network includes a number of protocols and components. The 3GPP created the Evolved Packet System (EPS), the LTE system architecture, which consists of three parts:

  • The user equipment (UE)
  • Evolved UMTS terrestrial radio access network (E-UTRAN)
  • Evolved packet core (EPC)


Figure 1: High-level diagram of LTE network EPS architecture

More specifically, the E-UTRAN component consists of base stations called “eNodeBs”. An eNodeB is responsible for controlling the radio communication between the UE and the EPC elements. Note that a UE communicates with only a single eNodeB at any one time.

The EPC is divided into four parts, one of which is the Mobility Management Entity (MME). This entity is responsible for the signaling messages related to security control, location area management and mobility management.

The research was performed using a UNISOC modem and the communication between the MME component and the UE stack (an Android device). Figure 2 shows the modem's protocol stack; the Non-Access Stratum (NAS) layer carries the EPS session management (ESM) and EPS mobility management (EMM) signaling messages.


Figure 2: High-level diagram illustrating the LTE protocol stacks

Some messages between the UE and the MME are shown below.


Figure 3: Messaging diagram

The NAS protocol deserves attention (see Figure 3) because it sits at the top of the stack, above the lower-layer structures. An attacker can craft malformed packets and send them to a target device to crash it or, potentially, execute code remotely.

Examining the details of the vulnerability

In this context, the vulnerability identified as CVE-2022-20210 stems from the handling of the following NAS message parameters:

  • Output filter
  • NAS message bundle
  • Shift offset

By fuzzing the NAS implementation with AFL and QEMU, the team identified several interesting functions, such as the srsRAN function liblte_mme_unpack_mobile_id_ie, which extracts the mobile identity from a NAS message. This identity element starts with a length field, and the value that follows, 2 bytes shorter than the stated length, represents the International Mobile Subscriber Identity (IMSI).

The crash occurs when this value is copied to the output as the IMSI number. If the length field is zero, the subtraction underflows (0 - 2 = 0xFFFFFFFE as an unsigned 32-bit value), that many bytes are copied into heap memory, and the resulting corruption causes a DoS condition.


Figure 4: Block of code responsible for crashing the device
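As an added example (not Check Point's or srsRAN's code), the following C sketch contrasts the unchecked length arithmetic described above with a decoder that validates the mobile identity IE (length, bytes actually present, identity type, digit count) before copying anything. The IE layout assumed here (a length octet, then an octet holding the identity type, the odd/even flag and the first digit, then packed BCD digits) follows 3GPP TS 24.008; the function names and the sample IMSI are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MOBILE_ID_TYPE_IMSI 0x01

/* Unchecked arithmetic in the style the article describes (constructed
 * illustration): 2 is subtracted from the IE length before the copy, so a
 * length of 0 wraps to 0xFFFFFFFE, the oversized copy length that corrupts
 * the heap. Returned here instead of used as a memcpy size. */
uint32_t unchecked_copy_len(uint8_t ie_len)
{
    uint32_t len = ie_len;
    return len - 2;              /* 0 - 2 == 0xFFFFFFFE */
}

/* Hardened decoder: every bound is checked before a byte is written.
 * Returns the number of IMSI digits written to out, or -1 if malformed. */
int unpack_mobile_id_imsi(const uint8_t *ie, size_t avail,
                          char *out, size_t out_cap)
{
    if (avail < 1) return -1;
    uint8_t len = ie[0];
    /* Need at least the type octet, and the value must really be present. */
    if (len < 1 || (size_t)len + 1 > avail) return -1;
    const uint8_t *v = ie + 1;
    if ((v[0] & 0x07) != MOBILE_ID_TYPE_IMSI) return -1;
    int odd = (v[0] >> 3) & 1;   /* 1: last high nibble is a digit, 0: filler */
    size_t ndigits = 2 * (size_t)len - 1 - (odd ? 0 : 1);
    if (ndigits == 0 || ndigits > 15 || ndigits + 1 > out_cap) return -1;
    size_t n = 0;
    out[n++] = (char)('0' + (v[0] >> 4));
    for (size_t i = 1; i < len; i++) {
        out[n++] = (char)('0' + (v[i] & 0x0F));
        if (n < ndigits) out[n++] = (char)('0' + (v[i] >> 4));
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed IE carrying the test IMSI 001010123456789 (15 digits). */
    const uint8_t good[] = {0x08, 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98};
    const uint8_t zero_len[] = {0x00};
    char imsi[16];
    printf("unchecked copy length for len=0: 0x%08X\n", unchecked_copy_len(0));
    printf("hardened on len=0 IE: %d\n", unpack_mobile_id_imsi(zero_len, 1, imsi, 16));
    if (unpack_mobile_id_imsi(good, sizeof good, imsi, sizeof imsi) > 0)
        printf("decoded IMSI: %s\n", imsi);
    return 0;
}
```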

From this, a malformed NAS message can be constructed. As shown below and described by Check Point, “the highlighted value 0x23 indicates that the following is the message identity block, where the first 0x01 is the length and the second 0x01 is the IMSI type”.


Figure 5: Malformed NAS message

This message causes the device to crash and opens the door to more sophisticated payloads that could lead to remote code execution.

In conclusion

In this article, we saw how the LTE protocol and malformed NAS messages can affect the operation of smart devices, even to the point of knocking them offline.

Google has addressed the bugs to protect millions of devices around the world. The fix shipped with the June 2022 security update, and users can now protect their smart devices from this vulnerability by installing it.



Written by Anastasis Vasileiadis
