For discovering three security flaws in Qualcomm chips, SUTD researcher received over $10,000

11 Dec 2023

Lianhe Zaobao, 11 Dec 2023, 发现高通晶片三安全漏洞 新科大博士获逾万元奖金
(translation)
 
Students from the Singapore University of Technology and Design (SUTD) discovered three security vulnerabilities in Qualcomm's 5G chips, which may disable the 5G network services of about 60% of the world's mobile phones.
 
SUTD issued a statement on Monday (December 11) saying that these security vulnerabilities were discovered by Dr. Matheus E. Garbelini. He was a doctoral candidate at SUTD at the time and is now a researcher at SUTD.
 
The chip with the security flaw is manufactured by Qualcomm and is commonly used in popular mobile phone brands such as Apple, Samsung and Google. According to findings, as many as 714 smartphone models from 24 brands are affected.
 
The statement pointed out that Garbelini and four other researchers used "Wireless Fuzzing" technology to detect the problem. The so-called "fuzz testing" refers to inputting random data into the program and monitoring program abnormalities to discover potential problems.
 
Participants in the study include: SUTD research group member, Assistant Professor Sudipta Chattopadhyay, SUTD PhD student, Shang Zewen, and researchers from the Institute for Infocomm Research under the Agency for Science, Technology and Research, Acting Executive Director Dr Sumei Sun, and Dr Ernest Kurniawan.
 
They found that threat actors need only control a 5G base station and launch malicious attacks from the base station to trigger a "denial of service" (DoS) attack, causing mobile phones equipped with the flawed chips to be unable to connect to the 5G network. Even if the attack stops, the service cannot be restored to normal. Only by restarting the phone or removing and reinserting the SIM card can the network be connected.
 
Garbelini said: "Although there are no known defence against attacks exploiting these flaws, users should still keep their Android OS and iOS patched to the latest versions of the phone software as most security issues are done during these updates."
 
Qualcomm expressed its appreciation for the discovery of three “high severity” flaws in the chips produced by the SUTD team, and decided to award US$17,000 (approximately S$23,000) to Garbelini and his team.
 
A Qualcomm spokesperson said in a statement that the company has worked with the SUTD team to resolve related issues and issued a patch to OEMs in August this year, calling on end users to perform relevant security updates.