Although it does not enjoy the “fame” of other chips, the UNISOC SC9863A SoC is a fairly popular choice, present in entry-level devices from various brands, a good part of which are on the market today, even though the chip has been around for a while and is not one of UNISOC's most recent. Among the brands that make most use of this manufacturer's chips we find Nokia and Realme, to cite just a couple of examples. It is a much more common chip than one might think.
The problem is that the security firm Kryptowire, after carrying out an investigation, has published a statement reporting that it has detected a vulnerability in the UNISOC SC9863A. Although it does not explain the nature of the flaw (which is normal under the responsible disclosure policies that, fortunately, prevail in the sector), it does give some details on the scope that its exploitation may have. And the truth is that they are quite worrying.
“Specifically, the vulnerability allows attackers to access call and system logs, text messages, contacts and other private data, video record the device screen or use the external camera to record video, or even take control of the device remotely, altering or cleaning your data.”
Although the vulnerability has only now been made public, Kryptowire had already informed the manufacturers of affected devices, as well as the chip manufacturer itself, when it discovered the UNISOC SC9863A vulnerability in December last year. That period, we understand, will have been used by all affected parties to take, in each case, the measures within their reach to mitigate the possible impact of the vulnerability on affected smartphone users.
As for the chip manufacturer, one would expect the UNISOC SC9863A to be discontinued immediately and, additionally, the company’s engineering teams to have turned to analyzing the rest of its chips, in order to determine whether they can also be attacked in the same way as the UNISOC SC9863A. However, just a few weeks ago we learned of new Nokia phones which, as you can see in their data sheets, include this SoC, a decision that we understand is due to the fact that they were already on the production line when they learned of the vulnerability.
And what should manufacturers that have integrated the UNISOC SC9863A in their devices do? Evidently, publish the necessary updates to mitigate the effects of this vulnerability as soon as possible. At this point the most important thing is speed, above everything else. As we saw last week, the first patch for Spectre BHI has a big impact on performance. That is annoying for users, of course, but it is the most correct way to proceed: secure first, then optimize.
“In an increasingly competitive mobile device market, it is imperative that device manufacturers establish and maintain trust between operators and end users,” states Alex Lisle, technical director of Kryptowire. “Kryptowire’s core technology, which provides fast, automatic vulnerability scanning without end-user data intrusion, helps stakeholders find and remediate critical security and privacy gaps faster and more efficiently, increasing trust in the face of complex security challenges.”
Thus, if you are a user of a smartphone that uses a UNISOC SC9863A, contact its manufacturer to find out what measures they are going to take in this regard.