Jump to content
Login new information ×
Remember, Matrix ×
Login new information

Qualcomm Snapdragon bugs leave almost half of all smartphones open to attack

Karlston

By Karlston
in Security & Privacy News

Recommended Posts

Karlston

Karlston

Posted
Posted

Qualcomm Snapdragon bugs leave almost half of all smartphones open to attack

Security flaws could allow hackers to tack control of devices, spy on users and create un-removable malware

byCr8DA85bFgd9X55ZBj5T-320-80.jpg

(Image credit: Qualcomm)

 

New research from Check Point has discovered over 400 vulnerabilities in Qualcomm's Snapdragon Digital Signal Processor (DSP) chip that if exploited, could allow hackers to take control of over 40 percent of all smartphones.

 

A DSP is a system on a chip that is used for audio signal and digital image processing in a number of consumer devices including TVs and smartphones. While DSP chips bring a number of new features and capabilities to the devices they're used in, they also introduce new weak points and expand a device's attack surface.

The vulnerabilities discovered by Check Point have serious implications as Qualcomm's chips are found in nearly every Android smartphone including flagship phones from Google, Samsung, LG, Xiaomi, OnePlus and other hardware makers.

 

By exploiting the vulnerabilities in Qualcomm's DSP chip, an attacker can spy on users via their smartphones, render a user's mobile phone constantly unresponsive and create un-removable malware capable of evading detection.

DSP chip vulnerabilities

Check Point responsibly disclosed its findings to Qualcomm and the chip maker acknowledge the vulnerabilities, notified device vendors and assigned six of the flaws with CVE listings.

 

 

Qualcomm has already patched the six security flaws affecting its Snapdragon DSP chip but smartphone makers still have to implement and deliver fixes to their users' devices which means that many smartphones in the wild are still vulnerable to potential attacks.

 

 

In a blog post, Check Point provided further insight on how it discovered the vulnerabilities in the company's DSP chips, saying:

 
 

 

“Due to the “Black Box” nature of the DSP chips it is very challenging for the mobile vendors to fix these issues, as they need to be first addressed by the chip manufacturer. Using our research methodologies and state-of-the-art fuzz testing technologies, we were able to overcome these issues – gaining us with a rare insight into the internals of the tested DSP chip. This allowed us to effectively review the chip’s security controls and identify its weak points.”

 

Given the severity of the vulnerabilities in Qualcomm's DSP chips, its recommended that users install any potential patches or fixes as soon as they become available.

 

Via BleepingComputer

 

 

Qualcomm Snapdragon bugs leave almost half of all smartphones open to attack

 

ThanksForReading200x49.jpg

Link to comment
Share on other sites
  • Replies 1
  • Views 784
  • Created
  • Last Reply
Karlston

Karlston

Posted
  • Author
Posted

Over a Billion Android Devices Are at Risk of Data Theft

Qualcomm has released a fix for the flaws in its Snapdragon chip, which attackers might exploit to monitor location or render the phone unresponsive.
snapdragon chip
Snapdragon is what’s known as a system on a chip that provides a host of components, such as a CPU and a graphics processor. Photograph: Pichi Chuang/Reuters
 

A billion or more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.

 

The vulnerabilities can be exploited when a target downloads a video or other content that’s rendered by the chip. Targets can also be attacked by installing malicious apps that require no permissions at all.

 

From there, attackers can monitor locations and listen to nearby audio in real time and exfiltrate photos and videos. Exploits also make it possible to render the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfecting difficult.

 

Snapdragon is what’s known as a system on a chip that provides a host of components, such as a CPU and a graphics processor. One of the functions, known as digital signal processing, or DSP, tackles a variety of tasks, including charging abilities and video, audio, augmented reality, and other multimedia functions. Phone makers can also use DSPs to run dedicated apps that enable custom features.

 

“While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features—they do come with a cost,” researchers from security firm Check Point wrote in a brief report of the vulnerabilities they discovered. “These chips introduce new attack surface and weak points to these mobile devices. DSP chips are much more vulnerable to risks as they are being managed as ‘Black Boxes’ since it can be very complex for anyone other than their manufacturer to review their design, functionality or code.”

 

Qualcomm has released a fix for the flaws, but so far it hasn’t been incorporated into the Android OS or any Android device that uses Snapdragon, Check Point said. When I asked when Google might add the Qualcomm patches, a company spokesman said to check with Qualcomm. The chipmaker didn’t respond to an email asking.

 

Check Point is withholding technical details about the vulnerabilities and how they can be exploited until fixes make their way into end-user devices. Check Point has dubbed the vulnerabilities Achilles. The more than 400 distinct bugs are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

 

In a statement, Qualcomm officials said: “Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

Check Point said that Snapdragon is included in about 40 percent of phones worldwide. With an estimated 3 billion Android devices, that amounts to more than a billion phones. In the US market, Snapdragons are embedded in around 90 percent of devices.

 

There’s not much helpful guidance to provide users for protecting themselves against these exploits. Downloading apps only from Play can help, but Google’s track record of vetting apps shows that advice has limited efficacy. There’s also no way to effectively identify booby-trapped multimedia content.

 

This story originally appeared on Ars Technica.

 

 

Over a Billion Android Devices Are at Risk of Data Theft

 

ThanksForReading200x49.jpg

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...