Nearly 50% Of All Smartphones Affected By Qualcomm Snapdragon Bugs
Several security vulnerabilities found in Qualcomm’s Snapdragon chip Digital Signal Processor (DSP) chip could allow attackers to take control of more than 40% of all smartphones without user interaction, spy on their users, and create un-removable malware capable of evading detection.
DSPs are system-on-chip units are used for audio signal and digital image processing, and telecommunications, in consumer electronics including TVs and mobile devices.
Despite their complexity and the number of new features and capabilities DSP chips can add to any device, unfortunately, they also introduce new weak points and expand the devices’ attack surface.
Hundreds of millions of devices exposed to attacks
The vulnerable DSP chip “can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more,” according to Check Point researchers who found these vulnerabilities.
Apple’s iPhone smartphone line is not affected by the security issues discovered and disclosed by Check Point in their report.
Check Point disclosed their findings to Qualcomm, who acknowledged them, notified device vendors, and assigned them with the following six CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209.
According to Check Point, these vulnerabilities make it possible for:
• Attackers to turn the phone into a perfect spying tool, without any user interaction required. The information that can be exfiltrated from the phone includes photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
• May be able to render the mobile phone constantly unresponsive. Making all the information stored on this phone permanently unavailable -including photos, videos, contact details, etc–in other words, a targeted denial-of-service attack.
• Can use malware and other malicious code can completely hide their activities and become un-removable.
Also read: Privacy policy template important tips for your business
Qualcomm fixed the vulnerabilities, security updates incoming
Although Qualcomm has already patched the six security flaws found to affect the Qualcomm Snapdragon DSP chip, mobile vendors still have to implement and deliver security fixes to their devices’ users, the threat is still there since the devices are still vulnerable to attacks.
Check Point researchers did not publish the technical details behind these vulnerabilities to allow mobile vendors to develop and deliver security updates to users to mitigate any possible risks.
“However, we decided to publish this blog to raise the awareness to these issues,” Check Point explained in a research report shared earlier with BleepingComputer.
“We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer. The full research details were revealed to these stakeholders.”
Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store. – Qualcomm spokesperson
“Although Qualcomm has fixed the issue, it’s sadly not the end of the story,” Head of Cyber Research at Check Point, Yaniv Balmas, said.
“Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time.”
The research behind these vulnerabilities will be presented by Check Point security researcher Slava Makkaveev tomorrow, at DEF CON 2020, during a presentation dubbed “Pwn2Own Qualcomm compute DSP for fun and profit.”
It is now up to the vendors, such as Google, Samsung, and Xiaomi, to integrate those patches into their entire phone lines, both in manufacturing and in the market. Our estimations are that it will take a while for all the vendors to integrate the patches into all their phones. Hence, we do not feel publishing the technical details with everyone is the responsible thing to do given the high risk of this falling into the wrong hands. For now, consumers must wait for the relevant vendors to also implement fixes.
Update: Added Qualcomm statement.
Also read: 4 easy guides to data breach assessment
0 Comments