Snapdragon Chip Flaws Could Facilitate Mass Android Spying1 Billion Devices at Risk; Qualcomm Is Prepping Patches for OEMs to Push to Users
Heads-up on the existence of a serious security problem affecting many Android devices for which no fix is yet available, short of ditching any vulnerable gear.
Researchers at Check Point Software Technologies have counted 400 flaws in Qualcomm's Digital Signal Processor - known as Hexagon DSP - that's present in all Snapdragon systems-on-chip.
Qualcomm, based in San Diego, manufactures chips that are used in more than 40% of smartphones, including devices shipped by Samsung, Google, LG, OnePlus, Xiaomi and others. The researchers estimate that more than 1 billion Android devices have a Snapdragon chip and thus have the flaws they found.
Check Point has dubbed the security flaws "Achilles" because the flaws on the small chip may pose outsize peril. The technology vendor says it's withholding full details of the flaws until fixes arrive. But it warns that the flaws could be exploited to fully compromise vulnerable devices in multiple ways:
- Spying: "Without any user interaction required," an attacker could exfiltrate any data from the device, including "photos, videos, call recording, real-time microphone data, GPS and location data" and more.
- Denial of service: An attacker could leave a phone unresponsive, preventing a user from recovering the data it stores or using it in any other way.
- Malicious code: Attackers could exploit the flaws to run malware on the device.
Qualcomm says patches are on the way and that so far it's seen no signs of the flaws being exploited in the wild.
"Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs," Qualcomm says in a statement.
"We have no evidence it is currently being exploited," Qualcomm says. "We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store."
Qualcomm didn't immediately respond to a request for comment about how many devices in current use might need a patch. Another recurring problem with Android devices continues to be devices that are no longer supported by OEMs - meaning, no software updates or security fixes get released - yet which individuals continue to use.
Smartphone Users Worldwide 2016-2021
6 Separate Vulnerability Designations
Check Point says the flaws are encapsulated via six separate vulnerability designations. "We disclosed these findings with Qualcomm, who acknowledged them, notified the relevant device vendors and assigned them with the following CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209."
Slava Makkaveev, a security researcher at Check Point, described the company's research in a presentation titled "Pwn2Own Qualcomm compute DSP for fun and profit" on Friday at the DEF CON 2020 virtual event.
In his presentation, Makkaveev demonstrated how the flaws could be exploited to execute arbitrary code on vulnerable devices.
Makkaveev said the research demonstrated "how an Android application can bypass Qualcomm's signature and execute privileged code on the DSP and what further security issues this can lead to."
Qualcomm gives some OEMs and third-party software vendors access to a Hexagon software development kit allowing them to program the DSP with code that gets signed by Qualcomm. The SDK appears to be the source of the problems.
"We discovered serious bugs in the SDK that have led to the hundreds of hidden vulnerabilities in the Qualcomm-owned and vendors' code," Makkaveev says. "The truth is that almost all DSP executable libraries embedded in Qualcomm-based smartphones are vulnerable to attacks due to issues in the Hexagon SDK."
In addition, he says Hexagon's libraries currently have no version control, and that vulnerable software found on one OEM's device could be run on another OEM's device to allow the vulnerabilities to be exploited across device types.
'Black Box' Alert
Digital signal processors provide a complete system on a chip - including hardware and software - that can be used to facilitate such things as rapid charging, camera streaming and low-power processing of audio and video.
But Check Point says that the inclusion of complete computers on a chip in smartphones - almost every modern smartphone now has at least one such chip - means more potential ways that flaws can end up in systems running on such devices. "These chips introduce new attack surfaces and weak points to these mobile devices," it says. "DSP chips are much more vulnerable to risks as they are being managed as 'black boxes' since it can be very complex for anyone other than their manufacturer to review their design, functionality or code."
Qualcomm prepping patches to fix these issues is good news. But what remains to be seen is how fast OEMs receive those patches and issue them to users, and how many users install these patches - unless carriers do so automatically.
"It is now up to the vendors, such as Google, Samsung and Xiaomi, to integrate those patches into their entire phone lines, both in manufacturing and in the market," says Yaniv Balmas, head of cyber research at Check Point. "Our estimation is that it will take a while for all the vendors to integrate the patches into all their phones."
But it's unclear how many in-use Android devices are no longer supported, and thus will be at risk from the Achilles flaws for as long as they continue to be used.