Security flaws in Qualcomm’s chip put billions of Android users at risk

Joanna Estrada
August 9, 2020

Most casual smartphone users probably don't care what processor is featured inside their device. Flashy specs like the display, camera, and battery life are what manufacturers often advertise. It has organized them into six vulnerability entries in the CVE system, a US government-funded database of software security flaws. To that end, the researchers at Check Point have discovered over 400 vulnerable pieces of code within the Digital Signal Processor (DSP) chips found within Snapdragon SoCs used in hundreds of millions of Android devices.

Dubbed "Achilles", the flaw puts millions of Android users at risk.

The discovery of Achilles is particularly significant because it's relatively rare for security experts to report security flaws in DSP chips publicly.

Snapdragon is what's known as a DSP, or digital signal processing, chip. That's a concerning figure.

Altogether, the vulnerabilities can be exploited in three main ways. For instance, apps that let users alter Android's functionality typically have such permissions. This doesn't need any user interaction but gives the ability to exfiltrate data like photos, videos, call-recording, real-time microphone data and location data to the hacker.

Attackers can turn the phone into a flawless spying tool, without any user interaction required - The information that can be exfiltrated from the phone include photos, videos, call-recording, real-time microphone data, Global Positioning System and location data, etc. It's easy to see the potential spying and privacy concerns related to this avenue.

Hackers also gain the ability to render the mobile phone constantly unresponsive making all the information stored on this phone permanently unavailable which is simply a targeted denial-of-service attack.

The most concerning thing isn't the potential vulnerabilities. Well, this makes Apple devices safer. These vulnerabilities are reported to have affected a slew mobile phones. A number of hardware and software package elements tackle a selection of jobs, together with charging qualities and video clip, audio, augmented reality, and other multimedia features. That makes it a highly efficient component to include in smartphones. The company plans to discuss the vulnerability series, which it has codenamed Achilles, today at the online Def Con security event.

Meanwhile, the DSP is a sort of "black box", making it hard for anyone other than a device's manufacturer to access it.

As it seems, though, not much regards were given to the security of the DSP chips, and solving the problem now requires handling the complexities of an entangled and intricate supply chain.

The flaws were discovered by publicly traded cybersecurity provider Check Point Software Technologies Ltd. "It is now up to the vendors, such as Google, Samsung, and Xiaomi, to integrate those patches into their entire phone lines, both in manufacturing and in the market", Balmas said.

Qualcomm has reportedly fixed the vulnerability.

Upon reporting to Qualcomm, the maker has made a patch for these vulnerabilities in DSP, but it takes a long time to reach the end-user devices.

Other reports by Click Lancashire

Discuss This Article