Qualcomm chip vulnerability puts millions of phones at risk

Smartphone devices from the likes of Google, LG, OnePlus, Samsung and Xiaomi are in danger of compromise by cyber criminals after 400 vulnerable code sections were uncovered on Qualcomm’s Snapdragon digital signal processor (DSP) chip, which runs on over 40% of the global Android estate.

The vulnerabilities were uncovered by Check Point, which said that to exploit them, a malicious actor would merely need to convince their target to install a simple, benign application with no permissions at all.

The vulnerabilities leave affected smartphones at risk of being taken over and used to spy on and track their users, having malware and other malicious code installed and hidden, and even being bricked outright, said Yaniv Balmas, Check Point’s head of cyber research.

Although they have been responsibly disclosed to Qualcomm, which has acknowledged them, informed the relevant suppliers and issued a number of alerts – CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209 – Balmas warned that, given the sheer scale of the problem, it could take months or even years to fix.

“Although Qualcomm has fixed the issue, it’s sadly not the end of the story,” he said. “Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data. Our research shows the complex ecosystem in the mobile world. With a long supply chain integrated into each and every phone, it is not trivial to find deeply hidden issues in mobile phones, but it’s also not trivial to fix them.

“Luckily this time, we were able to spot these issues. But we assume it will take months or even years to completely mitigate them. If such vulnerabilities are found and used by malicious actors, there will be tens of millions of mobile phone users with almost no way to protect themselves for a very long time.”

Balmas added: “It is now up to the vendors to integrate those patches into their entire phone lines, both in manufacturing and in the market. Our estimation is that it will take a while for all the vendors to integrate the patches into all their phones.”

He said the DSP vulnerabilities represented a “serious” new attack frontier for cyber criminals, introducing new attack surfaces and weak points to the affected devices. This is because DSP chips are managed as so-called “black boxes” by Qualcomm, and it can be very complex for anyone other than Qualcomm to review their design, functionality or code. This makes them notably more vulnerable to risks.

At this time, said Balmas, Check Point did not feel that publishing the technical details of the vulnerabilities was a responsible action, given the high risk of the details being used to create exploits.

“For now, consumers must wait for the relevant vendors to also implement fixes,” he said. “Check Point offers protection for these vulnerabilities with our mobile protection solution.”

Balmas and his team have outlined their research on Qualcomm’s chips in a paper entitled DSP Gate, which is being presented at Def Con 2020. Because of the Covid-19 pandemic, this year's event is being run online as Def Con Safe Mode.

A Qualcomm spokesperson said: “Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”