17 votes

Achilles: Over 400 vulnerabilities found in Qualcomm’s Snapdragon DSP chip, threatening the security of hundreds of millions of Android devices

4 comments

  1. [2]
    ThiccPad
    Link
    Attackers can turn the phone into a perfect spying tool, without any user interaction required – The information that can be exfiltrated from the phone include photos, videos, call-recording,...

    Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.

    More than 400 vulnerable pieces of code were found within the DSP chip we tested, and these vulnerabilities could have the following impact on users of phones with the affected chip:

    • Attackers can turn the phone into a perfect spying tool, without any user interaction required – The information that can be exfiltrated from the phone include photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
    • Attackers may be able to render the mobile phone constantly unresponsive – Making all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.
    • Malware and other malicious code can completely hide their activities and become un-removable.

    Check Point Research decided not to publish the full technical details of these vulnerabilities until mobile vendors have a comprehensive solution to mitigate the possible risks described.

    We strongly recommend organizations protect their corporate data on their mobile devices by using mobile security solutions. SandBlast Mobile provides real-time threat intelligence and visibility into the mobile threats that could affect businesses, and provides complete protection against the risks detailed in this blog, associated with the Quallcomm vulnerabilities.

    A lot of words but no actual details.

    • No affected DSP models listed
    • Attack vector?

    Android fragmentation will leave many phones unpatched.

    That iphone se2 is looking pretty good.

    7 votes
  2. Akir
    Link
    And of course, it's all because of these black boxed designs. There is a rule of thumb that works well with hardware of all types. The worse the documentation is, the more insecure it is. And if...

    And of course, it's all because of these black boxed designs.

    There is a rule of thumb that works well with hardware of all types. The worse the documentation is, the more insecure it is. And if there isn't enough documentation to write a driver for it, it's probably bad enough to take control of the entire system.

    6 votes
  3. hhh
    Link
    Is there anything end-users can do to try and stay safe? If "downloading videos" includes just loading them on a website, would you have to stick to trustworthy, ad-free sites only? Would not...

    Is there anything end-users can do to try and stay safe? If "downloading videos" includes just loading them on a website, would you have to stick to trustworthy, ad-free sites only? Would not downloading any apps help? Is there any way to check if a given phone's manufacturer is planning on updating it, or to see if an update patches it? Is it safe to use or have banking apps installed?

    4 votes