Monday, August 10th 2020
Vulnerabilities in Qualcomm Snapdragon's DSP May Render 1 Billion Android Phones Vulnerable to Hacking
Vulnerabilities in Qualcomm's DSP (Digital Signal Processor) present in the company's Snapdragon SoCs may render more than a billion Android phones susceptible to hacking. According to research reported this week by security firm Check Point, they've found more than 400 vulnerabilities in Snapdragon's DSP, which may allow attackers to monitor locations, listen to nearby audio in real time, and exfiltrate locally-stored photos and videos - besides being able to render the phone completely unresponsive.
The vulnerabilities (CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209) can be exploited simply via a video download or any other content that's rendered by the chip that passes through its DSP. Targets can also be attacked by installing malicious apps that require no permissions at all. Qualcomm has already tackled the issue by stating they have worked to validate the issue, and have already issued mitigations to OEMs, which should be made available via software updates in the future. In the meantime, the company has said they have no evidence any of these flaws is being currently exploited, and advise all Snapdragon platform users to only install apps via trusted locations such as the Play Store.
Source:
Ars Technica
The vulnerabilities (CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209) can be exploited simply via a video download or any other content that's rendered by the chip that passes through its DSP. Targets can also be attacked by installing malicious apps that require no permissions at all. Qualcomm has already tackled the issue by stating they have worked to validate the issue, and have already issued mitigations to OEMs, which should be made available via software updates in the future. In the meantime, the company has said they have no evidence any of these flaws is being currently exploited, and advise all Snapdragon platform users to only install apps via trusted locations such as the Play Store.
29 Comments on Vulnerabilities in Qualcomm Snapdragon's DSP May Render 1 Billion Android Phones Vulnerable to Hacking
I gave up on them years ago.
Now it's a good time to see which vendors actually care to update devices they dropped support for.
www.embedded.com/qualcomm-opens-up-on-its-hexagon-dsp/
en.globes.co.il/en/article-dsp-group-teams-with-qualcomm-on-home-automation-solution-1000979922
Plus it's not like current home automation devices have a track record of being secure.
So was Intel until they had to patch the unsecured flaws that would allow similar exploits.
But more to the point, it wouldn't surprise me if the NSA or whatever was already aware of these. What would surprise me is if they were intentionally engineered. It doesn't really work like that.
Maybe you can forward your reply to Snowden too, I'm sure he'll be interested also.
Also arguing that the data leaks would be noticed first when Quallcom say that the flaw is not in use so far are a bit contradictory don't you think?
And you do know that they have rubber stamp secret court orders locking down release of any crap the US spooks pull right? And that it was already pretty damn bad before Trump..
And that it has been proven and confirmed that big companies are all too glad pulling stuff themselves and working along with government agencies.
That, and he doesn't really communicate outside of twitter these days, so no can do.I'm arguing that researchers can look at these vulnerabilities and tell you based on how they work whether they are manmade or accidental. Stack overflows, as a primitive example, are almost never intentional.I'm well aware, but thanks for educating me.
Wonder how MS will fix this :-)