Detected Vulnerabilities in Qualcomm’s chip puts 40% SmartPhone at risk

Qualcomm based Snapdragon chip DSP (Digital Signal Processor) has been found Several Security Vulnerabilities that attackers could use to control over 40% SmartPhones, monitor their users and inject malware that evade the detection.

DSPs are system-on-chip units, used for audio for signal and digital image processing and telecommunications, in consumer electronics including TVs and mobile phones. These chips can be added to any device. Unfortunately, they can introduce new week points and can expand the devices’ attack surface.

According to Check Point researchers, the vulnerable DSP chips “can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more. However, Apple’s IPhone SmartPhone line is not affected by the security issues, the researchers’ report say.

The Check Point disclosed their findings to Qualcomm who acknowledge them and notify the device vendors and assigned them with six CVEs that includes: CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. As per the researchers, the vulnerabilities allow the attackers to:

Turn the phone into a perfect spying tool, without any user interaction required. The information that can be ex-filtrated from the phone includes photos, videos, call-recording, real-time microphone data, GPS and location data, etc,

Render the mobile phone constantly unresponsive. Making all the information stored on this phone permanently unavailable -including photos, videos, contact details, etc–in other words, a targeted denial-of-service attack,

Use malware and other malicious code can completely hide their activities and become un-removable

Qualcomm has patch the six security flaws found on the DSP chip. However, threat is there since the devices are still vulnerable to attacks.

The researchers did not publish any technical information about the vulnerabilities. They said in the research report, “However, we decided to publish this blog to raise the awareness to these issues. We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer. The full research details were revealed to these stakeholders.”

Qualcomm Spokesperson said, “Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

“Although Qualcomm has fixed the issue, it’s sadly not the end of the story. Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time,” said the Head of Cyber Research at Check Point, Yaniv Balmas.

The researchers behind these vulnerabilities will be presented tomorrow at DEF CON 2020 by Check Point Security researcher, Slava Makkaveev.

“It is now up to the vendors, such as Google, Samsung, and Xiaomi, to integrate those patches into their entire phone lines, both in manufacturing and in the market. Our estimations are that it will take a while for all the vendors to integrate the patches into all their phones. Hence, we do not feel publishing the technical details with everyone is the responsible thing to do given the high risk of this falling into the wrong hands. For now, consumers must wait for the relevant vendors to also implement fixes.”