Researchers have discovered that Qualcomm’s Snapdragon SoCs – more specifically, their Digital Signal Processor units – are marred by 400 vulnerabilities. Obviously, this is a very bad thing, since these chips are used in tons of popular Android devices (they make up nearly half of the mobile phone market). The security lapses allow potential attackers to steal all sorts of juicy data, such as photos, call recordings, and GPS location. Attackers can even use the vulnerabilities to brick Snapdragon phones, or throw in permanent malware.
“More than 400 vulnerable pieces of code were found within the DSP chip we tested,” wrote Check Point Research, “and these vulnerabilities could have the following impact on users of phones with the affected chip:
- Attackers can turn the phone into a perfect spying tool, without any user interaction required – The information that can be exfiltrated from the phone include photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
- Attackers may be able to render the mobile phone constantly unresponsive – Making all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.
- Malware and other malicious code can completely hide their activities and become un-removable.”
Qualcomm already knows about this and has patches prepared, but according to Ars Technica’s coverage, Google has remained mum on when they’ll be issued to the millions of Android devices out there.
“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs,” wrote Qualcomm officials. “We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”