Dangerous bugs in Qualcomm chips?
If you are looking for a new smartphone, you will likely focus on price, design, and features first, and most likely not on the silicon inside that powers it. However, researchers have found that Qualcomm's Snapdragon chip, one of the most commonly used chips in Android phones, contains hundreds of vulnerable bits of code that put millions of Android users at risk.
Qualcomm is a major chip supplier to several well-known technology companies. In 2019, the Snapdragon processor series was found in almost 40% of all Android smartphones, including high-profile flagship phones from Google, Samsung, Xiaomi, LG and OnePlus. Researchers at Check Point, a cybersecurity company, discovered that the digital signal processor (DSP) in Qualcomm Snapdragon chips contained over 400 vulnerable pieces of code. The vulnerabilities, collectively known as “Achilles”, can affect phones in three ways.
How can hackers exploit the vulnerability?
Attackers would only have to convince someone to install a seemingly harmless app that bypasses the usual security measures. Once this is done, an attacker can turn the affected phone into a spying tool and access photos, videos, GPS and location data from the phone. Hackers could also potentially record calls and turn on the phone's microphones without the owner ever knowing. Alternatively, an attacker could make the smartphone completely unusable by making all of the data stored on it inaccessible, in what researchers call a “targeted denial-of-service attack”. Finally, hackers could also exploit the vulnerabilities to hide malware in a way that the victim would not notice.
Why were so many bugs found?
The reason why so many security flaws have been found is that the DSP is a kind of "black box". It is difficult for anyone but the manufacturer of the DSP to verify exactly how it works. This is usually a good thing, as it makes the DSP harder to hack. Conversely, however, it also means that security researchers cannot simply test it. As a result, DSPs often contain several unknown security vulnerabilities. DSPs enable many of the innovative functions that we are used to from smartphones. This includes things like fast charging, various multimedia features such as video and HD recording, and advanced AR. This makes the DSP an extremely efficient and important component. Unfortunately, that is exactly what hackers can use to take control of your smartphone.
Check Point has shared its findings with Qualcomm, government officials and affected vendors. However, the company said it will not release the details of the Achilles bugs, as millions of devices may still be at risk. Although Qualcomm has reportedly fixed the problem in the meantime, that doesn't mean your Android smartphone is automatically safe. It is up to the phone manufacturers to pass the relevant security patches on to their customer base. This may take some time.
In a statement to CNET, Qualcomm said it had "worked diligently to validate the problem and provide appropriate remedial action to smartphone manufacturers". Although the company said it had found no evidence of the Achilles vulnerability being exploited, it recommended that Android users update their phones as soon as patches are available and only install verified apps from official app stores.