Our mobile phones are home to a vast amount of personal information, including photos, videos, call recordings, contacts, location data, and more. That’s why any security holes found in those phones can be problematic, especially if an attacker is able to exploit those flaws. A new report by cyber threat intelligence provider Check Point Research explains how vulnerabilities found in a chip in many Android phones could allow hackers to spy on users.
SEE: Top Android security tips (free PDF) (TechRepublic)
In its report “Achilles: Small chip, big peril,” Check Point described how it discovered more than 400 security flaws in a Snapdragon Digital Signal Processor (DSP) chip made by Qualcomm Technologies. Devised as a system on a chip, a DSP contains hardware and software designed to optimize such phone features as charging abilities, multimedia experiences, and audio.
Qualcomm is a common name in the mobile arena as its chips are embedded into phones from Google, Samsung, LG, Xiaomi, OnePlus, and other Android vendors. iPhones are not affected by these flaws, according to Check Point.
The DSP flaws discovered by Check Point could help hackers turn targeted phones into their own spying devices by obtaining such information as photos, videos, call recordings, real-time microphone data, and GPS and location data. Further, attackers could render a phone unresponsive and unusable by making all of this stored information unavailable to the owners. The malware implanted by exploiting the flaws could also be unremovable.
Despite the risk posted by these vulnerabilities, Check Point hasn’t yet spotted any real-world exploits.
“We have not been able to identify any usage of these exploits in the wild,” Check Point public relations head Ekram Ahmed told TechRepublic. “This of course doesn’t mean they haven’t been used, but that we haven’t spotted them in our telemetry.”
Check Point disclosed its findings to Qualcomm, which then notified the various device makers. Qualcomm was able to fix the vulnerabilities on its end and assigned them the following CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.
A Qualcomm spokesperson shared the following statement with TechRepublic:
“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”
“Although Qualcomm has fixed the issue, it’s sadly not the end of the story,” Yaniv Balmas, head of cyber research at Check Point, said in a press release. “Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data. Our research shows the complex ecosystem in the mobile world. With a long supply chain integrated into each and every phone, it is not trivial to find deeply hidden issues in mobile phones, but it’s also not trivial to fix them.”
Qualcomm’s fixes are only the first step. Now, the mobile vendors need to step in to apply and roll out the necessary patches to their users. As such, Check Point said it won’t reveal the full details on the vulnerabilities until the mobile vendors have deployed a comprehensive way to resolve them. And that may take a while.
“We assume it will take months or even years to completely mitigate it,” Balmas said. “If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time. It is now up to the vendors, such as Google, Samsung, and Xiaomi, to integrate those patches into their entire phone lines, both in manufacturing and in the market.”