What happens when holes perfect for spyware are found in the engine room of millions of Qualcomm-based phones? Let’s find out

DEF CON In July, the makers of millions of smartphones powered by Qualcomm’s Snapdragon system-on-chips received mitigation recommendations to address a bevy of security flaws in their products, all introduced by Qualcomm’s technology.

Those software-level vulnerabilities, which apparently could affect more than 40 per cent of cellphones worldwide, were outlined this week at the now-virtual DEF CON hacking conference.

Infosec experts at Check Point Research on Thursday reported finding more than 400 programming blunders in the code used to control the Digital Signal Processing (DSP) cores in Qualcomm’s Snapdragon chip families. These engines accelerate the processing of images, audio, and other information in a staggering number of Android cellphones.

According to Check Point’s Slava Makkaveev, who spoke of the vulnerabilities at DEF CON, the flaws are linked to Qualcomm’s Hexagon SDK, which is used to program the DSP engines to perform tasks.

From what we can tell, it sounds as though Qualcomm’s code-signature checks can be bypassed, allowing malicious Android apps to execute arbitrary instructions on the DSP and, from that position, gain control of the whole device.

Technical details have been withheld from the public to give gadget makers time to implement and roll out Qualcomm’s fixes, which will take time. Check Point claimed the flaws can be abused by rogue applications to siphon data from devices, eavesdrop on communications, crash handhelds, and execute arbitrary code.

Not all the bugs identified are dangerous, though they’re enough to warrant six separate CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Collectively, Check Point is calling its Qualcomm probe Achilles, ’cause that’s a bit more memorable than a fistful of CVEs.

In a statement to The Register, a Qualcomm spokesperson claimed the US chip designer is committed to providing technology that supports security and privacy. “Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs,” the spinner said. “We have no evidence it is currently being exploited.”

Qualcomm’s spokesperson urged mobile device users to apply software updates when available, and to only install applications from trusted sources, citing the Google Play Store for some reason. ®