Qualcomm has confirmed a set of serious flaws in its smartphone chipsets that leave handsets exposed to attack.
Discovered by Check Point Research, the flaws in the Snapdragon digital signal processor (DSP) found in most Android handsets would let an attacker steal data, install spying software that is very hard to detect, or render the handset permanently unresponsive.
Check Point presented the research publicly at the DEF CON security conference in August 2020, showing that Qualcomm's restrictions on who may run code on the Snapdragon DSP could be bypassed, and that the DSP code contained more than 400 vulnerable pieces of code. The talk abstract reads:
“For security reasons, the cDSP is licensed for programming by OEMs and by a limited number of third-party software vendors. The code running on DSP is signed by Qualcomm. However, we will demonstrate how an Android application can bypass Qualcomm’s signature and execute privileged code on DSP, and what further security issues this can lead to.
“Hexagon SDK is the official way for the vendors to prepare DSP-related code. We discovered serious bugs in the SDK that have led to hundreds of hidden vulnerabilities in the Qualcomm-owned and vendors’ code. The truth is that almost all DSP executable libraries embedded in Qualcomm-based smartphones are vulnerable to attacks due to issues in the Hexagon SDK. We are going to highlight the auto-generated security holes in the DSP software and then exploit them.”
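The article does not spell out what the “auto-generated security holes” look like. As a constructed illustration, not Qualcomm’s, Check Point’s or the Hexagon SDK’s code, the C below shows the generic mistake that machine-generated RPC glue can make: a skeleton on the privileged side unpacks a message from an untrusted caller and uses the caller’s own length field to size a copy. The wire format, the 64-byte buffer, the function names and the sample payload are all assumptions made for this example. The hardened version adds the two checks that are missing, written so they cannot wrap on a 32-bit target.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration (not Qualcomm, Check Point or Hexagon SDK code).
 * An RPC skeleton on the privileged (DSP) side receives a message from an
 * untrusted app and unpacks it for the real handler. Assumed wire format:
 * a 4-byte little-endian length n followed by n bytes of payload. */

#define PAYLOAD_MAX 64   /* assumed size of the skeleton's staging buffer */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable skeleton: the caller-supplied length drives the copy without
 * being checked against the destination buffer or the message itself. An
 * app that sends n = 4096 with a short message overflows 'out' and reads
 * past the end of 'msg'. Kept here only to show the missing checks; call
 * it with well-formed input only. */
int skel_vulnerable(const uint8_t *msg, size_t msg_len, uint8_t out[PAYLOAD_MAX])
{
    if (msg_len < 4)
        return -1;
    uint32_t n = read_le32(msg);
    memcpy(out, msg + 4, n);          /* n is never bounded */
    return (int)n;
}

/* Hardened skeleton: every length derived from the message is validated
 * before it sizes a copy. msg_len >= 4 is already established, so
 * msg_len - 4 cannot underflow, and n is compared directly rather than as
 * 4 + n, which would wrap on a 32-bit size_t when n is near UINT32_MAX. */
int skel_hardened(const uint8_t *msg, size_t msg_len, uint8_t out[PAYLOAD_MAX])
{
    if (msg == NULL || out == NULL || msg_len < 4)
        return -1;
    uint32_t n = read_le32(msg);
    if (n > PAYLOAD_MAX)              /* would overflow the destination */
        return -1;
    if (n > msg_len - 4)              /* would read past the message */
        return -1;
    memcpy(out, msg + 4, n);
    return (int)n;
}

/* Build a message whose length field may lie about the payload carried. */
size_t build_msg(uint8_t *buf, size_t buf_len, uint32_t claimed_len,
                 const uint8_t *payload, size_t payload_len)
{
    if (buf_len < 4 + payload_len)
        return 0;
    buf[0] = (uint8_t)claimed_len;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len >> 16);
    buf[3] = (uint8_t)(claimed_len >> 24);
    memcpy(buf + 4, payload, payload_len);
    return 4 + payload_len;
}

int main(void)
{
    uint8_t out[PAYLOAD_MAX];
    uint8_t msg[128];
    const uint8_t payload[] = "constructed-data";   /* constructed, 16 bytes */
    size_t len;

    /* Honest message: both skeletons accept 16 bytes. */
    len = build_msg(msg, sizeof msg, 16, payload, 16);
    printf("honest: vulnerable=%d hardened=%d\n",
           skel_vulnerable(msg, len, out), skel_hardened(msg, len, out));

    /* Lying length: claims 4096 bytes but carries 16. The hardened skeleton
     * rejects it; the vulnerable one would memcpy 4096 bytes into a 64-byte
     * buffer, so it is deliberately not called here. */
    len = build_msg(msg, sizeof msg, 4096, payload, 16);
    printf("lying length: hardened=%d\n", skel_hardened(msg, len, out));

    /* Wrap-around attempt: with n = 0xFFFFFFFF a check written as
     * '4 + n > msg_len' passes on a 32-bit target because 4 + n == 3. */
    len = build_msg(msg, sizeof msg, 0xFFFFFFFFu, payload, 16);
    printf("wrapping length: hardened=%d\n", skel_hardened(msg, len, out));
    return 0;
}
```

The point for anyone auditing generated marshalling code is that the generator, not the vendor, decides whether the second set of checks exists; once it is missing it is missing in every library built from the same template, which is what turns one SDK bug into hundreds of vulnerable binaries.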
Dubbed DSP-gate (Check Point itself calls the research Achilles), the vulnerabilities allowed any app installed on a vulnerable handset, mainly Android devices, to run its own code on the DSP. Because the DSP sits outside the reach of Android’s permission model and of the security tools that inspect the main processor, code running there can spy on the device, disrupt it, or hide malware where the operating system cannot see it.
Qualcomm has patched the issue, but because of Android’s fragmented update chain each handset maker must integrate and ship the fix itself, so many handsets will wait a long time for it and some may never receive it.
“Although Qualcomm has fixed the issue, it’s sadly not the end of the story,” Yaniv Balmas, head of cyber research at Check Point, said, “hundreds of millions of phones are exposed to this security risk.”
“If such vulnerabilities are found and used by malicious actors,” Balmas added, “there will be tens of millions of mobile phone users with almost no way to protect themselves for a very long time.”
Fortunately, Check Point has not published the full technical details of DSP-gate, so attackers would have to rediscover the bugs themselves, which may buy some time before they are exploited in the wild.
In a statement Qualcomm said:
“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”