UPDATE (13 August 2020): Official statement from Qualcomm: "Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store." – Qualcomm Spokesperson
Original Story (08 August 2020):
Qualcomm's chipsets, which power the majority of Android smartphones in the world, have been found to have some serious security vulnerabilities in new research. As highlighted in the study, the vulnerabilities allow a hacker to target devices for spying and even extract information from them.
The new security research has been conducted by cyber security solutions expert Check Point. The study finds that the security flaws arise from the Digital Signal Processor (DSP) chips in Qualcomm's Snapdragon chipsets. These DSP chips are used for audio signal and digital image processing.
Since Qualcomm Snapdragon is the most widely used processor for smartphones in the world, the new-found security flaws leave around 40% of the world's smartphones vulnerable to such cyber attacks. These include high-end phones from the likes of Samsung, Google, OnePlus and others.
"Hexagon SDK is the official way for the vendors to prepare DSP related code," mentions the report. Check Point claims to have discovered "serious bugs" in this SDK that further led to "hundreds of hidden vulnerabilities in the Qualcomm-owned and vendors' code."
"The truth is that almost all DSP executable libraries embedded in Qualcomm-based smartphones are vulnerable to attacks due to issues in the Hexagon SDK," the report warns.
Check Point categorises these vulnerabilities into three kinds - spying, data theft and denial-of-service attacks.
Spying through these vulnerabilities lets a hacker pry into Android devices without any user input required. These hackers can then even deploy unremovable malware that is also capable of avoiding detection, warns the report. The same malware can also be used for data theft from the device.
Such malware can also render a device useless by a denial-of-service attack that makes the device unresponsive and thus out of use for the user.
For now, Check Point claims to have informed the concerned authorities of the vulnerabilities. In its blog, it said:
"We decided to publish this blog to raise awareness to these issues. We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer. The full research details were revealed to these stakeholders."
Although the six identified security flaws have been fixed by Qualcomm, it is difficult for the fixes to reach the devices already in use. That is because the only way for the security patches to reach devices is through mobile vendors, who need to directly deploy them to their users.
So until the fixes reach user devices, the vulnerabilities pose a potential risk to millions of Android users.