Millions of Android Phones At Risk Due to 'Achilles' Flaw in Qualcomm Chips (gizmodo.com)
"Researchers have found that Qualcomm's Snapdragon chip, one of the most widely used in Android phones, has hundreds of bits of vulnerable code that leaves millions of Android users at risk," reports Gizmodo:
To back up a bit, Qualcomm is a major chip supplier to several well-known tech companies. In 2019, its Snapdragon series of processors could be found on nearly 40% of all Android smartphones, including high-profile flagship phones from Google, Samsung, Xiaomi, LG, and OnePlus. Researchers from Check Point, a cybersecurity firm, found the digital signal processor (DSP) in Qualcomm Snapdragon chips had over 400 pieces of vulnerable code. The vulnerabilities, altogether dubbed "Achilles," can impact phones in three major ways.
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures. Once that's done, an attacker could turn the affected phone into a spying tool. They'd be able to access a phone's photos, videos, GPS, and location data. Hackers could potentially also record calls and turn on the phone's microphones without the owner ever knowing. Alternatively, an attacker could choose to render the smartphone completely unusable by locking all the data stored on it in what researchers described as a "targeted denial-of-service attack." Lastly, bad actors could also exploit the vulnerabilities to hide malware in a way that would be unknown to the victim, and unremovable.
Part of why so many vulnerabilities were found is that the DSP is a sort of "black box." It's difficult for anyone other than the manufacturer of the DSP to review what makes them work...
The article notes that Qualcomm has no evidence of the vulnerability being exploited in the wild, adding that the company has "reportedly since fixed the issue."
But they also note that it's still up to individual phone makers to push out the relevant security patches, "which could take some time."
Could take some time... (Score:5, Insightful)
But they also note that it's still up to individual phone makers to push out the relevant security patches, "which could take some time."
...Like forever, in the case of the vast majority of Android phones in User's hands.
Re: Could take some time... (Score:2)
Not forever!
That is totally unfair!
It'll happen way before the end of the heat death of the universe! [youtu.be]
Re: (Score:2)
The patches will come via Google Play for all supported handsets (most of them) and Google will be blocking any apps that try to use this exploit anyway.
Re: (Score:2)
The patches will come via Google Play for all supported handsets (most of them) and Google will be blocking any apps that try to use this exploit anyway.
Prove it.
Re: (Score:2)
Check Point Research decided not to publish the full technical details of these vulnerabilities until mobile vendors have a comprehensive solution to mitigate the possible risks described.
Probably in the baseband, which means there's an infinite number of further vulns there to be exploited. Those things are just a collection of mostly-functional IP cores glued together with code-like-it's-1983 duct tape; finding vulns in one is about as easy as finding weed in a school locker room.
How to do all this without any flaws or hacks: (Score:2)
Just be Google.
Or get an NSL, of course.
Flaw of a regular app (Score:2)
Isn't that what all "apps" do on phones? Not trying to be a smartass here, but I had to use an Android phone for a little
Re: (Score:2)
The other articles I saw on this mentioned it was a bug with the DSP used with video decode and that the vulnerability could be triggered just by going to a website with autoplay video. "The vulnerabilities can be exploited when a target downloads a video or other content that's rendered by the chip." [arstechnica.com]
Re:Flaw of a regular app (Score:4, Informative)
No. The key phrase is: "seemingly benign app that bypasses usual security measures"
In other words it relies on other zero day vulnerabilities to get root before it can even start screwing with the DSP code. If it has root you are screwed anyway, it can already turn your phone into a spy tool.
Since you say you have barely used Android I'll clarify that normal apps don't have root, and can't get root. They can't even ask the user for it, because the user can't get it either. Literally the only way is to use an exploit or unlock your phone and screw with the ROM image.
Re: (Score:2)
And to be clear, if an app has root WTF does it need further security vulnerabilities for.
Re: (Score:2)
In other words it relies on other zero day vulnerabilities to get root before it can even start screwing with the DSP code. If it has root you are screwed anyway
i might be wrong but found no statement in the references that root is necessary, just access to the dsp. as i understand this any app that e.g. processes video may legitimately have access to the dsp, and the problem is then the vulnerabilities in the dsp itself.
they don't really clarify what level of access to the dsp is necessary. if these vulns can be exploited by merely feeding it poisoned data in normal operation then that's serious.
Re: (Score:2)
Video decoding doesn't use the DSP, it uses the GPU and only via an API, not directly. Only apps with root can directly access the DSP.
Re: (Score:1)
Google changed the default to deny all permissions several years back. Apps now start off with no permissions, and specifically have to ask for you to enable permissions that they desire. I regularly deny location, storage access, contact list access, etc. on all sorts of apps for which I can't think of any possible reason why it would need those permissi
Re: (Score:3)
This is incorrect. For example, internet access rights are granted automatically, and the user cannot deny an app the right to access the internet without root.
Google changed SOME permissions to be auto-deny. Not even close to "all".
Re: (Score:2)
While internet access is enabled by default, my phone does allow me to block it without root. Now maybe it's Oxygen OS rather than Android that's doing it, but it's right in the settings:
Apps and notifications -> data usage control -> select the app.
You get a choice of: allow/forbidden/wifi only/data only
Beyond that, there are many proxy and VPN based apps you can install that run without root and allow blocking specific apps.
Re: (Score:2)
That is OnePlus' Oxygen OS. Android does not allow this, as this would be used for ad blocking.
And yes, there is a way to have an internal VPN tunnel for blocking internet access. Google doesn't allow this on play store to my knowledge. I block like this with Blokada, and its makers routinely complain that they cannot get into Play Store.
Re: (Score:2)
This is some serious hair splitting just to be technically correct.
I tip my hat to you sir.
Give me permission to hack you! (Score:2)
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures.
Not this shit again. "Hundreds of bits of vulnerable code" if you open the front door...
Re: (Score:2)
indeed, but the point is that any app with legitimate access to the dsp might use that to get unauthorized access or brick the phone. it essentially renders the permission system moot.
it is a considerable screw up. app vendors can do little until the provider sanitizes those hexagon sdk's libraries first. users should be extra wary of the permissions they give for a while.
Hundreds of bits? (Score:3)
That's dozens of bytes!
Not a problem (Score:2)
It's only a little glitch in the coming technocracy of chipping for tracking and controlling people and all their related information.
We have China to show us how.
Do not pay attention to all the other endless tech industry glitches behind the curtain. This "don't look" instruction is especially for tech people. Just keep your eyes on the $$$. The sum of the fails doesn't really add up to a massive fail. We have Murphy to prevent it.
Root required? (Score:2)
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures.
This is very ambiguous. "Usual security measures"? That could mean anything from "you have to allow the app access to camera/storage/mic/etc." to "only works on rooted phones." Without more information it's difficult to know if this is a serious problem (the former case) or a big nothing burger (the latter). I mean, seriously, if you have the technical chops to root your phone you're probably going to be competent enough to avoid obvious malware or the superfluous apps that sometimes hide it.
Re: (Score:3)
The ars [arstechnica.com] article linked above [slashdot.org] gives some insights in the first couple of paragraphs.
It appears that in this context "usual security measures" means the app permission system. It seems that even a web video could jump the data/code barrier in the DSP and that if someone wanted to they could also do it silently from an app with no permissions. It's as bad as stagefright or maybe even worse.
Re: Root required? (Score:1)
That is not how Android security works. Seriously, fix up. A quick Google on your iPhone for Google Play Protect is probably a good start. It is much better than an Apple engineer checking to see if an application may compete with its own products and saying it's good to go.
A none story (Score:2)
The Android apocalypse still fails to happen again. This is a story of a fixed issue. That relies both on the company lying, a user installing an app outside the Play Store, on an unpatched phone with one company's CPU (sic).
This is just getting dumb. There are vulnerabilities all the time.
shared-memory DSP baseband vulnerabilities not new (Score:2)
back in 2003 i bought around 9 different smartphones as part of the xanadux xda handhelds research (long before xda-developers morphed into an android-exclusive forum). most of them were HTC smartphones (Blueangel, Universal, Wallaby), one was the HP iPAQ hw6915 (designed under commission *by* HTC), and the last one was an iconic samsung phone with a slide-out keyboard.
all of them were exceptionally well-designed, having a separate GSM/3G chipset, with one notable exception: a low-cost smartphone that shoc
Re: (Score:2)
That's why I love (and continue) to use my Nokia N900. It's got a totally separate baseband setup that has no access to the main memory and main filesystem.
kr00k (Score:1)
https://www.eset.com/int/kr00k... [eset.com]
Dig in and there is a Python script which I tried on my MBP but it fails to run - I didn't try all that hard to get it working...
suzieq-2:~ betsuin$
File "./kr00k", line 57
print(prefix + msg, *args)
____________________^
SyntaxError: invalid syntax
suzieq-2:~ betsuin$
Mixed bag (Score:2)
Still, getting root on my existing ROM would mean not having to set it back up and/or look for a ROM that supports my phone (assuming LineageOS doesn't have something recent).