Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
Several security vulnerabilities found in Qualcomm's Snapdragon chip Digital Signal Processor (DSP) chip could allow attackers to take control of more than 40% of all smartphones without user interaction, spy on their users, and create un-removable malware capable of evading detection.

DSPs are system-on-chip units are used for audio signal and digital image processing, and telecommunications, in consumer electronics including TVs and mobile devices.

Despite their complexity and the number of new features and capabilities DSP chips can add to any device, unfortunately, they also introduce new weak points and expand the devices' attack surface.

The vulnerable DSP chip "can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more," according to Check Point researchers who found these vulnerabilities.

Apple's iPhone smartphone line is not affected by the security issues discovered and disclosed by Check Point in their report.

Check Point disclosed their findings to Qualcomm, who acknowledged them, notified device vendors, and assigned them with the following six CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209.
Update: Added Qualcomm statement:

It is now up to the vendors, such as Google, Samsung, and Xiaomi, to integrate those patches into their entire phone lines, both in manufacturing and in the market. Our estimations are that it will take a while for all the vendors to integrate the patches into all their phones. Hence, we do not feel publishing the technical details with everyone is the responsible thing to do given the high risk of this falling into the wrong hands. For now, consumers must wait for the relevant vendors to also implement fixes.
 
F

ForgottenSeer 85179

GrapheneOS will remove the whole DSP part:


Also:
Pixels have a dedicated SELinux domain for Google Camera extending the standard untrusted app domain with access to the Hexagon DSP (qdsp_device label) and Pixel Neural Core (airbrush_device). Neural Core is a TPU + IPU combo developed in some kind of collaboration with Samsung.

In AOSP or the stock OS on Pixels, apps only have indirect access to QDSP or the Neural Core is via the high-level NN API
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top