Qualcomm chipsets are used in a wide range of smartphones, tablets, and other devices. The company's chipsets power millions of devices across the world. But even the most powerful chipsets can be prone to flaws. A new vulnerability has been discovered in Qualcomm's chipsets that could allow an attacker to gain root access on the device. The flaw affects 46 Qualcomm chipsets which are currently used in several smartphones, tablets, laptops, and smartwatches.
The security bug (CVE-2018-11976) can enable an attacker to gain access to private data and even encryption keys stored in the Qualcomm Secure Execution Environment (QSEE). Qualcomm has patched the flaw earlier this month, tagging it as 'critical'.
The flaw was first discovered in March last year by Keegan Ryan, a security researcher with NCC Group, as reported by ZDNet. Ryan has also published a white paper, explaining the flaw. He claims he was able to grab private security keys using a rooted Nexus 5X smartphone.
Google has added the fix as a part of its April 2019 security patches, but Android manufacturers are known to be lazy about pushing security patches to its consumers. This means a large number of Android devices using these Qualcomm chipsets are still prone to the security vulnerability.
The Qualcomm Security Executive Environment (QSEE) offers a safe environment to process critical data including private encryption keys and passwords. Only the app that stored the data in QSEE can access it, preventing malicious apps from accessing the sensitive data.
QSEE was created to prevent anyone from gaining complete access to a device, but the latest security flaw defeats that purpose entirely. To exploit the vulnerability, an attacker needs root access on a device which isn't quite impossible.
The flaw affects popular Qualcomm chips used on smartphones such as: Snapdragon 200 series, Snapdragon 400 series, Snapdragon 625, Snapdragon 660, Snapdragon 670, Snapdragon 710, Snapdragon 820, Snapdragon 835, and Snapdragon 845. Qualcomm has listed all the affected chipsets in its security bulletin.
Ryan said he has notified Qualcomm about the flaw last year. Earlier this month, Qualcomm had patched the vulnerability and it's now up to device manufacturers to quickly deploy Google's Android April 2019 security update.
In case you own a device that uses any of these 46 affected Qualcomm chips, make sure you upgrade to the Android April 2019 security patch as soon as it's made available by your phone's manufacturer.