Android smartphones running on a specific Qualcomm digital signal processor (DSP) chip are reported to have as many as 400 vulnerabilities. Security research firm Check Point in its research discovered that these vulnerabilities allow hackers to access sensitive information, render the mobile phone constantly unresponsive, and allow malware and other malicious code to completely hide their activities and become un-removable. Check Point says that Qualcomm DSP chips are found in high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.
Check Point, on its blog, notes that Qualcomm was told of these vulnerabilities earlier on. The research firm says that the chip manufacturer has acknowledged them and even notified the relevant device vendors regarding the vulnerabilities. It assigned several CVE fixes to device vendors including CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Check Point is dubbing this vulnerability group as Achilles.
In a statement to Market Watch, Yaniv Balmas, head of cyber research at Check Point, commented "Although Qualcomm has fixed the issue, it's sadly not the end of the story. Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data."
A Qualcomm spokesperson told the publication, "Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store."
Check Point has not published full technical details of these Achilles vulnerabilities as it wants mobile vendors to work on possible solutions to mitigate the possible risks these vulnerabilities cause. The 400 vulnerabilities found inside the Qualcomm DSP chip can allow attackers to turn the phone into a perfect spying tool, without any user interaction required. Hackers can gain access to photos, videos, call-recording, real-time microphone data, GPS and location data, and much more by exploiting these vulnerabilities.
Furthermore, attackers may also be able to render the mobile phone constantly unresponsive making all the information stored on this phone permanently unavailable. This targeted denial-of-service attack can enable hackers to block the user from accessing photos, videos, contact details, and more. Lastly, these vulnerabilities allow malware and other malicious code to completely hide their activities and become un-removable.
Check Point says that DSP chips are ‘breeding grounds' for vulnerabilities as they are being managed as “Black Boxes” due to the complex nature of these chips and their undefined architecture. Due to this reason, mobile vendors have to rely on chip manufacturers to address the issue first. These vulnerabilities are reported to have affected a slew mobile phones. While the exact number is not known, Qualcomm chips are embedded into nearly 40 percent of mobile phones in the market, a 2019 Strategy Analytics report claims - leaving millions of devices potentially at risk to the Achilles vulnerabilities.
Why are smartphone prices rising in India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.