Six serious bugs in Qualcomm’s Snapdragon mobile chipset impact up to 40 percent of Android phones in use, according to research released at the DEF CON Safe Mode security conference Friday.
The flaws open up handsets made by Google, Samsung, LG, Xiaomi and OnePlus to DoS and escalation-of-privileges attacks – ultimately giving hackers control of targeted handsets. Slava Makkaveev, a security researcher with Check Point, outlined his discovery and said that while Qualcomm has provided patches for the bugs, most OEM handset makers have not yet pushed out the patches.
The faulty Qualcomm component is the mobile chip giant’s Snapdragon SoC and its Hexagon architecture. Hexagon is a brand name for Qualcomm’s digital signal processor (DSP), part of the SoC’s microarchitecture. The DSP controls the processing of real-time requests between the Android user environment and the Snapdragon processor’s firmware – it is in charge of turning voice, video and services such as GPS location sensors into computationally actionable data.
Makkaveev said the DSP flaws can be used to harvest photos, videos, call recordings, real-time microphone data, and GPS and location data. A hacker could also cripple a targeted phone or implant malware that would go undetected.
The six flaws are CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Using a fuzzing technique against handsets with the vulnerable chipset, Check Point was able to identify 400 discrete attacks.
The prerequisite for exploiting the vulnerabilities is that the target would need to be coaxed into downloading and running a rogue executable.
Qualcomm declined to answer specific questions regarding the bugs and instead issued a statement:
“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.” – Qualcomm Spokesperson
The flaws were brought to Qualcomm’s attention between February and March. Patches were developed by Qualcomm in July. A cursory review of vulnerabilities patched in the July and August Google Android Security Bulletins reveals that patches have not yet been pushed to handsets. For that reason, Check Point chose not to reveal technical specifics of the flaws.
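Because the article reports that OEM patches had not yet reached handsets, the practical question for anyone managing a fleet is which devices run a Qualcomm platform and what security patch level they carry. The script below is an added example, not Check Point’s or Qualcomm’s code: it parses the key/value format printed by `adb shell getprop`, flags devices whose `ro.board.platform` looks like a Qualcomm Snapdragon platform, and compares `ro.build.version.security_patch` against a required patch date. The two `getprop` samples are constructed, the list of Qualcomm platform prefixes is an illustrative heuristic, and the required date is a caller-supplied placeholder, since the article does not identify a bulletin that carries the fixes.

```python
import re
from datetime import date

# Constructed samples of `adb shell getprop` output (not captured from real devices).
SAMPLE_GETPROP_QUALCOMM = """\
[ro.board.platform]: [sdm845]
[ro.build.version.security_patch]: [2020-06-05]
[ro.product.manufacturer]: [samsung]
"""
SAMPLE_GETPROP_OTHER = """\
[ro.board.platform]: [exynos9820]
[ro.build.version.security_patch]: [2020-08-05]
[ro.product.manufacturer]: [samsung]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Assumption: illustrative prefixes of Snapdragon platform names seen in
# ro.board.platform; this list is a heuristic, not an exhaustive inventory.
QUALCOMM_PREFIXES = ("msm", "sdm", "sm", "apq", "kona", "lito", "atoll", "trinket")


def parse_getprop(text: str) -> dict:
    """Turn getprop output into a {key: value} dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def is_qualcomm(props: dict) -> bool:
    """Heuristic: does the board platform name look like a Snapdragon part?"""
    platform = props.get("ro.board.platform", "").lower()
    return platform.startswith(QUALCOMM_PREFIXES)


def patch_level(props: dict):
    """Return the security patch level as a date, or None if absent/unparseable."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def assess(props: dict, required_patch: date) -> str:
    """Classify a device: 'not-qualcomm', 'unknown-patch-level', 'behind' or 'ok'."""
    if not is_qualcomm(props):
        return "not-qualcomm"
    level = patch_level(props)
    if level is None:
        return "unknown-patch-level"
    return "ok" if level >= required_patch else "behind"


if __name__ == "__main__":
    # Placeholder required date; replace with the bulletin date your OEM names.
    required = date(2020, 8, 5)
    for name, sample in (("device-A", SAMPLE_GETPROP_QUALCOMM),
                         ("device-B", SAMPLE_GETPROP_OTHER)):
        print(name, assess(parse_getprop(sample), required))
```

Devices classified as `behind` or `unknown-patch-level` are the ones to follow up on with the OEM; `not-qualcomm` devices are outside the scope of these particular CVEs but still deserve their own patch review.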
What technical details are available can be found in a DEF CON Safe Mode video posted online. Here Makkaveev shares some technical specifics.
The focus of Check Point’s research was on the Snapdragon Hexagon SoC and the DSP chip architecture and the aDSP and cDSP subsets, the researcher noted during his session.
The researchers further focused on the communications between the Android handset’s CPU and the Qualcomm DSP within the Hexagon framework. Communication between the Android operating environment and the DSP Qualcomm firmware generates data that is stored in separate libraries (called skeleton libraries) within a shared memory channel.
The skeleton library acts as the glue between Android instructions and DSP instructions. Functions inside the skeleton library are a “black box” and proprietary. However, Check Point found the DSP library is accessible to developers via the Qualcomm Hexagon software development kit (SDK). From there, researchers were able to develop instructions to crash, downgrade and execute code within the DSP process.
“Hexagon SDK is the official way for the vendors to prepare DSP related code. We discovered serious bugs in the SDK that have led to the hundreds of hidden vulnerabilities in the Qualcomm-owned and vendors’ code. The truth is that almost all DSP executable libraries embedded in Qualcomm-based smartphones are vulnerable to attacks due to issues in the Hexagon SDK,” researchers noted.
Attacks allow attackers to create persistent DoS conditions on a handset – until the hardware is factory reset. An attack could also include a DSP kernel panic that reboots the phone. And because, according to Check Point, mobile antivirus protection doesn’t scan Hexagon instruction sets, an adversary can hide malicious code within the DSP skeleton library.
“The DSP is responsible for preprocessing streaming video from camera sensors,” researchers wrote. So, “an attacker can take over this flow… The next step is gain privileges of the guest OS.”
In a video demo, posted online, Check Point demonstrated an escalation of privileges attack that allows an attacker to gain control of the targeted system.
“Qualcomm aDSP and cDSP subsystems are very promising areas for security research,” Makkaveev said. “The DSP is accessible for invocations from third-party Android applications. The DSP processes personal information such as video and voice data that passes through the device’s sensors. As we have proven, there are many security issues in the DSP components.”