Over 400 vulnerabilities in Qualcomm chipsets have put billions of Android users at risk: Researchers

Researchers at Checkpoint recently discovered that Qualcomm chipsets are ridden with over 400 vulnerabilities, which in turn, puts over billions of Android smartphone users all over the world, at risk.

Over 40 percent of smartphones in the world use Qualcomm chipsets.

As per the researchers, the vulnerabilities have been found within code sections of the Qualcomm Snapdragon digital signal processor (DSP) chip and can be exploited when a user downloads a video or any other content that’s rendered by the chip. Another way the vulnerability can be misused is by installing malicious apps that require no permissions at all.

Once that's in place, attackers can monitor a user's location, listen on them, access their photos and videos, among other things. In some cases, according to the researchers, vulnerabilities could also allow an attacker to a render a user's phone completely unresponsive.

“While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features—they do come with a cost. These chips introduce new attack surface and weak points to these mobile devices. DSP chips are much more vulnerable to risks as they are being managed as ‘Black Boxes’ since it can be very complex for anyone other than their manufacturer to review their design, functionality or code,” the researchers said in the brief about the vulnerability.

For the uninitiated, a DSP is one of the function of the system on chip (SoC), which in Qualcomm's case is called Snapdragon. DSP is responsible for a myriad of tasks like charging abilities and video, audio, augmented reality, and other multimedia functions.

CheckPoint reveals in its blog, that Qualcomm was notified about the vulnerabilities earlier on, and it acknowledged the issue and apprised relevant device vendors regarding the vulnerabilities. It assigned several CVE fixes to device vendors including CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

Meanwhile, Qualcomm has also responded to the issue and it says that till now there is no evidence that shows that any of the reported vulnerabilities have been exploited.

"Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store," Qualcomm told The Forbes. 

 

from Firstpost Tech Latest News https://ift.tt/3iqEDEE