Attacks on specific chips or chipsets usually have wide reaching implications. Devices tend to use off the shelf chips inside rather than develop their own for a number of reasons. For Android phones the most popular processor chip family is the Qualcomm Snapdragon family of system on a chip (SoC). The Snapdragon is used in phones made by Samsung, Google, LG, and Xiaomi, to name a few. Recently at the DEFCON Safe Mode security conference, researchers from Check Point security revealed 6 critical flaws in the popular Snapdragon SoC that open nearly 40% of smartphones to attack.
Snapdragon is a SoC, meaning it contains various embedded components instead of just being a traditional processor with a single task. One component it embeds is the digital signal processor (DSP), which is responsible for turning data from various sensors into digital data that the operating system can work with. The DSP is where the researchers focused their efforts after discovering a software development kit (SDK) for the component was available. The SDK is available for legitimate software to utilize when it requires functionality that the DSP provides. The researchers instead were able to use it to get a clearer understanding of how to interface with the DSP, which normally operates like a black box to external software.
The researchers were able to develop their own instructions for the DSP that would allow them to do things like start a persistent DoS attack only fixable via a complete factory reset. They were also able to demonstrate a privilege escalation attack on the system, allowing them to completely take over the handset. Once the system is compromised in this manner further malware would be able to completely hide its activity and become un-removable. In order to perform these attacks, the researchers say that a user needs to be tricked into running a malicious executable. This might not be too difficult as the code can be embedded into legitimate looking apps. Normal phone virus scanners won’t detect the presence of malicious code because they don’t scan the SDK instruction sets.
Qualcomm was notified about the vulnerabilities between February and March of this year according to the researchers. Patches to the vulnerable components were developed in July but do not appear to have been pushed to handsets yet. Users of the affected devices should watch for future updates to ensure that their devices do not remain vulnerable to the attacks.
Qualcomm Bugs Open 40 Percent of Android Handsets to Attack | Threatpost