According to reports, Android smartphones running on specific Qualcomm digital signal processor (DSP) chips have as many as 400 vulnerabilities. Security research company Check Point found that these vulnerabilities allow hackers to access sensitive information, render phones unresponsive, and let malware and other malicious code completely hide its activities and become unremovable. Check Point said that high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and others contain Qualcomm DSP chips.
Check Point noted on its blog that Qualcomm had been notified of these vulnerabilities earlier. The research company said that the chip manufacturer has acknowledged the vulnerabilities and notified the relevant equipment suppliers. The vulnerabilities have been assigned multiple CVEs, including CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Check Point refers to this vulnerability group as Achilles.
Yaniv Balmas, head of network research at Check Point, said in a statement to Market Watch: “Although Qualcomm has solved this problem, unfortunately the story is not over. Hundreds of millions of mobile phones face this security risk. You can be monitored. You may lose all data.”
A Qualcomm spokesperson told the publication: “With regard to the Qualcomm Compute DSP vulnerability disclosed by Check Point, we are working to verify the problem and provide appropriate mitigation measures for OEMs. We have no evidence that the vulnerability is being exploited. We encourage end users to update their devices as patches become available and to install applications only from trusted locations such as the Google Play Store.”
Check Point has not released the complete technical details of the Achilles vulnerabilities because it hopes that mobile vendors will research possible solutions to mitigate the potential risks. There are 400 vulnerabilities in Qualcomm’s DSP chip. Attackers can turn the phone into a perfect spy tool without any user interaction, using these vulnerabilities to access photos, videos, call logs, real-time microphone data, GPS and location data, and more.
In addition, an attacker may render the mobile phone unresponsive, making all information stored on it permanently unavailable. This targeted denial-of-service attack can prevent users from accessing photos, videos, contact information and other data. Finally, these vulnerabilities allow malware and other malicious code to completely hide its activities and become unremovable.
Check Point said that due to the complexity and undefined architecture of DSP chips, they are managed as “black boxes” and are therefore “hotbeds” of vulnerabilities. For this reason, mobile suppliers must first rely on chip manufacturers to solve the problem. According to reports, these vulnerabilities affect many mobile phones. A 2019 Strategy Analytics report stated that although the exact number is not yet known, Qualcomm chips have been embedded in nearly 40% of the mobile phones in the market; millions of devices are potentially threatened by the Achilles vulnerabilities.