Qualcomm's smartphone chipsets contain over 400 vulnerable pieces of code that could allow attackers to turn a victim's phone into a "perfect spying tool," according to a new report from security firm Check Point Research. Qualcomm's Snapdragon processors power more than 40 percent of Android smartphones on the market today, including phones from Google and Samsung.
Small chip, big consequences – Check Point says it identified the vulnerabilities within the digital signal processor (DSP) in Snapdragon chips. These DSP chips can support enhanced features like quick charging and hi-def audio. Exploiting the flawed code could allow an attacker to worm their way into a phone through a malicious app and then extract sensitive content like photos, videos, and GPS location data. They could also wipe the phone and make it constantly unresponsive, or hide malicious code within the phone that grants them access to the camera and microphone.
UPDATE (August 8, 3 p.m. ET): A Qualcomm spokesperson provided the following statement to Input:
Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.
A new attack vector – The reason why this information is only coming to light now, according to Check Point, is that DSP chips are "black boxes" that are difficult for anyone other than the manufacturer to analyze. It's hard to know what makes them work, which can be problematic because it means security researchers have a hard time testing them for flaws. There's no evidence that any of the flaws identified have ever been exploited.
It's common for hackers to harvest vulnerabilities and sell them on the black market to nation-states or private groups with nefarious intentions. Smartphones have become the de-facto place where people store and access their most sensitive information, so exploits that can allow malicious code to hide quietly in the background are very valuable to the right audience.
Check Point says it's notified Qualcomm and the company has since released patches for all of the vulnerabilities. The only problem there is that since Android is so fragmented, individual smartphone makers need to deliver the patches to their own devices. Qualcomm says it's working with manufacturers to get that done and in the meantime users should only download apps from trusted app stores like the Play Store.
What that also means is that the next time your phone tells you it needs updating you should go ahead and do it. But then, you do that already, right?