Google recently rolled out an update to fix critical security vulnerabilities on Android devices. However, a report indicates that more than 400 vulnerable pieces of code were found on the DSP of Qualcomm's chipsets. If left unpatched, the report says, they could turn smartphones into spying tools and let hackers install malware.
Security firm Check Point recently carried out research named "Achilles". In it, they reportedly performed an in-depth security review of a DSP chip on Qualcomm Technologies' AP (Applications Processor) and found vulnerabilities hidden inside the Hexagon DSP of a Qualcomm Snapdragon SoC.
For starters, DSP stands for Digital Signal Processor. It is one of the important components that handles real-time requests between users and the firmware. These include image, audio and voice processing, neural network calculations, camera streaming, GPS positioning and more.
The vulnerabilities found are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. They appear to be prone to DoS (Denial of Service) or privilege escalation attacks.
What is a privilege escalation attack?
It is a network attack that is used to obtain unauthorized access to systems within the security perimeter. Once in, the attacker can take control of the target device and make it a spying tool. They can make the device practically useless, or use malware to hide their activities inside the phone, and that malware can become non-removable.
Are DSPs that vulnerable?
The report further said that the attacker can gain access to personal data. This includes photos, videos, call recordings, GPS location data, microphone data and more. They only need to induce users to click on an executable file to gain the access needed to exploit the vulnerabilities.
Once this is successful, the attacker can create a permanent Denial of Service, sabotaging the device. To put things into perspective, they can brick the device by destroying the firmware, in turn making it useless.
Check Point believes that DSPs are a black box, which makes them very complex for anyone other than the manufacturer to analyse. Hence, despite providing various solutions at a cheaper cost, DSPs are a weaker link that requires vendors, manufacturers, and security analysts to work in conjunction.
Qualcomm Snapdragon chips power most of the Android flagships, with almost 40% overall market share according to reports. With Android already being the most vulnerable, it will be a nightmare for companies to tackle further exploitation.
The report says that the issue was reported to Qualcomm back in February, and while the company issued a fix in June, it is unclear if OEMs have pushed it. As per the report, even Google had yet to address this vulnerability as of the end of July. For further details, you can attend the webinar session scheduled for August 13.