Many vulnerabilities found in Qualcomm's Snapdragon Digital Signal Processor (DSP) chip could allow hackers to take control of nearly 40% of smartphones, spy on their users and create a create un-removable malware which will not be detectable. DSPs are system-on-chip units used for audio signal and digital image processing and telecommunications, in electronic Appliances, including TVs and mobile devices. Despite their complexity and the number of new features, DSP chips can be added to any device, but they also bring new vulnerabilities, thus expanding the surface attack of the devices.
According to her researchers Check Point identified these vulnerabilities, the vulnerable DSP chip can be found in almost every Android device, including state-of-the-art mobile phones from tech giants such as Google, Samsung, LG, Xiaomi, OnePlus and many more. It is worth noting, however, that its line of iPhone smartphones Apple is not affected by the vulnerabilities discovered and examined by Check Point.
Check Point revealed its findings to Qualcomm, which identified them, alerted device suppliers and reported the following vulnerabilities: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE -2020-11208 and CVE-2020-11209.
According to Check Point, these vulnerabilities could have the following consequences:
• Allow hackers to turn a cell phone into an espionage tool without the need for user interaction. At the same time, the information that can be stolen from the mobile phone includes photos, videos, call history, microphone data in real time, GPS, location data and more.
These vulnerabilities could also lead to a non-response of the cell phone, making all the information stored on that cell phone permanently inaccessible - including photos, videos, contact information, etc. - in other words, a targeted DoS attack.
• They can also use malware and other malware code which can completely hide their activities.
Qualcomm has fixed the vulnerabilities by releasing security updates. Although Qualcomm has already fixed the six vulnerabilities affecting the Qualcomm Snapdragon DSP chip, mobile vendors need to implement and deliver fixes security to users of their devices, as the threat still exists, as devices are still vulnerable to attacks.
Check Point researchers did not publish technical details behind these vulnerabilities to allow mobile vendors to develop and deliver security updates to users to mitigate any risks. However, they did publish a blog to raise awareness of these security issues for both vendors and users. In addition, researchers have informed relevant government officials and mobile phone suppliers with whom they collaborated in this research. The full details of the investigation were revealed to those interested.
Providing technologies that offer strong security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability revealed by Check Point, the company said it was working to resolve the issue and suggest appropriate mitigation to OEMs. The company also stressed that so far there are no indications that these vulnerabilities have been exploited. Finally, it advises users to update their devices with the available ones updates and install apps only from trusted sites like the Google Play Store.