No one can question that with Snapdragon, Qualcomm has managed to create a line of chips that is perfectly suited to the needs of the mobility market. And this, of course, has caused it to become the go-to manufacturer for Android-based devices. A success story that has been adding years and that other technology companies observe with envy. However, a dangerous effect of that supremacy is that if any of your products suffers a problem, it will affect a huge number of users.
And that’s what has revealed the security company Check Point in the context of the DEF CON Safe Mode security event, a set of issues that affect Snapdragon SoCs using Hexagon architecture. According to the first calculations, these security flaws could affect 3 billion of Android smartphones, approximately 40% of the fleet of smartphones.
The problem is located in the digital signal processor (DSP) using in the Snapdragon SoCs, a component dedicated to speed up the conversion of multiple input elements to facilitate their processing by the CPU. It is a proven fact that a DSP translates into better performance, both in terms of processing speed of said data and energy efficiency, contributing to a greater durability of the battery charge of smartphones.
Identified with the codes CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209, the six problems detected in the Snapdragon SoCs would allow an attacker recolect all the information that passes through the SoC’s DSP processor, as well as forcing the reboot of the device causing a kernel panic and even render it completely unusable, thus forcing it to be restored to factory settings. Check Point, following common good practices in these cases, has not revealed the nature of Snapdragon’s problems, pending Qualcomm release patches to fix the problem.
The hypothetical attacker who wants to use these vulnerabilities should persuade the user of the device to install a malicious app. We do not know if Google can prevent their arrival in the Play Store but, even if so (and it is hoped that they will), still it would be possible to upload them to unofficial stores, a technique that, unfortunately, is the most common and that, every day, threatens the security of millions of devices and users.
Qualcomm has already known about the problems of Snapdragon with Hexagon for a few months, and in principle the patches would already be ready. In addition, they claim, no presence detected in the wild of attacks based on these vulnerabilities. Fortunately, since we are talking about a problem that, even if smartphones have some security solution, cannot be avoided by them. The problem is that, although Qualcomm has already referred them to Google, they do not appear to have been distributed in the Android security updates. We hope they do so as soon as possible.