No one can question that with Snapdragon, Qualcomm has managed to create a line of chips that is perfectly suited to the needs of the mobility market. And this, of course, has caused it to become the go-to manufacturer for Android-based devices. A success story that has been going on for years and that other technology companies observe with envy. However, a dangerous effect of that supremacy is that if any of your products suffers a problem, it will affect a huge number of users.
And that is what the security company Check Point has revealed in the context of the security event DEF CON Safe Mode, a set of problems that affect Snapdragon SoCs using Hexagon architecture. According to the first calculations, these security flaws could affect 3 billion of Android smartphones, approximately 40% of the fleet of smartphones.
The problem is located in the digital signal processor (DSP) using in the Snapdragon SoCs, a component dedicated to speeding up the conversion of multiple input elements in order to facilitate their processing by the CPU. It is a proven fact that a DSP translates into better performance, both in terms of processing speed of said data and energy efficiency, contributing to a longer battery life of smartphones.
Identified with the codes CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209, the six problems detected in the Snapdragon SoCs would allow an attacker reco-collect all the information that passes through the SoC’s DSP processor, as well as forcing the reboot of the device causing a kernel panic and even making it completely unusable, thus forcing its restoration to factory settings. Check Point, following common good practices in these cases, has not disclosed the nature of Snapdragon’s problems, waiting for Qualcomm to release patches to fix the problem.
The hypothetical attacker who wants to use these vulnerabilities should persuade the user of the device to install a malicious app. We do not know if Google can prevent their arrival in the Play Store but, even if so (and it is hoped that they will), still it would be possible to upload them to unofficial stores, a technique that, unfortunately, is the most common and that, every day, threatens the security of millions of devices and users.
Qualcomm has already been aware of Snapdragon’s problems with Hexagon for a few months, and in principle the patches would already be ready. In addition, they claim, no presence in the wild of attacks based on these vulnerabilities has been detected. Fortunately, since we are talking about a problem that, even if smartphones have some security solution, cannot be avoided by them. The problem is that, although Qualcomm has already referred them to Google, they do not appear to have been distributed in the Android security updates. We hope they do it as soon as possible.