Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip was found to have multiple vulnerabilities that could allow for the takeover of nearly 40% of all smartphones, according to Check Point researchers. The vulnerabilities could give attackers the ability to listen through the device microphone, steal private messages and data files, and inject malware that is virtually unremovable and undetectable. The chip’s regular functions for TVs and mobile devices include audio signaling, digital image processing, and telecommunications. While these chips can be found in almost all Android phones, iPhones are not affected. After Check Point’s discoveries, they notified Qualcomm who then assigned CVEs and reported them to smartphone manufacturing vendors. The CVEs are CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. Checkpoint assessed that these vulnerabilities would allow for:
- Attackers to turn the phone into a perfect spying tool, without any user interaction required. The information that can be exfiltrated from the phone includes photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
- Attackers to render the mobile phone constantly unresponsive. This would make all the information stored on this phone permanently unavailable–including photos, videos, contact details, etc.–in other words, a targeted denial-of-service attack.
- Installation of malware and other malicious code that can completely hide its activities and become unremovable.
Qualcomm has since patched the vulnerabilities and has no evidence that they are being exploited, but the companies whose devices contain chips are responsible for implementing the fixes and providing updates to device owners.
Technical details have yet to be released regarding the vulnerabilities. Until vendors make the fixes to their devices, users should continue regular security measures to protect their mobile devices which include keeping up with patches and updates, using strong passwords, enabling 2FA, protecting network traffic using a VPN, and using a trusted anti-virus application. These security practices will help protect mobile device owners from other threats but will not necessarily help protect against the Qualcomm vulnerability until device manufacturers release an update to fix it. Some Android devices that are past their end-of-life technical support cut-off date may never receive updates and should be replaced. Since exploitation of the vulnerabilities discovered by Check Point requires installation of a malicious app, the best practice to avoid being affected by the Qualcomm chip flaws is to limit the apps that are installed on the device to only trusted apps from vetted sources such as the Google Play store.