Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip was found to have multiple vulnerabilities that could allow for the takeover of nearly 40% of all smartphones, according to Check Point researchers. The vulnerabilities could give attackers the ability to listen through the device microphone, steal private messages and data files, and inject malware that is virtually unremovable and undetectable. The chip’s regular functions for TVs and mobile devices include audio signaling, digital image processing, and telecommunications. While these chips can be found in almost all Android phones, iPhones are not affected. After Check Point’s discoveries, they notified Qualcomm who then assigned CVEs and reported them to smartphone manufacturing vendors. The CVEs are CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. Checkpoint assessed that these vulnerabilities would allow for:
- Attackers to turn the phone into a perfect spying tool, without any user interaction required. The information that can be exfiltrated from the phone includes photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
- Attackers to render the mobile phone constantly unresponsive. This would make all the information stored on this phone permanently unavailable–including photos, videos, contact details, etc.–in other words, a targeted denial-of-service attack.
- Installation of malware and other malicious code that can completely hide its activities and become unremovable.
Qualcomm has since patched the vulnerabilities and has no evidence that they are being exploited, but the companies whose devices contain chips are responsible for implementing the fixes and providing updates to device owners.