A recent disclosure by security firm Check Point has revealed multiple vulnerabilities in Hexagon, a component of Qualcomm’s Snapdragon chips. On Android, these vulnerabilities can be exploited by attackers to gain full access to a user’s personal space. And by personal space I mean a complete handset takeover, which doesn’t even require user interaction.
These flaws allow attackers to spy, make the device unresponsive, and much more. The researchers claim to have found more than 400 attacks in total to exploit the vulnerabilities.
With these attacks they can basically own the user’s device. They can do whatever they please, from accessing the user’s images and videos to recording audio.
What is the Vulnerability?
The SoC has something called the Hexagon Digital Signal Processor (DSP). The SoC acts as a host for the CPU and GPU. The main function of the DSP is to handle all the multimedia needs and also the modem. DSPs provide power and performance advantages over other chips for mobile devices.
With that being said, the vulnerability exists in the software (source code) itself. The vendor-specific Android systems have to interact with the DSP to make Android function properly, and to do that the system invokes DSP APIs directly or indirectly.
This makes it possible for anyone who understands how machine-level instructions work to exploit the vulnerability. But the good news is that the manufacturers have already patched the vulnerabilities.
Regardless of the patch state of the vulnerability, the Android devices out there are susceptible to exploits of the Qualcomm vulnerability.
More details on how it works have not yet been explained. They are likely to be shown at Def Con 2020 soon. Till then, stay tuned for other news as well.
How was the vulnerability found?
The vulnerability is reported to have been found by a method called fuzzing. Now, the word fuzzing might be something you have never heard of. It is something like monkey testing, which simply means providing random input to the system in the hope of finding some bugs.
Fuzzing in the security field is similar. The system is fed random combinations of data, and that data might make the system do something that was not anticipated. That unexpected behaviour is what reveals the vulnerability in the system.
The bugs in the Hexagon DSP are said to have been found in a similar way. But the exact details have not been made public, so we have to wait till Def Con 2020.
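To make the idea concrete, here is a small fuzzer written for this article as an added example; it is not Check Point's tooling and has nothing to do with the actual Hexagon code. The record format, both parsers and every name in it are constructed for illustration: one parser trusts a length byte, the other checks it, and the fuzzer mutates a valid record until the unchecked parser reads past the end of its input.

```python
import random

# Constructed toy format for this example: [tag][length][payload ...]
def parse_record(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("short header")
    length = data[1]
    # BUG (deliberate): trusts the length byte, never checks the buffer size
    return bytes(data[2 + i] for i in range(length))

def parse_record_checked(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("short header")
    length = data[1]
    if length > len(data) - 2:  # the missing bounds check
        raise ValueError("length exceeds buffer")
    return data[2:2 + length]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random byte edits (overwrite, insert, delete) to the seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(3)
        if choice == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif choice == 1:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Return (input, exception name) for every input the target mishandles."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except ValueError:
            continue  # clean rejection of malformed input: expected
        except Exception as exc:  # anything else is a bug worth triaging
            crashes.append((sample, type(exc).__name__))
    return crashes

SEED = bytes([0x01, 0x04]) + b"DATA"  # constructed valid record
if __name__ == "__main__":
    print("unchecked parser crashes:", len(fuzz(parse_record, SEED)))
    print("checked parser crashes:  ", len(fuzz(parse_record_checked, SEED)))
```

In Python the out-of-bounds access surfaces as an IndexError; in native code the same missing check would read memory beyond the buffer, which is why this kind of testing is run before the code ships.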
Situation of Qualcomm vulnerability in Android
One thing about these vulnerabilities you might not know is that the vulnerabilities found must first be reported to the respective parties. They must be given enough time to patch the vulnerability before the information can be made public.
So, the bottom line is that if you are reading the news about some vulnerability, the reporting date is at least 3 months after discovery. The manufacturers have already patched and rolled out updates for supported devices.
Unsupported devices still remain vulnerable to the attacks. Hence the need to update the gadgets you own. If you have not received updates, you might soon receive them; if you don’t, you’re dependent on your luck.