Qualcomm Snapdragon bugs leave almost half of all smartphones open to attack

(Image credit: Qualcomm)

New research from Check Point has discovered over 400 vulnerabilities in Qualcomm's Snapdragon Digital Signal Processor (DSP) chip that if exploited, could allow hackers to take control of over 40 percent of all smartphones.

A DSP is a system on a chip that is used for audio signal and digital image processing in a number of consumer devices including TVs and smartphones. While DSP chips bring a number of new features and capabilities to the devices they're used in, they also introduce new weak points and expand a device's attack surface.

The vulnerabilities discovered by Check Point have serious implications as Qualcomm's chips are found in nearly every Android smartphone including flagship phones from Google, Samsung, LG, Xiaomi, OnePlus and other hardware makers.

By exploiting the vulnerabilities in Qualcomm's DSP chip, an attacker can spy on users via their smartphones, render a user's mobile phone constantly unresponsive and create un-removable malware capable of evading detection.

DSP chip vulnerabilities

Check Point responsibly disclosed its findings to Qualcomm and the chip maker acknowledge the vulnerabilities, notified device vendors and assigned six of the flaws with CVE listings.

Qualcomm has already patched the six security flaws affecting its Snapdragon DSP chip but smartphone makers still have to implement and deliver fixes to their users' devices which means that many smartphones in the wild are still vulnerable to potential attacks.

In a blog post, Check Point provided further insight on how it discovered the vulnerabilities in the company's DSP chips, saying:

“Due to the “Black Box” nature of the DSP chips it is very challenging for the mobile vendors to fix these issues, as they need to be first addressed by the chip manufacturer. Using our research methodologies and state-of-the-art fuzz testing technologies, we were able to overcome these issues – gaining us with a rare insight into the internals of the tested DSP chip. This allowed us to effectively review the chip’s security controls and identify its weak points.”

Given the severity of the vulnerabilities in Qualcomm's DSP chips, its recommended that users install any potential patches or fixes as soon as they become available.

A spokesperson from Qualcomm reached out TechRadar Pro and provided the following statement on the matter:

“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

Via BleepingComputer

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
person at a computer
Many workers are overconfident at spotting phishing attacks
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Latest in News
Star Wars Knights of the Old Republic
Knights of the Old Republic remake developer Saber Interactive states all its projects are 'still in development'
Circular smart ring
Circular's new smart ring is getting blood pressure and blood glucose monitoring before the Apple Watch
Gemini on a mobile phone.
Worryingly, Google Gemini’s new AI image generation features can be used to remove watermarks from images and I'm concerned
iPad mini 2021
Huawei might have beaten Apple to the folding phone finish line by creating a foldable 'iPad mini'
Google Pixel 9 in green Wintergreen color showing AI features on screen
Multiple hands-on Google Pixel 9a videos have emerged, days ahead of the likely launch
A man getting angry with his laptop.
Windows 11 bug deletes Copilot from the OS – is this the first glitch ever some users will be happy to encounter?