- DSPs in Qualcomm Snapdragon chips reportedly contain over 400 vulnerabilities.
- Attackers could use these for spying, malware, or just bricking devices.
- Fixes are on the way and there are no known attacks, but itâ€™s still concerning.
If youâ€™re using an Android phone with a Snapdragon chip inside, thereâ€™s a good chance itâ€™s susceptible to a host of potentially serious security flaws. Check Point security researchers say theyâ€™ve discoveredÂ more than 400 code vulnerabilities, nicknamed â€œAchilles,â€� in the digital signal processors (DSPs) of Qualcommâ€™s Snapdragon chips.
The team is keeping the details a secret to prevent malicious use of the vulnerabilities before thereâ€™s a fix. The consequences can be serious, however. Check Point says attackers can quietly record calls, steal data, render devices unusable, and even install completely silent, non-removable malware.
Itâ€™s not clear how easy it is to exploit the flaws as a result. However, the researchers used â€œfuzz testing technologiesâ€� and other methods to identify flaws in the DSPs, which tend to be black boxes that are harder to study. Check Point noted that phone vendors couldnâ€™t simply fix this as the chipmaker (in this case, Qualcomm) had to address the issues first.
Solutions are thankfully on the way. Qualcomm has acknowledged the flaws and shared details with brands while it provides â€œappropriate mitigationsâ€� to brands, a spokesperson toldÂ MarketWatch. The representative also said there was â€œno evidenceâ€� of active exploits, and that users could minimize their risk by getting patches when available and downloading apps from â€œtrustedâ€� outlets like the Google Play Store.
The practical threat is relatively low until and unless thereâ€™s an Achilles exploit in the wild. Even so, thereâ€™s a significant reason to be concerned. Snapdragon chips were in an estimated 40% of the phones that shipped in 2019 and are present in devices from heavyweights like Samsung, LG, and Xiaomi. That potentially leaves â€œhundreds of millionsâ€� of phones exposed, according to Check Point research head Yaniv Balmas, and fixing them all could be difficult or impossible.
Qualcomm itself provides extended support for Android devices, but that doesnâ€™t extend to the vendors themselves. As has become all too clear, Android vendors are historically slow to deliver updates and may cut off support considerably sooner than Qualcomm. Although security patches are sometimes delivered sooner and beyond the usual support schedules, there may be millions of phones that never get fixes due to age or vendorsâ€™ update policies.