National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team provides for increased electronic security by strengthening the protection of cyberspace for the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs

07 August 2020

Several security vulnerabilities found in Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip could allow attackers to take control of almost 40% of all smartphones, spy on their users, and create un-removable malware capable of evading detection.

DSPs are system-on-chip units used for audio signal and digital image processing, and telecommunications, in consumer electronics including TVs and mobile devices.

Despite their complexity and the number of new features and capabilities they can add to any device, DSP chips unfortunately also introduce new weak points and expand the devices’ attack surface.

Hundreds of millions of devices exposed to attacks

The vulnerable DSP chip “can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more,” according to Check Point researchers who found these vulnerabilities.

Apple’s iPhone smartphone line is not affected by the security issues discovered and disclosed by Check Point in their report.

Check Point disclosed their findings to Qualcomm, who acknowledged them, notified device vendors, and assigned them the following six CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209.

Qualcomm fixed the vulnerabilities, security updates incoming

Although Qualcomm has already patched the six security flaws found to affect the Qualcomm Snapdragon DSP chip, mobile vendors still have to implement and deliver security fixes to their devices’ users. The threat is still there, since the devices are still vulnerable to attacks.

Check Point researchers did not publish the technical details behind these vulnerabilities to allow mobile vendors to develop and deliver security updates to users to mitigate any possible risks.

“However, we decided to publish this blog to raise the awareness to these issues,” Check Point explained in a research report shared earlier with BleepingComputer.

“We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer. The full research details were revealed to these stakeholders.”

“Although Qualcomm has fixed the issue, it’s sadly not the end of the story,” Head of Cyber Research at Check Point, Yaniv Balmas, said.

“Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time.”

The research behind these vulnerabilities will be presented by Check Point security researcher Slava Makkaveev tomorrow, at DEF CON 2020, during a presentation dubbed “Pwn2Own Qualcomm compute DSP for fun and profit.”

The information is gathered from Bleeping Computer.
