Researchers at Check Point, a cybersecurity firm, have discovered vulnerabilities in the Qualcomm Snapdragon Digital Signal Processor (DSP) chip that can allow attackers to obtain photos, videos, call recordings, location information, and other data from Android phones. 

A DSP is a system on a chip that contains hardware and software designed to support charging abilities (such as “quick charge” features), multimedia experiences like video and HD Capture, advanced AR abilities, and various audio features. Nearly all modern smartphones include at least one of these chips.

Further, Qualcomm’s Snapdragon is one of the most commonly used chips in Android smartphones from Google, Samsung, LG, Xiaomi, OnePlus, and other device manufacturers, and accounts for nearly 40% of the overall smartphone market.

In its report “Achilles: Small chip, big peril,” Check Point pointed out that more than 400 pieces of vulnerable code were found inside the DSP chip. These vulnerabilities could have the following impact on users of phones with the affected chip:

  • Attackers can turn the phone into a perfect spying tool, without any user interaction required. The information that can be exfiltrated from the phone includes photos, videos, call recordings, real-time microphone data, GPS and location data, etc.
  • Attackers may be able to render the mobile phone constantly unresponsive, making all the information stored on this phone permanently unavailable, including photos, videos, contact details, etc. In other words, a targeted denial-of-service attack.
  • Malware and other malicious code can completely hide their activities and become un-removable.

Despite the above risks posed by these vulnerabilities, Check Point hasn’t found any exploits in the real world.

“We have not been able to identify any usage of these exploits in the wild,” Ekram Ahmed, Public Relations Head at Check Point, told TechRepublic. “This of course doesn’t mean they haven’t been used, but that we haven’t spotted them in our telemetry.”

Upon discovery of the vulnerabilities, Check Point disclosed its findings to Qualcomm, which acknowledged them and notified the relevant device vendors.

Qualcomm responded by fixing the vulnerabilities and assigning them the following CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” a Qualcomm spokesperson said in a statement. 

“Although Qualcomm has fixed the issue, it’s sadly not the end of the story. Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data. Our research shows the complex ecosystem in the mobile world. With a long supply chain integrated into each and every phone, it is not trivial to find deeply hidden issues in mobile phones, but it’s also not trivial to fix them,” Yaniv Balmas, head of cyber research at Check Point, said in a press release. 

Qualcomm’s fix is just the first step; it is now up to the mobile vendors to roll out the necessary patches. Check Point Research has decided not to publish the full technical details until the mobile vendors have a comprehensive solution to mitigate the possible risks described.

“We assume it will take months or even years to completely mitigate it. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time. It is now up to the vendors, such as Google, Samsung, and Xiaomi, to integrate those patches into their entire phone lines, both in manufacturing and in the market,” Balmas said.