Millions of Android mobiles with Qualcomm DSP chipset vulnerable to hacking: Check Point

A new report has emerged that the millions of Android mobiles with Qualcomm's DSP (Digital Signal Processor) chipset are vulnerable to hacking and malware infection.

"In our research dubbed 'Achilles' we performed an extensive security review of a DSP chip from one of the leading manufacturers: Qualcomm Technologies. Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more," Check Point Research team reported.

The cyber experts detected more than 400 vulnerabilities in the Qualcomm DSP unit and it can allow bad actors to take over the phone and make it spying tool without the owner ever noticing or interacting with any application as such. The hacker can get into the phone's storage and pick photos, videos, call-recording, real-time microphone data, GPS, and location data.

Also, cybercriminals can also initiate DoS (Denial of Service) attack on the phone and make it unresponsive constantly. Then, the owner will be blocked from accessing photos, contact numbers, or any information.

If the phone owner ever visits a shady website and unknowingly installs a malware-laced app, the latter may get inside the phone's memory to initiate illegal activities and the user may never notice it and also if he/she does, it can make itself unremovable.

Considering the seriousness of the issue, Check Point has decided not to disclose any technical information on the vulnerability and has passed on the information to Qualcomm. The latter has acknowledged the issue and has notified all the stakeholders including the Android phone makers and released the CVE (Common Vulnerabilities and Exposures) list-- CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

The Digital Signal Processor (DSP) chipsets are said to vulnerable to risks as they are deemed as 'Black Boxes', for its complex nature, for anyone other than their manufacturer to review their design, functionality, or code.

"Due to the 'Black Box' nature of the DSP chips, it is very challenging for the mobile vendors to fix these issues, as they need to be first addressed by the chip manufacturer. Using our research methodologies and state-of-the-art fuzz testing technologies, we were able to overcome these issues – gaining us with a rare insight into the internals of the tested DSP chip. This allowed us to effectively review the chip’s security controls and identify its weak points," the report said.

"We hope this research will help build better and more secure environments for the DSP chip ecosystem, as well as provide the necessary knowledge and tools for the security community to preform regular security reviews for these chips in order to strengthen the security of mobile devices," Check Point Security researchers said.

"Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” Qualcomm spokesperson said to Deccan Herald.

Get the latest news on new launches, gadget reviews, apps, cyber security, and more on personal technology only on DH Tech.