- DSPs in Qualcomm Snapdragon chips reportedly contain over 400 vulnerabilities.
- Attackers could use these for spying, malware, or just bricking devices.
- Fixes are on the way and there are no known attacks, but it’s still concerning.
If you’re using an Android phone with a Snapdragon chip inside, there’s a good chance it’s susceptible to a host of potentially serious security flaws. Check Point security researchers say they’ve discovered more than 400 code vulnerabilities, nicknamed “Achilles,” in the digital signal processors (DSPs) of Qualcomm’s Snapdragon chips.
The team is keeping the details a secret to prevent malicious use of the vulnerabilities before there’s a fix. The consequences can be serious, however. Check Point says attackers can quietly record calls, steal data, render devices unusable, and even install completely silent, non-removable malware.
It’s not clear how easy it is to exploit the flaws as a result. However, the researchers used “fuzz testing technologies” and other methods to identify flaws in the DSPs, which tend to be black boxes that are harder to study. Check Point noted that phone vendors couldn’t simply fix this as the chipmaker (in this case, Qualcomm) had to address the issues first.
Solutions are thankfully on the way. Qualcomm has acknowledged the flaws and shared details with brands while it provides “appropriate mitigations” to brands, a spokesperson told MarketWatch. The representative also said there was “no evidence” of active exploits, and that users could minimize their risk by getting patches when available and downloading apps from “trusted” outlets like the Google Play Store.
The practical threat is relatively low until and unless there’s an Achilles exploit in the wild. Even so, there’s a significant reason to be concerned. Snapdragon chips were in an estimated 40% of the phones that shipped in 2019 and are present in devices from heavyweights like Samsung, LG, and Xiaomi. That potentially leaves “hundreds of millions” of phones exposed, according to Check Point research head Yaniv Balmas, and fixing them all could be difficult or impossible.
Qualcomm itself provides extended support for Android devices, but that doesn’t extend to the vendors themselves. As has become all too clear, Android vendors are historically slow to deliver updates and may cut off support considerably sooner than Qualcomm. Although security patches are sometimes delivered sooner and beyond the usual support schedules, there may be millions of phones that never get fixes due to age or vendors’ update policies.