Most Android Phones Can Be Pwned Just by Watching a Video

More than 400 bugs in Qualcomm Snapdragon chips mean the Android phone in your pocket and the IoT toy in your child’s bedroom could be tremendously insecure—with no fix in sight. Researchers fuzzed Qualcomm’s Hexagon SDK and found hundreds of flaws, which could be the tip of a vulnerability iceberg.

Exploiting the bugs only needs the user to watch a video or view a picture. The Hexagon DSP element is responsible for offloading those tasks, but appears to be buggy as heck.

Slava Makkaveev PhD (pictured) presented the research on Friday at DEF CON’s “Safe Mode” online event. Watch the replay open-mouthed—I’ve embedded it below.

Unfortunately, the researcher’s PR flacks got a bunch of details wrong, confusing many journalists. So in today’s SB Blogwatch, we right the wrongs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: the gory details.


Slava FTW, but PR FAIL

What’s the craic? Alfred Ng reports—“Achilles’ heel security flaw”:

 You might not ever have heard of a digital signal processor, but … it’s ripe for abuse from hackers, warn researchers. … In a Defcon presentation … researcher Slava Makkaveev [demonstrated] how [DSPs] are essentially gateways for attackers to get control over Android devices.

Makkaveev looked at the Qualcomm Snapdragon [DSP software], which is in more than 40 percent of Android devices, and found more than 400 vulnerabilities. … Qualcomm acknowledged the vulnerabilities. … The issues remain security risks unless phone manufacturers also push updates out to customers.

[The] researchers said the [DSP is] essentially a whole new platform for attackers to go after, describing [it] as an Achilles’ heel for even the most secure devices. … “Our research managed to break these limits and we were able to have a very close look at the chip’s internal design and implementation in a relatively convenient way. … Since such research is very rare, it can explain why we found so many vulnerable code sections.”

Ave, Maria Deutscher, stainless styled, hypes it up—“‘Achilles’ chip flaws in Android devices let hackers plant unremovable malware”:

 The discovery … is particularly significant because it’s relatively rare for security experts to report security flaws in [DSPs]. That’s partly because manufacturers tend to keep … technical details and code under wraps, which makes analysis difficult.

DSPs are found in most modern handsets and come included with Qualcomm’s ubiquitous Snapdragon mobile [SoCs]. … It’s unclear how many devices could be affected. However … Qualcomm’s chips are used by nearly all major Android smartphone makers.

How many? Sergiu Gatlan adds the number he first thought of—“Nearly 50% of all smartphones affected”:

 DSPs … are used for audio signal and digital image processing, and telecommunications, in consumer electronics including TVs and mobile devices. … Unfortunately, they also introduce new weak points and expand the devices’ attack surface.

Qualcomm [assigned] CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. … Apple’s iPhone smartphone line is not affected by the security issues.

In a comedy of PR errors, Check Point’s anonymous bloggers blog thuswise—“Over 400 vulnerabilities … threaten mobile phones’ usability worldwide”:

 A DSP (Digital Signal Processor) is a system on a chip [no it isn’t]. … Including charging abilities, such as “quick charge” features [no it doesn’t].

Simply put, a DSP is a complete computer on a single chip [it still isn’t]. … Almost any modern phone includes at least one of these chips [it’s not a chip; it’s part of the SoC die].

A single SoC (Software on Chip) [yikes, that’s not what SoC stands for] may include features to enable daily mobile usage [oh, good grief]. … Additionally vendors can optionally use these “mini computers” [cough, splutter] to insert their own functionality.

DSP chips [still not chips] are much more vulnerable to risks as they are being managed as “Black Boxes” [didn’t we all agree to stop using that sort of language?] … Due to the “Black Box” [“#BLM”] nature of the DSP chips [really not chips] it is very challenging for the mobile vendors to fix these issues [not really the reason].

We hope this research will help build a better and more secure environments for the DSP chip [not so much a chip as a functional unit] ecosystem [random word salad, ahoy], as well as provide the necessary knowledge and tools for the security community to preform [typo] regular security reviews for these chips [did I mention it’s not actually a chip?].

There’s an important point hiding in plain sight. Just A Quick Comment highlights it with a quick comment: [You’re fired—Ed.]

 Considering the piecemeal [nature of] Android updates (often, none at all) these vulnerabilities will last the life of the product.

Is there a better way? xxxLCxxx thinks so:

 Qualcomm has long been known for being a nightmare of bugs/backdoors that always lead to full root exploit. Anybody controlling the network … can drop in via the “bugs” in their driver BLOBs.

Exynos is dead [which] only leaves Helio (MediaTek) and Kirin (Huawei). Oddly, you also get a better product for your money.

Sky falling; film at 11. DS999 is not a happy bunny:

 Most vulnerable phones will never see patches, because the OEM stopped caring as soon as they replaced it with a newer model. That’s a big problem … the DSP exploits give you control over the whole device, including the baseband.

This is the sort of hole that lets you turn it into a spy device that silently listens and relays a conversation, with no visible indication. … State actors aren’t harmless but they are inevitable. There’s no way to fix enough bugs that they can’t find any. … They can get into any phone more than a year or two old that is no longer receiving patches.

It will be very bad for owners of older/cheaper devices that won’t ever see the patches when they come out because of the severity of this class of exploits. Full control of the device, with no user interaction required—they just have to happen to visit a web site with a malicious video. Which can be almost any web site, since it could be encoded into a video ad.

Android ecosystem FAIL? Will willzyx speak for many?

 I’m definitely switching to an iPhone as my next phone. This is getting ridiculous.

Could Google have done a better job? Yes, says BullBearMS:

 Google could have written Android so that the drivers plug into a hardware abstraction layer the same way it works on Windows, Macs, and iOS devices. However, Google viewed the device makers and carriers as their customers, not the end users.

The carriers want control over the device. The device makers want to force obsolescence as quickly as possible. Qualcomm also wants to force obsolescence as quickly as possible, of course.

Meanwhile, GOAT__RODEO offers this (saline) solution:

 Go wash your phone in warm salt water to remove those pesky bugs.

And Finally:

Slava Makkaveev at DEF CON Safe Mode



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Slava Makkaveev


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
