Qualcomm Snapdragon bugs leave almost half of all smartphones open to attack

(Image credit: Qualcomm)

New research from Check Point has discovered over 400 vulnerabilities in Qualcomm's Snapdragon Digital Signal Processor (DSP) chip that if exploited, could allow hackers to take control of over 40 percent of all smartphones.

A DSP is a system on a chip that is used for audio signal and digital image processing in a number of consumer devices including TVs and smartphones. While DSP chips bring a number of new features and capabilities to the devices they're used in, they also introduce new weak points and expand a device's attack surface.

The vulnerabilities discovered by Check Point have serious implications as Qualcomm's chips are found in nearly every Android smartphone including flagship phones from Google, Samsung, LG, Xiaomi, OnePlus and other hardware makers.

By exploiting the vulnerabilities in Qualcomm's DSP chip, an attacker can spy on users via their smartphones, render a user's mobile phone constantly unresponsive and create un-removable malware capable of evading detection.

DSP chip vulnerabilities

Check Point responsibly disclosed its findings to Qualcomm and the chip maker acknowledge the vulnerabilities, notified device vendors and assigned six of the flaws with CVE listings.

Qualcomm has already patched the six security flaws affecting its Snapdragon DSP chip but smartphone makers still have to implement and deliver fixes to their users' devices which means that many smartphones in the wild are still vulnerable to potential attacks.

In a blog post, Check Point provided further insight on how it discovered the vulnerabilities in the company's DSP chips, saying:

“Due to the “Black Box” nature of the DSP chips it is very challenging for the mobile vendors to fix these issues, as they need to be first addressed by the chip manufacturer. Using our research methodologies and state-of-the-art fuzz testing technologies, we were able to overcome these issues – gaining us with a rare insight into the internals of the tested DSP chip. This allowed us to effectively review the chip’s security controls and identify its weak points.”

Given the severity of the vulnerabilities in Qualcomm's DSP chips, its recommended that users install any potential patches or fixes as soon as they become available.

A spokesperson from Qualcomm reached out TechRadar Pro and provided the following statement on the matter:

“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.