The security company Checkpoint claims to have discovered more than 400 security holes in the digital signal processor (DSP) of Qualcomm’s Snapdragon chips, and hundreds of millions of devices are said to be affected.
Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more.
The vulnerabilities (CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209) can be exploited by a malicious app that is the victim need to install beforehand.
This could gain full control over the device and exfiltrate data unnoticed, said Checkpoint — accordingly, hackers can not only access to photos, videos, and call recordings, but also to the microphone or the GPS and location data. The holes could also be used to hide malware on the smartphone or to make the device unusable.
Checkpoint discovered the vulnerabilities through fuzzing, in which programs are fed with random data. After the discovery, the company reported the vulnerabilities to Qualcomm. Although Qualcomm has solved the problems, millions of smartphones are still affected, as the long supply chain of the devices could take months or years for the security updates to arrive on the individual smartphones, said Yaniv Balmas, a security researcher at Checkpoint.
For this reason, the security company decided not to publish any details about the vulnerabilities. Since smartphones sometimes no longer receive security updates after a few years, some devices are likely to remain vulnerable forever.