Qualcomm chipsets are generally the processor of choice for many smartphone users, owing to the firm’s powerful graphics hardware and developer-friendly nature. It’s not immune to security flaws though, and its latest vulnerability is a big one.
Security researchers discovered the flaw last year, allowing cyber-criminals to gain private data and security keys in a secure part of the chipset. They have since published a white paper on the flaw this week, noting that he was able to extract security keys from a rooted Nexus 5X.
Meanwhile, Qualcomm has confirmed that it patched the vulnerability, which it categorized as ‘critical.’ This is Qualcomm’s highest rating for security flaws; the firm says ‘critical’ vulnerabilities could allow someone to remotely control a device. The chip maker deployed patches for this vulnerability (CVE-2018-11976) earlier this month but the slow pace of Android updates could leave some smartphones and tablets vulnerable for years to come.
Hundreds of millions of Android devices currently use Qualcomm chips and the vulnerability impacts how they handle data processed inside the Trusted Execution Environment (TEE) QSEE.
The QSEE is a hardware-isolated area on the company’s chips where app developers and Android itself can send data to be processed safely and securely in such a way that it is secluded from the operating system and any other apps installed on the device. Private encryption keys and passwords are often processed inside the QSEE and the bug could leave this sensitive information exposed to hackers.
Google’s Android Security Bulletin notes that the fix is included in the April 2019 security patches, but many Android manufacturers have skimped on security updates in the past. So that means people with older devices are still left at risk of being affected by the flaw. In fact, Qualcomm has confirmed that the vulnerability affects over 40 chipsets, including laptop, smartwatch, and automotive silicon.
Some of the more prominent smartphone chips affected by the flaw include the:
- Snapdragon 200 series,
- Snapdragon 400 family (bar the Snapdragon 400 itself, it seems),
- Snapdragon 625,
- Snapdragon 636,
- Snapdragon 660,
- Snapdragon 670,
- Snapdragon 710/712,
- Snapdragon 820,
- Snapdragon 835, and
- Snapdragon 845.
You can check out the full list over at Qualcomm’s product security bulletin.
If you own a phone with one of these chipsets and haven’t received the April 2019 security patch, then you should nag the manufacturer. Google has taken action in this regard, reportedly mandating two years of security patches in contracts with manufacturers, but brands often fall behind in their timely delivery. It’s high time they took full responsibility.