Once again, more than a billion Android devices are vulnerable to a security hole in Qualcomm’s Snapdragon chip that could be exploited by a malicious attacker to gain full access to the device.
Trend Micro’s security experts have warned Android users of severe programming flaws in Qualcomm’s kernel-level Snapdragon code that, if exploited, can be used by attackers to gain root access, and hence full control of your phone or other device.
Gaining root permissions on a system is a matter of concern because it gives attackers administrator-level capabilities, permitting them to do almost anything with your device against your will, like accessing your pictures or even taking new ones without your knowledge, or snooping into your private data, including emails, account passwords, messages and files.
Qualcomm’s own web site states that its Snapdragon SoCs (systems on a chip) are used in more than a billion smart devices, including many Internet of Things (IoT) devices today. The problem therefore exposes not only many individuals but also many corporations that rely on IoT devices or have employees using the vulnerable devices.
After Trend Micro privately reported the issues, Google pushed out security updates that now prevent attackers from gaining root access with a specially crafted app. However, users might not be getting those updates anytime soon.
Depending on your device, the security updates that do roll out may do so via a protracted chain:
Trend Micro’s engineer Wish Wu said: “Given that many of these gadgets are either no longer being patched or never received any patches in the first place, they’d essentially be left in an insecure state without any patch forthcoming.”
More concerning still, the same vulnerable chips are used in many IoT devices that are no longer in line for security updates. This makes it possible for attackers to gain root access to these connected devices.
“Smartphones aren’t the only problem here; Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, which means these devices are just as at risk.”
“If IoT is going to be as widespread as many experts think, there needs to be some kind of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices have to know what they’re dealing with,” said Trend’s Noah Gamer.
Whatever the reason, if security patches aren’t available for your device or take too long to arrive, attackers have time to exploit the security holes and take control of it.
All smart devices that use the Qualcomm Snapdragon 800 series (including the 800, 805 and 810) and run a 3.10-version kernel are affected by the vulnerabilities.
The vulnerable code is present in Android versions 4 to 6. In their tests, the researchers found the Nexus 5, 6 and 6P and the Samsung Galaxy Note Edge using vulnerable versions of Qualcomm’s code.
Since the researchers don’t have access to every Android phone and tablet to check, the list of vulnerable devices is non-exhaustive.
Since the researchers haven’t disclosed full details of the flaws, here is a brief summary of the vulnerabilities:
- Qualcomm-related flaw (CVE-2016-0819): The researchers describe this vulnerability as a logic bug that permits a small section of kernel memory to be tampered with after it’s freed, causing data leakage and a use-after-free issue in Android.
- Flaw in the Qualcomm chipset kernel function get_krait_evtinfo (CVE-2016-0805): The get_krait_evtinfo function returns an index into an array used by other kernel functions. With carefully crafted input data, it’s possible to generate a malicious index, resulting in a buffer overflow.
- Gaining root access: By using both flaws together on vulnerable devices, attackers can gain root access to the device.
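The out-of-range index problem described for get_krait_evtinfo can be illustrated with the following added example. It is not Qualcomm's kernel code and does not come from Trend Micro's research: the event layout, table size and function names are constructed assumptions. It contrasts a decoder that returns an index without range checks with one that validates each field first.

```c
#include <stdint.h>
#include <stdio.h>

/* All sizes and the bit layout below are constructed for illustration. */
#define NUM_GROUPS 4u
#define NUM_REGS   3u
#define TABLE_LEN  (NUM_GROUPS * NUM_REGS)   /* 12 slots */

/* Constructed layout: bits 0-7 = group, bits 8-15 = register number. */
static unsigned evt_group(uint32_t evt) { return evt & 0xffu; }
static unsigned evt_reg(uint32_t evt)   { return (evt >> 8) & 0xffu; }

/* Flawed pattern: the index is derived from caller-supplied fields
 * with no range check, so it can point far past TABLE_LEN. */
int evt_index_unchecked(uint32_t evt)
{
    return (int)(evt_reg(evt) * NUM_GROUPS + evt_group(evt));
}

/* Hardened pattern: reject any field outside its valid range before
 * an index is ever produced. Returns -1 on invalid input. */
int evt_index_checked(uint32_t evt)
{
    unsigned group = evt_group(evt), reg = evt_reg(evt);
    if (group >= NUM_GROUPS || reg >= NUM_REGS)
        return -1;
    return (int)(reg * NUM_GROUPS + group);
}

/* Consumer that writes to the table only for validated indexes. */
int record_event(uint8_t table[TABLE_LEN], uint32_t evt)
{
    int idx = evt_index_checked(evt);
    if (idx < 0)
        return -1;
    table[idx] = 1;
    return idx;
}

int main(void)
{
    uint8_t table[TABLE_LEN] = {0};
    uint32_t crafted = 0xff03u;  /* constructed input: reg 255, group 3 */
    printf("unchecked=%d (table has %u slots) checked=%d recorded=%d\n",
           evt_index_unchecked(crafted), TABLE_LEN,
           evt_index_checked(crafted), record_event(table, crafted));
    return 0;
}
```

Any function that consumes the index should rely on the validated decoder, because a single unchecked caller is enough to reach memory outside the table.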
The researchers will present their research on exactly how these flaws can be leveraged at the upcoming Hack In The Box security conference in the Netherlands, to be held at the end of May 2016.