Qualcomm is a name you’ve no doubt heard if you follow smartphones. It’s the number one provider of processor chips for Android phones, with a 65% market share. Right now, that’s very bad news, since there are inherent flaws in the drivers for the chips, flaws that could expose devices to attacks. Recent devices including the Samsung Galaxy S7 and S7 Edge, all the OnePlus flagship phones, the last generation of Nexus devices and the Sony Xperia Z Ultra are all at risk.
The flaws, collectively called Quadrooter (since there are four of them and they provide root access to malicious software), were identified by Check Point Software Technologies, an Israel-based security firm. Check Point revealed its findings at the Defcon Security Conference in Las Vegas. Adam Donenfeld, the lead security researcher at the company, made the announcement.
Apparently the firmware that governs the chips could allow hackers to “trigger privilege escalations for the purpose of gaining root access to a device”. They would do this using malware that would fly under suspicious users’ radars and wouldn’t require special permissions. What that basically means is that a user need only be tricked into installing malware that seems harmless. Then the cyber thief can sift through all your personal data. The thief can access your camera and microphone, add or delete apps, and basically have his way with your device.
“vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them.”
The four flaws are tracked as CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340.
Qualcomm has said that it has patched all four flaws. Google has said it patched 3 flaws in its Nexus devices in the August update and that the fourth will be fixed in the next one. However, that doesn’t necessarily spell ‘awesome’ for the other users already exposed. This is because handset manufacturers are less than enthusiastic about patching flaws found in their devices. While Google has taken care of its Nexus line, those on Samsung or LG devices, etc., are probably out of luck, since their manufacturers need to receive patches from Qualcomm first and then send them out to their users.
This highlights a fatal flaw in the Android machine. Security risks are very hard to fix because their solutions, even when fully developed, have to be painstakingly delivered through a wide network of handset manufacturers and cell phone carriers in order to reach each device. And then users must be sure to install these updates; there’s no automatic trigger for this. Compare that with Apple, which retains almost complete control of all its devices and can fix security risks almost with the flick of a switch (relatively).
This is why two federal agencies, the Federal Communications Commission and the Federal Trade Commission, have stepped in to question Apple and Google on their security updates, which are usually haphazard and highly irregular. A report on this matter is due later this year.
You can download the Quadrooter Scanner app here to check whether these vulnerabilities exist on your phone.