Four new vulnerability exploits were discovered recently on over 900 million Android smartphones, with Qualcomm chipsets found to be the root cause of the issue, according to research by Check Point, a firm dedicated to providing people with protection against digital threats. Qualcomm was notified by the researchers about the issue earlier this year, and responded by making patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.
Researchers from Check Point detected the vulnerabilities affecting all Android devices running a specific Qualcomm chipset. Since the vulnerabilities are found in the software drivers Qualcomm ships with its chipsets, and since said drivers are pre-installed on devices straight out of the factory, they can only be fixed by installing a patch from the distributor or operator.
According to Check Point, the vulnerabilities, known as QuadRooter, can give attackers complete control of devices and unrestricted access to sensitive, personal and enterprise data which may be stored on the device. Check Point presented the results of its research at hacking and information security conference Defcon.
"Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape," said Adam Donenfeld, Senior Security Researcher, Check Point. "However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80 percent of the chipsets in the Android ecosystem, has almost as much effect on Android's security as Google. With this in mind, we decided to examine Qualcomm's code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android
Qualcomm responded to the issues discovered by Check Point by releasing patches on Code Aurora, for users to protect their devices from the vulnerabilities. The website highlights security vulnerabilities in QulC-authored KGSL Linux Graphics Module and in IPC router kernel module. The vulnerabilities were detected on all Android releases from CAF using the Linux kernel, commonly used worldwide in devices.
Qualcomm Innovation Center (QuIC) openly acknowledges Check Point on the Code Aurora patch pages, giving thanks to Adam Donenfeld from Check Point Software Technologies "for reporting the related issues and working with QuIC to help improve device security."
"Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI)," said Qualcomm in a press statement. "We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on Code Aurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities."
Itâ€™s not the first time Qualcomm has faced controversy surrounding its products. In October last year, rumors surfaced that Qualcomm was experiencing overheating issues with its Snapdragon 820 processor. The company also faced criticism over the overheating issues plaguing the previous Snapdragon 810. Several companies that had made plans to use the 810 processor in premium smartphones had to seek ways of getting around the heating issue themselves, or opt for other processors altogether. Qualcomm denied accusations surrounding the 820.
"The rumors circulating in the media regarding Snapdragon 820 performance are false," said the company at the time. "The Snapdragon 820 improves on all IP blocks and is fabricated in the second generation of the 14nm process technology. It is meeting all of our specifications, but more importantly it is satisfying the thermal and performance specifications from our OEMs."