Security Exploits Put Over a Billion Devices Powered by Snapdragon SoCs at Risk
Qualcomm claims that its Snapdragon processing chips power more than a billion devices. What most users don't know about is a severe security vulnerability that, if exploited, can give a hacker root access on the target Snapdragon-powered device. Thanks to this Snapdragon security vulnerability, more than a billion Android devices could be at risk as hackers only have to use a malicious app to gain root access.
Snapdragon security exploit putting over a billion devices at risk
Many of the devices powered by Snapdragon chipsets are at a risk a severe exploit in the Qualcomm Snapdragon chip. Security researchers at TrendLabs have discovered serious Snapdragon security vulnerabilities that could be exploited by an attacker by simply running a malicious app. Due to some severe programming oversights (CVE-2016-0819 and CVE-2016-0805) in Qualcomm's kernel-level Snapdragon code, hackers could exploit the vulnerabilities to gain root access on a Snapdragon-powered Android device.
The security team hasn't disclosed full details of the attack "to prevent further attacks that may target either the patched vulnerabilities or similar ones that have yet to be discovered." However, it claims that an attacker could gain root access of any device using a malicious app. After an attacker gains root access to your device, they can potentially do whatever you can yourself do on your own device - from gaining access to your private data to installing more malware on your phone, the nefarious possibilities are endless.
As manufacturers heavily customize the kernel and SELinux policies of their devices, it is difficult to exactly identify the vulnerable devices. Google has suggested that the Snapdragon security vulnerabilities affect devices running Android version earlier than 4.4.4 KitKat to 6.0.1 Marshmallow.
We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk of this attack. As mentioned earlier, given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming.
Google has patched the vulnerabilities in its February security update. However, as we all know how long it takes the company's partners to roll out the software updates, most of the devices are still at risk.
Users can do nothing but to ensure that they install the security updates as soon as they receive the updates. To ensure that you are always safe from any malicious apps, make sure to never allow app installations from unknown sources out of Google's Play Store.
What's more dangerous than smartphones being hacked?
The report also shades light on an increasingly important issue of the security of Internet of Things (IoT). The latest report has suggested that Qualcomm's Snapdragon chip also powers a large number of IoT devices that are no longer receiving security updates, potentially giving root access to attackers.
SoCs like the ones developed by Snapdragon are already making their rounds in IoT devices including certain wearables. If the industry can't find a way to effectively patch these vulnerabilities, there could be massive repercussions.
Since most of the IoT devices are being developed to be cheap and "disposable," there is currently no focus on sending regular security patches to many of these connected devices. But if we are going to welcome connected devices in our homes, tech companies will have to ensure a better security control over these devices than they have over smartphones to make these devices safe for public use.
For more details, you can read the complete report here.