Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm's kernel-level Snapdragon code that if exploited, can be used by attackers for gaining root access and taking full control of your device.
Gaining root access on a device is a matter of concern, as it grants attackers access to admin level capabilities, allowing them to turn your device against you to snap your pictures, and snoop on your personal data including accounts’ passwords, emails, messages and photos.
The company’s own website notes that Qualcomm Snapdragon SoCs (systems on a chip) power more than a Billion smart devices, including many Internet of Things (IoTs) as of today. Thus, the issue puts many people at risk of being attacked.
Although Google has pushed out updates after Trend Micro privately reported the issues that now prevents attackers from gaining root access with a specially crafted app, users will not be getting updates anytime soon.
The security update rolls out to your device through a long chain:
Qualcomm → Google → Your device's manufacturer → Your network carrier → Your handheld over the air
"Given that many of these devices are either no longer being patched or never received any patches in the first place," said Trend engineer Wish Wu, "they would essentially be left in an insecure state without any patch forthcoming."
Unfortunately, what’s more concerning is the fact that the same vulnerable chips are used in a large number of IoT devices, which are no longer in line for security updates. This makes it possible for hackers to gain root access to these connected devices, which is more worrying.
"Smartphones aren't the only problem here," said Trend's Noah Gamer. "Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk."
"If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with."
Whatever be the reason: if security patches are not available for your device model or take too long to arrive, in both the cases it gives miscreants time to exploit the security holes to gain control of your device.
However, some users are lucky to choose Google’s handsets that get their patches direct from the tech giant automatically, making them safe from the vulnerabilities. The handsets include Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10.
All of the smart devices using the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 and running a 3.10-version kernel are affected by the vulnerabilities.
The vulnerable code is present in Android version 4 to version 6. In the tests, researchers found Nexus 5, 6 and 6P, and Samsung Galaxy Note Edge using vulnerable versions of Qualy's code.
Though the researchers do not have access to every Android handset and tablet to test, the list of vulnerable devices is non-exhaustive.
Since the researchers have not disclosed full details about the flaws, the short brief about the vulnerabilities is as follows:
1. Qualcomm-related flaw (CVE-2016-0819): The vulnerability has been described by the researchers as a logic bug that allows a small section of kernel memory to be tampered with after it is freed, causing an information leakage and a Use After Free issue in Android.
2. The flaw (CVE-2016-0805) is in Qualcomm chipset kernel function get_krait_evtinfo: The get_krait_evtinfo function returns an index into an array used by other kernel functions. With the help of carefully crafted input data, it is possible to generate a malicious index, leading to a buffer overflow.
3. Gaining root access: Using both the flaws together on vulnerable devices, attackers can gain root access on the device.
The researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.