‘Achilles’ error exposes a billion Android phones



One billion Android phones are at risk of attack by hackers exploiting what a research company says are 400 vulnerabilities discovered in the smartphones' chips.

Collectively called “Achilles”, the vulnerabilities were found in sections of code on Qualcomm’s Snapdragon chips, which are found in almost half of all Android phones.

Presenting at the DEF CON Safe Mode security conference on Friday, researchers at security company Check Point said that phones could be turned into spying tools, giving access to photos, videos, location data and other sensitive user details. A hacker would only need to convince a user to install a seemingly benign app that needs no access rights to operate.

Hackers could also spy on phone calls, launch denial-of-service attacks, or plant malicious code.

“You could be spied on. You could lose all your data,” said Yaniv Balmas, chief cyber research officer at Check Point. “If such vulnerabilities are found and used by malicious actors, they will find millions of mobile phone users with almost no way to protect themselves for a very long time.”

Check Point has shared details of its findings with Qualcomm and the relevant phone vendors. It has not made the details public, so as to give hackers no advantage.

Qualcomm said it is addressing the vulnerabilities by releasing a new compiler and a new software development kit. But it is up to phone vendors to distribute patches for each phone model that carries the affected processor.

“For vendors, this means they need to test every DSP application they use and fix any issues [that] may occur,” Balmas said. “Then they have to send these fixes to all the devices in the market.”

Snapdragon chipsets have been a welcome addition to smartphones, portable devices, and automotive systems. They are embraced for their speed and performance benchmarks, energy efficiency, 5G support, graphics handling, and embedded fingerprint-reading capability.

Digital signal processors do not attract the same degree of scrutiny from researchers looking for possible shortcomings as other computer components do, because their technical specs are usually closely controlled by manufacturers.

“While DSP chips provide a relatively economical solution that enables mobile phones to provide end-users with more functionality and enable innovative features, they do come at a cost,” Check Point researchers wrote in an online report. “These chips introduce new attack surfaces and weaknesses to these mobile devices. DSP chips are much more vulnerable to risks because they are managed as ‘Black Boxes’, as they can be very complex for anyone other than their manufacturer to control their design, functionality or code.”

“Our research managed to break these boundaries and we were able to take a relatively easy look at the internal design and implementation of the chip. Since such research is very rare, it may explain why we found so many vulnerable code sections,” said Balmas.

Snapdragon system-on-a-chip products can be found in leading phones from Google, Samsung, Xiaomi, LG, and OnePlus. Apple makes its own processors, so iPhones are not affected by Achilles.

Qualcomm said it had no evidence that the vulnerabilities were “currently being exploited”, but advised customers to “update their devices when patches are available and only install applications from trusted locations such as the Google Play Store.”




More information:
www.defcon.org/html/defcon-saf…akers.html # Makkaveev

© 2020 Science X Network

Citation: ‘Achilles’ Error Exposes One Billion Android Phones (2020, August 10) Retrieved August 10, 2020 from https://techxplore.com/news/2020-08-achilles-flaw-exposes-billion-android.html
