[HN Gopher] Snapdragon chip flaws put 1B Android phones at risk of data theft
Author : jiripospisil
Score : 161 points
Date : 2020-08-08 15:51 UTC (7 hours ago)
Link : arstechnica.com

awinter-py wrote:
Checkpoint's release for these vulnerabilities is here
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...

not clear from the writeup how many devices are affected. They fuzz-tested 'a DSP chip' (sounds like just one) and then say that Qualcomm products are used in 40% of devices.

press release focuses on exfiltrating media + GPS, not clear if this is a rootkit that can access the keyboard or take over your email.

'more than 400 vulnerable pieces of code were found' not clear to me -- maybe I don't know how fuzzing DSPs work? Do they have access to the source code because the image decoder is open source?

Ijumfs wrote:
Android phones are constantly stealing your data, I'm not sure why a processor vulnerability would be cause for alarm when your entire OS is a data exfiltration and surveillance platform.

Wronnay wrote:
That's simply not true. AOSP is open source and you can run an Android phone without google services.

You are generalizing the problem of some phone manufacturers which deliver phones with software which spies on you, but the OS isn't a surveillance platform - instead it's more open than iOS - you can't look at the source code of iOS as simply as you can look at the Android source code.

xarthna wrote:
Can you explain this more?

tpmx wrote:
Yikes.

Could Google theoretically remotely disable/remove apps that they identify using the DSP in malicious ways?

jm4 wrote:
If it's in the DSP it may not need to be an app that runs the exploit. Sounds like any malicious audio or video file could do it.
Could be something delivered via a streaming site, email, audio embedded in a webpage, etc. This sounds like it could be a very big deal.

It's great that Qualcomm has a fix, but most of the susceptible devices will likely never get it in an update from their manufacturers. And I wonder if there will be a performance or battery life hit like the awful performance hit in the Intel chips. That one cost me a 30% hit on my servers and resulted in 6 figures of unplanned spending to replace that lost capacity.

tpmx wrote:
> If it's in the DSP it may not need to be an app that runs the exploit. Sounds like any malicious audio or video file could do it. Could be something delivered via a streaming site, email, audio embedded in a webpage, etc. This sounds like it could be a very big deal.

Seems unlikely to me. DSP data vs DSP code - I think it's in the latter that you'll find vulnerabilities.

blihp wrote:
Second paragraph in the article: malicious media (i.e. video) can exploit it

roneythomas6 wrote:
Yes they can through google play protect. But first they need to identify the app.

tpmx wrote:
You'd think they'd launch a crash program immediately to do exactly this. "No one sleeps until this is fixed."

Somehow I doubt that is going to happen, and that's also why I don't use Android.

steelframe wrote:
"No one sleeps until this is fixed" sounds like a great way to make things even worse.

tpmx wrote:
Poor underpaid google workers.

Xylakant wrote:
It's not about pay. People that don't sleep make mistakes - no matter what you pay them. Rest is an essential part of performance. Some people may need more and others less, but there's no one that doesn't.

fuzxi wrote:
No need to take it so literally. I read "No one sleeps until this is fixed" as "This is the top priority, push everything else aside. Do not screw around, stay late if you can. Everyone who can work on this needs to fix it."
tpmx wrote:
Oh ffs...

If your 2020 Google had been in charge of the Apollo 13 mission it would have been game over.

..

I will spell it out:

Sometimes your software team messes up really badly. This would be one of those times: 1 billion vulnerable people.

These things don't happen that often, but when they do happen you'd better step up.

[deleted]

giudittapasta wrote:
Uhm, wasn't this already the case in August 2019?

ChuckNorris89 wrote:
The article is pretty spartan in details regarding the vulnerability but as I understand it, the DSP is the attack vector.

Wouldn't it make sense for Qualcomm to hardware/software sandbox the memory content being processed by each part of the SoC?

Would such an attack also work on PCs with iGPUs, since they share the system memory?

not2b wrote:
If they isolate the memory that each part of the SoC can process, that means large amounts of data (for high definition video) have to be copied from one processor to another, so there's direct access. Then if the DSP's firmware has buffer overrun bugs, craft a suitable video and read/write whatever memory area you want to. (Not sure that this is what the bug is, but it's my guess).

ajross wrote:
They likely do sandbox it to some extent. It's routine for these devices to have their own SRAM decoupled from main memory, and to have a hardware-managed window to get to OS-visible RAM. Often there's a DMA controller that does that instead, etc...

But all sandboxes can have holes. The phrasing in the article actually makes it sound more like this is a software bug in the firmware and not a hardware thing per se.

GPUs likewise have a somewhat cooked visibility to DRAM and some amount of mapping and hardware DMA intermediate interfaces. But sure, a similar GPU flaw could do the same thing.

acdha wrote:
Yes - that's what iOS devices and modern computers do.
The risks of allowing unrestricted DMA started to get publicized in the mid-2000s when FireWire was used to attack locked Macs. IOMMUs are pretty common now but the OS still has to enable them.

RL_Quine wrote:
The modern version of that is thunderbolt naturally.

ajross wrote:
IOMMUs aren't the only way to get secure DMA, it's more common for small devices to have a double-ended device where the other end (OS vs. DSP in this case) needs to set up its own pointers itself. Doing it via page mapping is very heavyweight and used for performance reasons when you need both safety AND fast random access to large regions.

acdha wrote:
Yes - my main reaction was just that it was something of a surprise to see Qualcomm not using any of the common countermeasures for a class of attack which is not new and for which they've had problems in the past.

[deleted]

ezekiel68 wrote:
Yet another reason why the protectionist hit job on Huawei was a bad idea. My Mate 30 Pro will not be affected by this flaw.

spoopyskelly wrote:
> My Mate 30 Pro will not be affected by this flaw

It will just keep being affected by being a bad phone.

0xcde4c3db wrote:
Ah, so it's actually pretty simple to avoid this vulnerability: all I need to do is upgrade to an Android phone based on one of the several competitive Snapdragon alternatives that are bound to be widely available given the staggering size of the market.

Hold on, I'm sure I'll find one any minute now...

gruez wrote:
What about samsung exynos and mediatek?

0xcde4c3db wrote:
As far as I can tell, in the US market they're almost entirely confined to low-end models and non-phone devices (tablets/Chromebooks/smart TVs). Importing, as a practical matter, seems to mean no support/warranty, and it looks like most models intended for other regions don't have full support for the bands used by US networks.
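The sandboxing sub-thread above (not2b's guess that a buffer overrun in the DSP firmware plus a crafted video gives arbitrary read/write, ajross's description of private SRAM with a hardware-managed window into OS-visible RAM, acdha's point that an IOMMU or window check is the usual countermeasure) stays abstract. The following is an added illustration by the editor, not code from the original page, from Check Point, from Qualcomm or from any commenter, and it does not describe the real Achilles bugs, whose details were being withheld at the time. It is a toy C model of that bug class: firmware copies an attacker-sized media payload into a fixed decode buffer in its private SRAM, and the overrun clobbers the DMA descriptor sitting behind the buffer, so the attacker chooses where in host RAM the engine writes next. The SRAM layout, the "MEDI" frame format, the granted window and every address are assumptions made up for the example.

```c
/* Added example (editor's illustration, not code from Check Point, Qualcomm or
 * any commenter). Toy model of a DSP firmware buffer overrun reaching the DMA
 * descriptor. Layout, frame format, grant window and addresses are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SRAM_SIZE       256
#define DECODE_BUF_OFF  0
#define DECODE_BUF_SIZE 64
#define DMA_DESC_OFF    (DECODE_BUF_OFF + DECODE_BUF_SIZE) /* base(4) | len(4) */
#define FRAME_MAGIC     0x4D454449u                      /* "MEDI", made up */

/* Window of host RAM the OS granted to the DSP (assumed values). */
#define GRANT_BASE 0x80000000u
#define GRANT_LEN  0x00100000u

struct frame_hdr {
    uint32_t magic;
    uint32_t payload_len;   /* attacker controlled: comes from the media file */
};

static uint8_t sram[SRAM_SIZE];   /* the DSP's private memory */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

void dsp_reset(void) {
    memset(sram, 0, sizeof sram);
    wr32(sram + DMA_DESC_OFF, GRANT_BASE);   /* next DMA: start of the grant */
    wr32(sram + DMA_DESC_OFF + 4, 4096u);
}

uint32_t dsp_dma_base(void) { return rd32(sram + DMA_DESC_OFF); }
uint32_t dsp_dma_len(void)  { return rd32(sram + DMA_DESC_OFF + 4); }

/* The hardware-managed window / IOMMU-style check the thread mentions:
 * a transfer is allowed only if [base, base+len) lies inside the grant. */
bool dsp_dma_allowed(uint32_t base, uint32_t len) {
    uint64_t end = (uint64_t)base + len;
    return base >= GRANT_BASE && end <= (uint64_t)GRANT_BASE + GRANT_LEN;
}

static int parse_hdr(const uint8_t *frame, size_t frame_len, struct frame_hdr *h) {
    if (frame_len < sizeof *h) return -1;
    memcpy(h, frame, sizeof *h);
    if (h->magic != FRAME_MAGIC) return -1;
    if (frame_len - sizeof *h < h->payload_len) return -1; /* guards the source only */
    return 0;
}

/* VULNERABLE: payload_len is checked against the frame, never against the
 * 64-byte destination, so a long payload overruns into the DMA descriptor. */
int dsp_handle_frame_unchecked(const uint8_t *frame, size_t frame_len) {
    struct frame_hdr h;
    if (parse_hdr(frame, frame_len, &h) != 0) return -1;
    memcpy(sram + DECODE_BUF_OFF, frame + sizeof h, h.payload_len);
    return 0;
}

/* HARDENED: bound the copy by the destination buffer as well. */
int dsp_handle_frame_checked(const uint8_t *frame, size_t frame_len) {
    struct frame_hdr h;
    if (parse_hdr(frame, frame_len, &h) != 0) return -1;
    if (h.payload_len > DECODE_BUF_SIZE) return -2;   /* reject, do not truncate silently */
    memcpy(sram + DECODE_BUF_OFF, frame + sizeof h, h.payload_len);
    return 0;
}

/* Constructed malicious "video frame": 64 bytes of filler followed by a fake
 * DMA descriptor aimed at memory outside the grant. Returns bytes written. */
size_t build_evil_frame(uint8_t *out, size_t cap) {
    const size_t need = sizeof(struct frame_hdr) + DECODE_BUF_SIZE + 8;
    struct frame_hdr h = { FRAME_MAGIC, DECODE_BUF_SIZE + 8 };
    if (cap < need) return 0;
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 'A', DECODE_BUF_SIZE);
    wr32(out + sizeof h + DECODE_BUF_SIZE, 0xC0000000u);  /* assumed: outside grant */
    wr32(out + sizeof h + DECODE_BUF_SIZE + 4, 0x1000u);
    return need;
}

/* Feed the evil frame to one handler; return the DMA base the engine would use. */
uint32_t run_scenario(bool hardened) {
    uint8_t frame[128];
    size_t n = build_evil_frame(frame, sizeof frame);
    dsp_reset();
    if (hardened) dsp_handle_frame_checked(frame, n);
    else          dsp_handle_frame_unchecked(frame, n);
    return dsp_dma_base();
}

int main(void) {
    printf("unchecked: next DMA base 0x%08x\n", run_scenario(false));
    printf("checked:   next DMA base 0x%08x\n", run_scenario(true));
    return 0;
}
```

Build with any C99 compiler. With the unchecked handler the descriptor ends up pointing at 0xC0000000, outside the grant, which is exactly the "read/write whatever memory area you want" outcome not2b sketches; `dsp_dma_allowed` is the second line of defence acdha was surprised not to see, and refuses that transfer even though the firmware bug is still there. The firmware-level fix is the one extra bound in `dsp_handle_frame_checked`; note that it rejects rather than truncates, since silently truncating a codec payload tends to create a different parsing bug.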
userbinator wrote:
MTK is open by default (no bootloader lock, easy unbrickable recovery), or at least that's what it was a few years ago when I bought one. Great for the modding scene, but probably not liked by the authoritarian-paranoid.

topicseed wrote:
The new Samsung Galaxy Note 20 Ultra ships with Exynos in the UK and EU but performance drops against the same phone running Snapdragon (shipped in the US).

So whilst the security might be better, we (tech geeks in EU/UK) don't want to pay the same price for a less performant phone sadly :/

But maybe in a few iterations!

iakov wrote:
I'm wondering why people need the "performant phone". All the Android phones that I've had or seen in the last few years run the OS and apps with no issues. The amount of RAM might limit the multi-tasking, but otherwise I can't imagine a real-life use-case where I may want a "performant phone".

Can you maybe shed some light on this for me, please?

robocat wrote:
Using sarcasm is against HN guidelines - covered by "Don't be snarky". Personally I enjoy being sarcastic, but I less enjoy the sarcasm of others!

zolosa wrote:
There was KIRIN from Huawei which was quite good before the US killed it due to national security concerns.

And now a US chip is a genuine security concern for the rest of the world.

fulafel wrote:
There is no reason to believe Qualcomm is more broken than competitors wrt this class of vulns.

(read the article or the original blog, q: "The more than 400 distinct bugs")

0xcde4c3db wrote:
True, but the larger point is that the monoculture arguably makes the impact of any given vulnerability worse. Similar to how any given CDN/cloud provider probably has much better uptime than old-school web hosts, but now roughly half the Internet can be broken by one provider having an outage.
swordbeta wrote:
DEF CON talk given by Check Point a few days ago: https://www.youtube.com/watch?v=CrLJ29quZY8

afrcnc wrote:
Blog spam. Typical ArsTechnica these days.

Here's the actual report: https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...

wffurr wrote:
Thanks for the link, but the Ars report provides some additional context that I think is informative and useful, and is written in a more readable style than the Checkpoint press release.

stefan_ wrote:
Honestly this "report" is similarly devoid of any substantive content despite being the original source. At some point they discuss the dictionary meaning of DSP.

Your best bet for any details is apparently this DEF CON presentation:

https://www.youtube.com/watch?v=CrLJ29quZY8

krn wrote:
I have never had an iOS device in my life, but these three paragraphs provide probably the most convincing reason to finally make the switch:

> A billion or more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm's Snapdragon chip, researchers reported this week.

> The vulnerabilities can be exploited when a target downloads a video or other content that's rendered by the chip. Targets can also be attacked by installing malicious apps that require no permissions at all.

> From there, attackers can monitor locations and listen to nearby audio in real time and exfiltrate photos and videos. Exploits also make it possible to render the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfecting difficult.

lebaux wrote:
There is no specific information available about the nature of the vulnerabilities or possible mitigation.

Arstechnica.com is sensationalizing the news; when it comes to security I would rely on actual sec researchers.
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...

acdha wrote:
I'm not sure what your point was: that's the same article Ars linked, with the same message and no additional information because, as the Ars writer noted, they're withholding details until the vendors fix it.

afrcnc wrote:
No. He's saying that without the technical details, Ars is overblowing this issue. Maybe exploitation requires radio gear of $5k and being present next to the victim while their BLE is turned on. Without the details, you can't say if this is a big issue or just another overhyped Check Point research paper, as this company has a history of doing.

spoopyskelly wrote:
The Ars article includes the CVEs.

slipheen wrote:
I like Apple's devices, but aren't they just as vulnerable to CPU bugs?

There's plenty of good reasons to use an iOS device (and some good reasons to avoid one), but I wouldn't think that a CPU bug would be a particularly strong reason on either side.

GeekyBear wrote:
Bugs can be discovered anywhere. The question is whether those bugs will be patched.

The original iPhone SE is about to start its sixth year of OS updates and security patches.

Which works out to less than $70 per supported year.

That's a legitimate advantage over the Android ecosystem.

darksaints wrote:
In my personal experience, the sole reason for those updates is to cripple your hardware and battery life in order for you to upgrade to newer hardware.

lotsofpulp wrote:
In my experience, my iPhone 6 is perfectly usable, as is an old SE and 6S Plus. Batteries degrade, and after being replaced they work fine. And they're still getting updates this year.

Abishek_Muthian wrote:
> Batteries degrade, and after being replaced they work fine.

If the batteries were user replaceable, it would have been a perfect story.
Sending the device back to the manufacturer (authorised service center) can be an inconvenience (data formatting, TOTP apps etc.) at best, or a security breach (malware install, device imaging etc.) at worst.

Also, if indeed a user decides to replace the battery on their own, an iPhone is the least repairable phone out there and getting worse with every iteration.

rstupek wrote:
The procedure to get an iphone battery replaced is to make an appointment at the apple store and they swap it out as you wait.

jsheard wrote:
That's great if you live near an Apple Store, but only 25 countries have Apple Stores and half of those only have 1-3 stores for the whole country.

Xylakant wrote:
I can second this. I'm hanging on to my SE for the form factor and it's still going strong. My wife's SE is nearing a battery replacement after what feels like half a decade of usage. I dread the day the SE will no longer be supported.

Typing this on an iPhone SE

christophilus wrote:
Typing this on a perfectly fast iPhone 6.

GeekyBear wrote:
Refusing to fix bugs and issue patches is much cheaper, if forcing obsolescence is your goal.

darksaints wrote:
The vast majority of security vulnerabilities and bugs that end users experience are fixed within the first few years of the device's shelf life. Security vulnerabilities tend to go unnoticed by most end users, and therefore don't really play a role in forcing users to upgrade.

Wouldn't it be nice though if users could choose to patch security vulnerabilities without installing updates that deliberately slow down the phone?

acdha wrote:
Do you have a citation supporting the claim that old bugs don't affect users? That's certainly not true in the Windows world.

Similarly, "updates that deliberately slow down the phone" sounds like a conspiracy theory. The closest we've come to that being real would have required a caveat "...
when your battery has degraded to the point that the phone would otherwise crash", which is an important distinction.

darksaints wrote:
It's pretty hard to fine a company that has one of the world's largest legal departments EUR25m based on a conspiracy theory. And no, that caveat isn't even close to the truth. Apple states that they do it "once the battery begins to degrade", which is so ambiguous that it could even apply to brand new batteries, because _all_ batteries begin to degrade upon their first usage. In my case, I had a 9 month old iPhone 6 that drastically slowed down due to the update. When the apple store told me that it only slowed down phones with aging batteries, I asked them to replace my battery for my phone which was still under warranty. They "tested" it and told me my battery life was perfectly fine. Fuck that... have not and will not ever buy an apple product ever again.

dongvsascript wrote:
and literally any 10 year old android phone can run not just the latest security patches but even the latest android. you are taking the iphone limitation of 'os must be from hardware manufacturer' and for some reason applying it to android phones.

my 10 year old motorola nexus is running android 10 - which is the current version. you install the new os on android by downloading an app, which installs the new os on reboot. it takes 15 minutes, and gramma can do it.

next you'll tell me mac laptops are better because you can't put windows 10 on your old hp laptop, because hp's system image for it only goes to windows 7.

easton wrote:
Dang, I wish my grandma was an AOSP contributor.

But most phones in the United States sold within the last decade had the bootloaders locked so you can't install another rom even if you knew how to do it.

dongvsascript wrote:
this is simply false. very few phones have actually 'locked' bootloaders.
as in, can't go into settings and uncheck the 'locked' checkbox to unlock it.

when they do, you can easily unlock it - usually by simply asking your service provider or the manufacturer. and the ones you can't - yes, you have to hack it with a usb cable and a computer. for like .05% of phones.

and google's phones are not ever locked in any way, being the proper comparison, since you're comparing phones to apple.

what we have here with the op is trump voter logic, so he can feel better about himself by creating a fake reality where he is king. 'mr trump, i'm saying death as % of population, not tested cases.' - 'well, you can't do that.'

i got an old android, i'm gonna put the latest os on it. 'well, you can't do that.'

no mr apple. you are the one who can't do that.

fuzxi wrote:
HN is not for politics, and especially not for political shit-flinging.

dongvsascript wrote:
ah, a random guy who says we can't take a phone dispute and compare it to an existing political dispute. thanks for your on-topic comment, you really improved a conversation about phones.

you, literally: "you are taking deaths as a percent of population. you can't do that"

i just did. twice.

fuzxi wrote:
What a selfish way of looking at things. The site guidelines [1] exist for a reason, one of those reasons being that most HN users don't open the comments of an article about a few severe Qualcomm CVEs to read comments randomly laced with "orange man bad".

[1] https://news.ycombinator.com/newsguidelines.html

limomium wrote:
Could you link me an online resource detailing that process? I've been wanting to put the accumulation of old phones to use.

dongvsascript wrote:
go to lineageos, click on your phone. this'll get all your old phones the same type of android.

it's not what i do - i used a fairly weird build.
the generic steps for one way of doing it: download a recovery program, install it on the phone. pick the android rom you want from the recovery program. click install. it'll reboot your phone and install it. this is the way a gramma can do it.

i prefer hooking it up to my laptop with a usb cable and just typing the commands in the android shell. that is the way gramma cannot do it.

whynotminot wrote:
Lol who's your gramma?

krn wrote:
I like Android One devices and the complete freedom of choice they provide me, but the likelihood and the severity of CPU vulnerabilities seem to be much higher with Snapdragon chips.

Also, the security patches arrive much slower to Android than to iOS devices.

And I am especially concerned about ARM's TrustZone, which seems to be inferior to Apple's Secure Enclave.

esperent wrote:
This is the first exploit specific to snapdragon that I've ever heard of. Were there others?

krn wrote:
Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices (2020)
https://blog.zimperium.com/multiple-kernel-vulnerabilities-a...

The Road to Qualcomm TrustZone Apps Fuzzing (2019)
https://research.checkpoint.com/2019/the-road-to-qualcomm-tr...

QualPwn - Exploiting Qualcomm WLAN and Modem Over The Air (2019)
https://blade.tencent.com/en/advisories/qualpwn/

QuadRooter: New Android Vulnerabilities in Over 900 Million Devices (2016)
https://blog.checkpoint.com/2016/08/07/quadrooter/

stefan_ wrote:
What's special here? Apple similarly had full remote kernel takeovers from vulnerabilities in e.g. a Broadcom WiFi chip.

(page generated 2020-08-08 23:00 UTC)