[HN Gopher] Snapdragon chip flaws put 1B Android phones at risk ...
       ___________________________________________________________________
        
       Snapdragon chip flaws put 1B Android phones at risk of data theft
        
       Author : jiripospisil
       Score  : 161 points
       Date   : 2020-08-08 15:51 UTC (7 hours ago)
        
 (HTM) web link (arstechnica.com)
 (TXT) w3m dump (arstechnica.com)
        
       | awinter-py wrote:
       | Checkpoint's release for these vulnerabilities is here
       | https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...
       | 
       | Not clear from the writeup how many devices are affected. They
       | fuzz-tested 'a DSP chip' (sounds like just one) and then say that
       | Qualcomm products are used in 40% of devices.
       | 
       | The press release focuses on exfiltrating media + GPS; not clear if
       | this is a rootkit that can access the keyboard or take over your
       | email.
       | 
       | 'more than 400 vulnerable pieces of code were found' is not clear to
       | me -- maybe I don't know how fuzzing DSPs works? Do they have
       | access to the source code because the image decoder is open
       | source?
        
       | Ijumfs wrote:
       | Android phones are constantly stealing your data, I'm not sure
       | why a processor vulnerability would be cause for alarm when your
       | entire OS is a data exfiltration and surveillance platform.
        
         | Wronnay wrote:
         | That's simply not true. AOSP is open source and you can run an
         | Android phone without Google services.
         | 
         | You are generalizing the problem of some phone manufacturers
         | which deliver phones with software which spies on you, but the
         | OS isn't a surveillance platform - instead it's more open than
         | iOS - you can't look at the source code of iOS as simply as you
         | can look at the Android source code.
        
         | xarthna wrote:
         | Can you explain this more?
        
       | tpmx wrote:
       | Yikes.
       | 
       | Could Google theoretically remotely disable/remove apps that they
       | identify using the DSP in malicious ways?
        
         | jm4 wrote:
         | If it's in the DSP it may not need to be an app that runs the
         | exploit. Sounds like any malicious audio or video file could do
         | it. Could be something delivered via a streaming site, email,
         | audio embedded in a webpage, etc. This sounds like it could be
         | a very big deal.
         | 
         | It's great that Qualcomm has a fix, but most of the susceptible
         | devices will likely never get it in an update from their
         | manufacturers. And I wonder if there will be a performance or
         | battery life hit like the awful performance hit in the Intel
         | chips. That one cost me a 30% hit on my servers and resulted in
         | 6 figures of unplanned spending to replace that lost capacity.
        
           | tpmx wrote:
           | > If it's in the DSP it may not need to be an app that runs
           | the exploit. Sounds like any malicious audio or video file
           | could do it. Could be something delivered via a streaming
           | site, email, audio embedded in a webpage, etc. This sounds
           | like it could be a very big deal.
           | 
           | Seems unlikely to me. DSP data vs DSP code - I think it's in
           | the latter that you'll find vulnerabilities.
        
             | blihp wrote:
             | Second paragraph in the article: malicious media (i.e.
             | video) can exploit it
        
         | roneythomas6 wrote:
         | Yes they can through google play protect. But first they need
         | to identify the app.
        
           | tpmx wrote:
           | You'd think they'd launch a crash program immediately to do
           | exactly this. "No one sleeps until this is fixed."
           | 
           | Somehow I doubt that is going to happen, and that's also why
           | I don't use Android.
        
             | steelframe wrote:
             | "No one sleeps until this is fixed" sounds like a great way
             | to make things even worse.
        
               | tpmx wrote:
               | Poor underpaid google workers.
        
               | Xylakant wrote:
               | It's not about pay. People that don't sleep make mistakes
               | - no matter what you pay them. Rest is an essential part
               | of performance. Some people may need more and others
               | less, but there's no one that doesn't.
        
               | fuzxi wrote:
               | No need to take it so literally. I read "No one sleeps
               | until this is fixed" as "This is the top priority, push
               | everything else aside. Do not screw around, stay late if
               | you can. Everyone who can work on this needs to fix it."
        
               | tpmx wrote:
               | Oh ffs...
               | 
               | If your 2020 Google had been in charge of the Apollo 13
               | mission it would have been game over.
               | 
               | ..
               | 
               | I will spell it out:
               | 
               | Sometimes your software team messes up really badly. This
               | would be one of those times: 1 billion vulnerable people.
               | 
               | These things don't happen that often, but when they do
               | happen you'd better step up.
        
       | giudittapasta wrote:
       | Uhm, wasn't this already the case in August 2019?
        
       | ChuckNorris89 wrote:
       | The article is pretty spartan in details regarding the
       | vulnerability but as I understand it, the DSP is the attack
       | vector.
       | 
       | Wouldn't it make sense for Qualcomm to hardware/software sandbox
       | the memory content being processed by each part of the SoC?
       | 
       | Would such an attack also work on PCs with iGPUs, since they
       | share the system memory?
        
         | not2b wrote:
         | If they isolate the memory that each part of the SoC can
         | process, that means large amounts of data (for high definition
         | video) have to be copied from one processor to another, so
         | there's direct access. Then if the DSP's firmware has buffer
         | overrun bugs, craft a suitable video and read/write whatever
         | memory area you want to. (Not sure that this is what the bug
         | is, but it's my guess).
        
         | ajross wrote:
         | They likely do sandbox it to some extent. It's routine for
         | these devices to have their own SRAM decoupled from main
         | memory, and to have a hardware-managed window to get to OS-
         | visible RAM. Often there's a DMA controller that does that
         | instead, etc...
         | 
         | But all sandboxes can have holes. The phrasing in the article
         | actually makes it sound more like this is a software bug in the
         | firmware and not a hardware thing per se.
         | 
         | GPUs likewise have a somewhat cooked visibility to DRAM and
         | some amount of mapping and hardware DMA intermediate
         | interfaces. But sure, a similar GPU flaw could do the same
         | thing.
        
         | acdha wrote:
         | Yes - that's what iOS devices and modern computers do. The
         | risks of allowing unrestricted DMA started to get publicized in
         | the mid-2000s when FireWire was used to attack locked Macs.
         | IOMMUs are pretty common now but the OS still has to enable
         | them.
        
           | RL_Quine wrote:
           | The modern version of that is thunderbolt naturally.
        
           | ajross wrote:
           | IOMMUs aren't the only way to get secure DMA, it's more
           | common for small devices to have a double-ended device where
           | the other end (OS vs. DSP in this case) needs to set up its
           | own pointers itself. Doing it via page mapping is very
           | heavyweight and used for performance reasons when you need
           | both safety AND fast random access to large regions.
        
             | acdha wrote:
             | Yes - my main reaction was just that it was something of a
             | surprise to see Qualcomm not using any of the common
             | countermeasures for a class of attack which is not new and
             | for which they've had problems in the past.
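The sub-thread above is guessing at the mechanism (not2b: a buffer overrun in the DSP firmware reachable from a crafted video; ajross: a DSP with private SRAM and a hardware-managed window into OS-visible RAM, where each side has to set up its own pointers). Nothing in the article or the Check Point post confirms either, so the following is an added toy model written for this page, not Qualcomm code and not Check Point's findings: a firmware handler reads a frame descriptor out of a shared window and copies the payload into a fixed DSP-local buffer. The descriptor layout, buffer sizes, and function names are all invented. The unsafe handler trusts the attacker-controlled length; the hardened one snapshots the descriptor before validating it (the OS side shares that memory and could rewrite it between check and use), rejects lengths that leave the window or exceed the buffer, and uses a subtraction to avoid 32-bit wrap in offset + length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SRAM_FRAME_BUF 64u   /* hypothetical size of the DSP-local frame buffer */
#define GUARD_LEN      4u    /* stands in for whatever sits after that buffer */
#define SHARED_WINDOW  256u  /* hypothetical size of the OS-visible shared window */
#define GUARD_BYTE     0xEEu

/* Frame descriptor at the start of the shared window; both fields come from
 * the media file, i.e. from the attacker. Layout invented for this example. */
struct frame_desc {
    uint32_t payload_off;
    uint32_t payload_len;
};

/* DSP-private state: frame buffer plus a guard region modelling the memory an
 * overflow would corrupt (return address, callback pointer, ...). */
struct dsp_ctx {
    uint8_t mem[SRAM_FRAME_BUF + GUARD_LEN];
};

static void ctx_init(struct dsp_ctx *ctx)
{
    memset(ctx->mem, 0, SRAM_FRAME_BUF);
    memset(ctx->mem + SRAM_FRAME_BUF, GUARD_BYTE, GUARD_LEN);
}

/* 1 if any guard byte was overwritten. */
int guard_clobbered(const struct dsp_ctx *ctx)
{
    size_t i;
    for (i = 0; i < GUARD_LEN; i++)
        if (ctx->mem[SRAM_FRAME_BUF + i] != GUARD_BYTE)
            return 1;
    return 0;
}

/* Vulnerable handler: copies what the descriptor says, where it says. */
static int handle_frame_unsafe(struct dsp_ctx *ctx, const uint8_t *win, size_t win_len)
{
    struct frame_desc d;
    (void)win_len;                                         /* never consulted */
    memcpy(&d, win, sizeof d);
    memcpy(ctx->mem, win + d.payload_off, d.payload_len);  /* unbounded copy */
    return (int)d.payload_len;
}

/* Returns 1 if the payload lies inside the window, after the descriptor, and
 * fits the DSP buffer. len > win_len - off cannot wrap, unlike off + len. */
int desc_ok(uint32_t off, uint32_t len, size_t win_len)
{
    if (off < sizeof(struct frame_desc)) return 0;  /* overlaps descriptor */
    if (off > win_len) return 0;
    if (len > win_len - off) return 0;              /* runs past the window */
    if (len > SRAM_FRAME_BUF) return 0;             /* overflows SRAM buffer */
    return 1;
}

/* Hardened handler: snapshot the descriptor, then validate the snapshot. */
static int handle_frame_safe(struct dsp_ctx *ctx, const uint8_t *win, size_t win_len)
{
    struct frame_desc d;
    if (win_len < sizeof d) return -1;
    memcpy(&d, win, sizeof d);
    if (!desc_ok(d.payload_off, d.payload_len, win_len)) return -1;
    memcpy(ctx->mem, win + d.payload_off, d.payload_len);
    return (int)d.payload_len;
}

/* Constructed input: window with a 0x41-filled payload and one descriptor.
 * The payload is written first so the descriptor always survives intact. */
static int build_window(uint8_t *win, size_t win_len, uint32_t off, uint32_t len)
{
    struct frame_desc d = { off, len };
    if (win_len < sizeof d || off > win_len || len > win_len - off) return -1;
    memset(win, 0, win_len);
    memset(win + off, 0x41, len);
    memcpy(win, &d, sizeof d);
    return 0;
}

static int feed_frame(int hardened, uint32_t off, uint32_t len, struct dsp_ctx *ctx)
{
    uint8_t win[SHARED_WINDOW];
    ctx_init(ctx);
    if (build_window(win, sizeof win, off, len) != 0) return -2;
    return hardened ? handle_frame_safe(ctx, win, sizeof win)
                    : handle_frame_unsafe(ctx, win, sizeof win);
}

/* Status for one frame: bytes copied, -1 rejected, -2 bad test input. */
int frame_status(int hardened, uint32_t off, uint32_t len)
{
    struct dsp_ctx ctx;
    return feed_frame(hardened, off, len, &ctx);
}

/* Whether one frame corrupted memory past the frame buffer. */
int frame_clobbers_guard(int hardened, uint32_t off, uint32_t len)
{
    struct dsp_ctx ctx;
    feed_frame(hardened, off, len, &ctx);
    return guard_clobbered(&ctx);
}

int main(void)
{
    printf("benign  : unsafe=%d safe=%d\n", frame_status(0, 8, 32), frame_status(1, 8, 32));
    printf("crafted : unsafe=%d guard_hit=%d  safe=%d guard_hit=%d\n",
           frame_status(0, 8, 68), frame_clobbers_guard(0, 8, 68),
           frame_status(1, 8, 68), frame_clobbers_guard(1, 8, 68));
    return 0;
}
```

The crafted frame (offset 8, length 68) stays entirely inside the 256-byte window, so a check on the window alone would pass it; it is the second bound, the size of the DSP-local destination, that the hardened handler enforces. Real firmware would also need the DMA engine or window hardware to refuse offsets outside the region the OS actually mapped, which this model only simulates by passing `win_len` into the handler.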
        
       | ezekiel68 wrote:
       | Yet another reason why the protectionist hit job on Huawei was a
       | bad idea. My Mate 30 Pro will not be affected by this flaw.
        
         | spoopyskelly wrote:
         | > My Mate 30 Pro will not be affected by this flaw
         | 
         | It will just keep being affected by being a bad phone.
        
       | 0xcde4c3db wrote:
       | Ah, so it's actually pretty simple to avoid this vulnerability:
       | all I need to do is upgrade to an Android phone based on one of
       | the several competitive Snapdragon alternatives that are bound to
       | be widely available given the staggering size of the market.
       | 
       | Hold on, I'm sure I'll find one any minute now...
        
         | gruez wrote:
         | What about samsung exynos and mediatek?
        
           | 0xcde4c3db wrote:
           | As far as I can tell, in the US market they're almost
           | entirely confined to low-end models and non-phone devices
           | (tablets/Chromebooks/smart TVs). Importing, as a practical
           | matter, seems to mean no support/warranty, and it looks like
           | most models intended for other regions don't have full
           | support for the bands used by US networks.
        
           | userbinator wrote:
           | MTK is open by default (no bootloader lock, easy unbrickable
           | recovery), or at least that's what it was a few years ago
           | when I bought one. Great for the modding scene, but probably
           | not liked by the authoritarian-paranoid.
        
           | topicseed wrote:
           | The new Samsung Galaxy Note 20 Ultra ships with Exynos in the
           | UK and EU but performance drops against the same phone
           | running Snapdragon (shipped in the US).
           | 
           | So whilst the security might be better, we (tech geeks in
           | EU/UK) don't want to pay the same price for a less performant
           | phone sadly :/
           | 
           | But maybe in a few iterations!
        
             | iakov wrote:
             | I'm wondering why people need the "performant phone".
             | All the Android phones that I've had or seen in the last
             | few years run the OS and apps with no issues. The amount of
             | RAM might limit the multi-tasking, but otherwise I can't
             | imagine a real-life use-case where I may want a "performant
             | phone".
             | 
             | Can you maybe shed some light on this for me, please?
        
         | robocat wrote:
         | Using sarcasm is against HN guidelines - covered by "Don't be
         | snarky". Personally I enjoy being sarcastic, but I less enjoy
         | the sarcasm of others!
        
         | zolosa wrote:
         | There was KIRIN from Huawei which was quite good before US
         | killed it due to national security concerns.
         | 
         | And now US chip is genuine security concern for rest of the
         | world.
        
         | fulafel wrote:
         | There is no reason to believe Qualcomm is more broken than
         | competitors wrt this class of vulns.
         | 
         | (read the article or the original blog, q: "The more than 400
         | distinct bugs")
        
           | 0xcde4c3db wrote:
           | True, but the larger point is that the monoculture arguably
           | makes the impact of any given vulnerability worse. Similar to
           | how any given CDN/cloud provider probably has much better
           | uptime than old-school web hosts, but now roughly half the
           | Internet can be broken by one provider having an outage.
        
       | swordbeta wrote:
       | DEF CON talk given by Check Point a few days ago:
       | https://www.youtube.com/watch?v=CrLJ29quZY8
        
       | afrcnc wrote:
       | Blog spam. Typical ArsTechnica these days.
       | 
       | Here's the actual report:
       | https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...
        
         | wffurr wrote:
         | Thanks for the link, but the Ars report provides some
         | additional context that I think is informative and useful, and
         | is written in a more readable style than the Checkpoint press
         | release.
        
         | stefan_ wrote:
         | Honestly this "report" is similarly devoid of any substantive
         | content despite being the original source. At some point they
         | discuss the dictionary meaning of DSP.
         | 
         | Your best bet for any details is apparently this DEF CON
         | presentation:
         | 
         | https://www.youtube.com/watch?v=CrLJ29quZY8
        
       | krn wrote:
       | I have never had an iOS device in my life, but these three
       | paragraphs provide probably the most convincing reason to finally
       | make the switch:
       | 
       | > A billion or more Android devices are vulnerable to hacks that
       | can turn them into spying tools by exploiting more than 400
       | vulnerabilities in Qualcomm's Snapdragon chip, researchers
       | reported this week.
       | 
       | > The vulnerabilities can be exploited when a target downloads a
       | video or other content that's rendered by the chip. Targets can
       | also be attacked by installing malicious apps that require no
       | permissions at all.
       | 
       | > From there, attackers can monitor locations and listen to
       | nearby audio in real time and exfiltrate photos and videos.
       | Exploits also make it possible to render the phone completely
       | unresponsive. Infections can be hidden from the operating system
       | in a way that makes disinfecting difficult.
        
         | lebaux wrote:
         | There is no specific information available about the nature of
         | the vulnerabilities or possible mitigation.
         | 
         | Arstechnica.com is sensationalizing the news, when it comes to
         | security I would rely on actual sec researchers.
         | 
         | https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...
        
           | acdha wrote:
           | I'm not sure what your point was: that's the same article Ars
           | linked, with the same message and no additional information
           | because, as the Ars writer noted, they're withholding details
           | until the vendors fix it.
        
             | afrcnc wrote:
             | No. He's saying that without the technical details, Ars is
             | overblowing this issue. Maybe exploitation requires radio
             | gear of $5k and being present next to the victim while
             | their BLE is turned on. Without the details, you can't say
             | if this is a big issue or just another overhyped Check
             | Point research paper, as this company has a history of
             | doing.
        
               | spoopyskelly wrote:
               | The Ars article includes the CVEs.
        
         | slipheen wrote:
         | I like Apples devices, but aren't they just as vulnerable to
         | CPU bugs?
         | 
         | There's plenty of good reasons to use an iOS device (and some
         | good reasons to avoid one), but I wouldn't think that CPU bug
         | would be a particularly strong reason on either side.
        
           | GeekyBear wrote:
           | Bugs can be discovered anywhere. The question is whether
           | those bugs will be patched.
           | 
             | The original iPhone SE is about to start its sixth year of
             | OS updates and security patches.
           | 
           | Which works out to less than $70 per supported year.
           | 
           | That's a legitimate advantage over the Android ecosystem.
        
             | darksaints wrote:
             | In my personal experience, the sole reason for those
             | updates is to cripple your hardware and battery life in
             | order for you to upgrade to newer hardware.
        
               | lotsofpulp wrote:
               | In my experience, my iPhone 6 is perfectly usable, as is
               | an old SE and 6S Plus. Batteries degrade, and after being
               | replaced they work fine. And they're still getting
               | updates this year.
        
               | Abishek_Muthian wrote:
               | >Batteries degrade, and after being replaced they work
               | fine.
               | 
               | If the batteries were user replaceable, it would have
               | been a perfect story.
               | 
               | Sending the device back to the manufacturer (authorised
               | service center) can be an inconvenience (data formatting,
               | TOTP apps, etc.) at best and a security breach (malware
               | install, device imaging, etc.) at worst.
               | 
               | Also, if indeed a user decides to replace the battery on
               | their own, an iPhone is the least repairable phone out
               | there and getting worse with every iteration.
        
               | rstupek wrote:
               | The procedure to get an iphone battery replaced is to
               | make an appointment at the apple store and they swap it
               | out as you wait.
        
               | jsheard wrote:
               | That's great if you live near an Apple Store, but only 25
               | countries have Apple Stores and half of those only have
               | 1-3 stores for the whole country.
        
               | Xylakant wrote:
               | I can second this. I'm hanging on to my SE for the form
               | factor and it's still going strong. My wife's SE is
               | nearing a battery replacement after what feels like half
               | a decade of usage. I dread the day the SE will no longer
               | be supported.
               | 
               | Typing this on an iPhone SE
        
               | christophilus wrote:
               | Typing this on a perfectly fast iPhone 6.
        
               | GeekyBear wrote:
               | Refusing to fix bugs and issue patches is much cheaper,
               | if forcing obsolescence is your goal.
        
               | darksaints wrote:
               | The vast majority of security vulnerabilities and bugs
               | that end users experience are fixed within the first few
               | years of the device's shelf life. Security
               | vulnerabilities tend to go unnoticed by most end users,
               | and therefore don't really play a role in forcing users
               | to upgrade.
               | 
               | Wouldn't it be nice though if users could choose to patch
               | security vulnerabilities without installing updates that
               | deliberately slow down the phone?
        
               | acdha wrote:
               | Do you have a citation supporting the claim that old bugs
               | don't affect users? That's certainly not true in the
               | Windows world.
               | 
               | Similarly, "updates that deliberately slow down the
               | phone" sounds like a conspiracy theory. The closest we've
               | come to that being real would have required a caveat "...
               | when your battery has degraded to the point that the
               | phone would otherwise crash", which is an important
               | distinction.
        
               | darksaints wrote:
               | It's pretty hard to fine a company that has one of the
               | world's largest legal departments EUR25m based on a
               | conspiracy theory. And no, that caveat isn't even close
               | to the truth. Apple states that they do it "once the
               | battery begins to degrade", which is so ambiguous that it
               | could even apply to brand new batteries, because _all_
               | batteries begin to degrade upon their first usage. In my
               | case, I had a 9 month old iPhone 6 that drastically
               | slowed down due to the update. When the apple store told
               | me that it only slowed down phones with aging batteries,
               | I asked them to replace my battery for my phone which was
               | still under warranty. They  "tested" it and told me my
               | battery life was perfectly fine. Fuck that...have not and
               | will not ever buy an apple product ever again.
        
             | dongvsascript wrote:
             | and literally any 10 year old android phone can run not
             | just the latest security patches but even the latest
             | android. you are taking the iphone limitation of 'os must
             | be from hardware manufacturer' and for some reason applying
             | it to android phones.
             | 
             | my 10 year old motorola nexus is running android 10 -which
             | is the current version. you install the new os on android
             | by downloading an app, which installs the new os on reboot.
             | it takes 15 minutes, and gramma can do it.
             | 
             | next you'll tell me mac laptops are better because you
             | can't put windows 10 on your old hp laptop, because hp's
             | system image for it only goes to windows 7.
        
               | easton wrote:
               | Dang, I wish my grandma was an AOSP contributor.
               | 
               | But most phones in the United States sold within the last
               | decade had the bootloaders locked so you can't install
               | another rom even if you knew how to do it.
        
               | dongvsascript wrote:
               | this is simply false. very few phones have actually
               | 'locked' bootloaders. as in, can't go into settings and
               | uncheck 'locked' checkbox to unlock it.
               | 
               | when they do, you can easily unlock it -usually by simply
               | asking your service provider or the manufacturer. and the
               | ones you can't -yes, you have to hack it with a usb cable
               | and a computer. for like .05% of phones.
               | 
               | and google's phones are not ever locked in any way, being
               | the proper comparison, since you're comparing phones to
               | apple.
               | 
               | what we have here with the op is trump voter logic, so he
               | can feel better about himself by creating a fake reality
               | where he is king. 'mr trump, i'm saying death as %of
               | population, not tested cases.' - 'well, you can't do
               | that.'
               | 
               | i got an old android, i'm gonna put the latest os on it.
               | 'well, you can't do that.'
               | 
               | no mr apple. you are the one who can't do that.
        
               | fuzxi wrote:
               | HN is not for politics, and especially not for political
               | shit-flinging.
        
               | dongvsascript wrote:
               | ah, a random guy who says we can't take a phone dispute
               | and compare it to an existing political dispute. thanks
               | for your on-topic comment, you really improved a
               | conversation about phones.
               | 
               | you, literally:"you are taking deaths as a percent of
               | population. you can't do that"
               | 
               | i just did. twice.
        
               | fuzxi wrote:
               | What a selfish way of looking at things. The site
               | guidelines [1] exist for a reason, one of those reasons
               | being that most HN users don't open the comments of an
               | article about a few severe Qualcomm CVEs to read comments
               | randomly laced with "orange man bad".
               | 
               | [1] https://news.ycombinator.com/newsguidelines.html
        
               | limomium wrote:
               | Could you link me an online resource detailing that
               | process? I've been wanting to put the accumulation of old
               | phones to use.
        
               | dongvsascript wrote:
               | go to lineageos, click on your phone. this'll get all
               | your old phones the same type of android.
               | 
               | it's not what i do -i used a fairly weird build.
               | 
               | the generic steps for one way of doing it: download a
               | recovery program, install it on the phone. pick the
               | android rom you want from the recovery program. click
               | install. it'll reboot your phone and install it. this is
               | the way a gramma can do it.
               | 
               | i prefer hooking it up to my laptop with a usb cable and
               | just typing the commands in the android shell. that is
               | the way gramma cannot do it.
        
               | whynotminot wrote:
               | Lol who's your gramma?
        
           | krn wrote:
           | I like Android One devices and the complete freedom of choice
           | they provide me, but the likelihood and the severity of CPU
           | vulnerabilities seem to be much higher with Snapdragon chips.
           | 
           | Also, the security patches arrive much slower to Android than
           | to iOS devices.
           | 
           | And I am especially concerned about ARM's TrustZone, which
           | seems to be inferior to Apple's Secure Enclave.
        
             | esperent wrote:
             | This is the first exploit specific to snapdragon that I've
             | ever heard of. Were there others?
        
               | krn wrote:
               | Multiple Kernel Vulnerabilities Affecting All Qualcomm
               | Devices (2020)
               | 
               | https://blog.zimperium.com/multiple-kernel-
               | vulnerabilities-a...
               | 
               | The Road to Qualcomm TrustZone Apps Fuzzing (2019)
               | 
               | https://research.checkpoint.com/2019/the-road-to-
               | qualcomm-tr...
               | 
               | QualPwn - Exploiting Qualcomm WLAN and Modem Over The Air
               | (2019)
               | 
               | https://blade.tencent.com/en/advisories/qualpwn/
               | 
               | QuadRooter: New Android Vulnerabilities in Over 900
               | Million Devices (2016)
               | 
               | https://blog.checkpoint.com/2016/08/07/quadrooter/
        
         | stefan_ wrote:
         | What's special here? Apple similarly had full remote kernel
         | takeovers from vulnerabilities in e.g. a Broadcom WiFi chip.
        
       ___________________________________________________________________
       (page generated 2020-08-08 23:00 UTC)