Security Week 33: Qualcomm Mobile SoC Vulnerability

Last week saw two security conferences, Black Hat and DEF CON. Due to coronavirus restrictions, both events were held virtually this year, and the DEF CON materials were made completely open: recordings of the presentations were posted on YouTube, while Q&A sessions were conducted in real time on Twitch and in the conference chat on Discord. The event was named DEF CON Safe Mode.

One of the largest-scale presentations, if not the most interesting, was the study of vulnerabilities in Qualcomm mobile chips, which are used in a large number of Android devices (up to 40% of the market). The six patched vulnerabilities could cause denial of service, arbitrary code execution, direct access to the camera, microphone and GPS sensors, and more. The data on these holes was passed to the manufacturer in February and March, and Qualcomm patched them in July, but it is not yet clear when the patches will reach real devices. Because of this, the public announcement on the researchers' website contains no technical details, but they are in the DEF CON presentation.

Hexagon is essentially a separate processor within a Qualcomm SoC, responsible for communication with peripherals, from the camera to the device's charging circuit. The manufacturer distributes an SDK for working with it, but in practice only code signed by Qualcomm can run on the DSP. Using fuzzing, the researchers found a large number of small bugs in all the libraries for working with the DSP, more than 400 in total. They cause failures in code execution with varying consequences: in some cases a restart or freeze of the phone, in others code execution or uncontrolled access to peripheral devices. Exploiting the vulnerabilities involves launching a malicious application on the device that accesses the DSP, crashes it, and thereby gains extended privileges.

It is still impossible to assess the real scale of the problem without details. We only know that Qualcomm developers have closed the vulnerabilities, but the patches still need to be delivered to devices. Analysis of the latest set of Android security updates showed that the fixes were not included in it. In addition, Check Point suggests that vendors will also have to recompile their own code for working with Hexagon in order to get rid of the vulnerabilities completely. Unsupported devices that no longer receive security updates are likely to remain vulnerable.

Other interesting presentations from DEF CON and Black Hat:

– A discussion of a hypothetical attack on high-power IoT devices such as washing machines and heaters. The authors offer interesting hacking scenarios: for example, turning on thousands of heaters at the same time can influence the cost of electricity, which in turn indirectly affects the exchange rate of cryptocurrencies, since it depends on mining (news).

– 19 vulnerabilities were found and closed in the multimedia system of Mercedes E-Class cars; one of them allows an attacker to remotely open the doors and start the engine. An analysis of the device firmware also showed the possibility of an attack on the manufacturer's control servers (news).

– Research by James Pavur on the results of "satellite fishing", a method of intercepting satellite data. It would seem that with the spread of encrypted data transmission such a scenario should have become a thing of the past, but no, and it is not just a matter of legacy HTTP systems. The author managed to intercept the communications of a Chinese airline's plane, a login to the admin panel of a wind turbine in France, and negotiations on repairing a generator on a fuel tanker in Egypt (see also the article in Ars Technica).

What else happened:

Intel is investigating the leak of 20 gigabytes of data, including source code (Ars Technica article, discussion on Habr). Most likely, the leaked information is material that the vendor shares with partners under NDA.

An interesting article based on a user's observations of the Google Home smart speaker. The owner of the device triggered a fire alarm, and he received a notification about it on his phone. This is generally a good thing, but it implies that sound is always being recorded on the smart device, not just after the wake word is spoken. Google called the incident a mistake: a feature under test had accidentally made it into production.

Canon fell victim to a ransomware attack.

Data on 900 VPN servers running Pulse Secure software leaked online. This is a consequence of a serious vulnerability discovered last year. Because the flaw allowed arbitrary remote reading of data from a vulnerable server, the database contains not only domains and IP addresses, but also SSH keys and other information.
