
Over 400 vulnerabilities on Qualcomm’s Snapdragon chip - Flenser
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
======
AdmiralAsshat
Do any of these vulnerabilities let us unlock the bootloader?

~~~
baby
Why would you want that?

~~~
leoh
Because (a) it would let you root your device, allowing you to do what you
want with it (b) it would make these 400 vulnerabilities especially dangerous

~~~
esperent
(c) it would prevent most banking and finance apps from working.

~~~
gsich
Just use the website.

~~~
methyl
Website for NFC payments? How?

~~~
gsich
Use the card.

~~~
zeepzeep
Use an implant.

~~~
gsich
Not a fair comparison. ;)

------
sp332
While they are still withholding info about how to exploit the bugs, there is
more technical detail in their Defcon talk, "Pwn2Own Qualcomm Compute DSP for
Fun and Profit"
[https://www.youtube.com/watch?v=CrLJ29quZY8](https://www.youtube.com/watch?v=CrLJ29quZY8)

------
wyldfire
Also discussed here

[https://news.ycombinator.com/item?id=24081581](https://news.ycombinator.com/item?id=24081581)
[https://news.ycombinator.com/item?id=24092545](https://news.ycombinator.com/item?id=24092545)

------
mschuster91
Seriously I'm beyond pissed at the state of Android, patches and open-source
compliance. If we are _lucky_ 10% of current phone models will get any form of
update. The rest will be vulnerable for _years_ until the devices finally
break.

And that's only the Qualcomm stuff. There is another CPU vendor beginning with
M who is big in el-cheapo hardware - look at their Android kernel leaks,
wherever you dig you find horrid, HORRID code.

Google should mandate full open source disclosure of all GPL'd components as
part of the Play Store certification and unlockable bootloaders, otherwise
this shit is never going to change.

~~~
BiteCode_dev
Still getting updates for my OnePlus 6. YMMV.

~~~
Polylactic_acid
Still getting updates for my 7 year old iPad Air 2. About to get iOS 14 as
well. Android has warped people's perspectives on how long a device would get
updated. On PC you can just keep installing updates until the device can't
keep up anymore.

~~~
lorenzhs
The iPad Air 2 was introduced just under six years ago. But even the original
iPad Air, which was introduced nearly seven years ago, still gets security
updates. The last update was released less than a month ago. It's stuck on iOS
12, though.

------
throwmemoney
“A single SoC (Software on Chip) may include features to enable daily mobile
usage such as image processing, computer vision, neural network-related
calculations, camera streaming, audio and voice data.”

Should be SoC (System on Chip)

------
cbsks
Here's a link to the DEF CON talk:
[https://www.youtube.com/watch?v=CrLJ29quZY8](https://www.youtube.com/watch?v=CrLJ29quZY8)

------
daneel_w
There seems to be some confusion on the authors' behalf about what a DSP is,
and what an SoC is ("software" on chip, as they call it...) I'm just
nitpicking, of course.

~~~
wmf
I think you have a point here. When they say "DSP chip" instead of "DSP core
inside the Snapdragon chip" it makes me wonder what else they got wrong. I
don't think the oversimplified language is any more approachable here.

(As it happens I read the slides and this is a legit vulnerability but you'd
never know it from the press release.)

------
supernova87a
I wonder if Apple/others knew about such vulnerabilities, and passed up on
using the chip as a risk? Or, was it just dumb luck that they avoided this?

~~~
jandrese
From Apple's perspective Qualcomm has been insufficient for a long time for
many reasons, the security issues here would only be one of the many factors
involved in the decision to do their own development.

For what it is worth, a modern chip as complex as the A* series is essentially
guaranteed to have vulnerabilities. Maybe not 400, but definitely not 0.

~~~
josh2600
This is a thing I think people constantly underestimate... Intel's cores are
not necessarily dramatically more broken than everyone else's chips, they just
pay for more auditing and public research.

~~~
yjftsjthsd-h
> they just pay for more auditing and public research.

Did Intel finance the research that turned up any of the major headline
vulnerabilities over the last few years (meltdown, spectre)?

~~~
monocasa
They did not.

~~~
Polylactic_acid
It was a Google researcher mostly.

~~~
GeekyBear
> Meltdown was independently discovered and reported by three teams:

Jann Horn (Google Project Zero), Werner Haas, Thomas Prescher (Cyberus
Technology), Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz
University of Technology)

Spectre was independently discovered and reported by two people:

Jann Horn (Google Project Zero) and Paul Kocher in collaboration with, in
alphabetical order, Daniel Genkin (University of Pennsylvania and University
of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of
Technology), and Yuval Yarom (University of Adelaide and Data61)

[https://meltdownattack.com/#faq-systems-meltdown](https://meltdownattack.com/#faq-systems-meltdown)

------
fsflover
Time to switch to open source:

[https://en.wikipedia.org/wiki/Pinephone](https://en.wikipedia.org/wiki/Pinephone)

[https://en.wikipedia.org/wiki/Librem_5](https://en.wikipedia.org/wiki/Librem_5)

~~~
cestith
An Open Source OS can help, sure, and is a start. A DSP is a programmable
hardware device. Both phones to which you linked use variants of ARM
processors and then use third-party baseband systems. You're not getting rid
of closed-source hardware vulnerabilities by replacing Android or iOS.

~~~
evilos
Agree, we need open source hardware (like RISC-V) to mature in order to
eliminate this class of vulnerabilities. I haven't heard much on mobile class
RISC-V SoCs though.

~~~
jlokier
RISC-V is an open source ISA, which means anyone is free to implement it,
interface with it, customise it etc.

But most RISC-V devices are not open source as far as I know, at least
currently. And a mobile class SoC would still be a very complex device,
therefore with vulnerabilities (and also therefore with much less motivation
for a company to open source the whole design). You'd have a similar problem
as now.

That said, if someone wants to work with me on a RISC-V mobile class SoC (or
server/supercomputer class) do get in touch, I'd love to do it :-)

------
ithrow
I guess this makes "national security" as an argument a bad joke.

~~~
therealmarv
unless they force everyone to buy Apple phones ;)

~~~
harpratap
CheckM8? [https://arstechnica.com/information-technology/2019/09/devel...](https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/)

------
akshayB
Hardware vulnerabilities and issues are hard to address at times, as they can
be connected to other vendors' hardware or software. I always wonder if these
flaws are left in the design intentionally or if they're just sneaky bad bugs.

------
maxdo
Is there any related data for Apple?

~~~
skrowl
They have a lot too, a new one just popped up a few days ago
[https://www.bgr.in/news/apple-products-have-a-new-unpatchabl...](https://www.bgr.in/news/apple-products-have-a-new-unpatchable-security-flaw-in-the-secure-enclave-chip-details-specifications-vulnerability-jailbreak-906524/)

I'm not sure if anyone has compiled a list of how many

~~~
compscistd
> The report notes that this security flaw is present in all the devices
> running chips between A7 and A11 Bionic. Apple has already fixed the exploit
> in A12 and A13 Bionic chips so newer devices are safe.

That's four generations of Apple hardware, the latest being iPhone X and
iPhone 8/8 Plus (Sept 2017). The patch being fixed in A12 means the iPhone XR
and iPhone XS (and later) are unaffected.

------
segfaultbuserr
I wonder what it would be like to fill in application forms for over 400 CVE
numbers, or to read a security advisory with the first page exclusively
occupied by CVE numbers. Well, seriously speaking, they'll probably group
these vulnerabilities and apply for a big one.

~~~
wmf
Keep reading; there are 6 CVEs assigned. The 400 is different binaries that
have the same vulnerability.

------
based2
[https://www.reddit.com/r/netsec/comments/i58ex8/new_qualcomm...](https://www.reddit.com/r/netsec/comments/i58ex8/new_qualcomm_chip_vulnerability/)

------
LoveMortuus
Would having an open source chip with a rolling release be more secure? Like,
as soon as the vulnerability is discovered you would push the fix and the next
generations would already be fixed. Or would such frequent changes to the chip
design be too difficult to mass produce, due to having to modify the
production process?

This is coming from a point of view that Linux is quite a success and thus
maybe the same philosophy could be used for hardware?

~~~
HPsquared
Hardware is different in that it can't be updated once it leaves the factory
and has to be "right first time".

~~~
jaywalk
Not quite true:
[https://en.wikipedia.org/wiki/Intel_Microcode](https://en.wikipedia.org/wiki/Intel_Microcode)

------
kanox
Shouldn't proper IOMMU usage prevent this?

In theory when properly configured the DSP or GPU should be unable to touch
system RAM outside of buffers that are specifically assigned to them.

I'm not very familiar with the status of IOMMU on Android devices.

~~~
monocasa
It's dependent on the SoC whether there's IOMMUs at all and whether they're
rigged up to all the bus masters in the system. A lot don't have them as it
was seen as a virtualization feature rather than a security feature for the
longest time.

------
joemazerino
Google has pushed the patch for this back to October. I wonder what will
happen to downstream vendors (Samsung, CopperheadOS)?

~~~
ta17711771
You mean GrapheneOS.

~~~
joemazerino
I'm referring to businesses because they have SLAs or other customer
obligations. AFAICT Graphene isn't a business but is a FOSS project without
customer support requirements or obligations.

------
jamisteven
You say vulnerability, we say feature.

------
rStar
insecure by design

------
ETHisso2017
If the US government hadn't sanctioned Huawei, we could have an alternative to
these chips.

~~~
mkl
There are other alternatives, e.g. Samsung.

~~~
inetknght
Yeah because Samsung has _so_ much better history of fixing security issues...

~~~
liuyong
That's why we need all of them, instead of sanctions on either one of them.

------
walterbell
SpaceX designed custom SoCs for their isolated offshore/offworld network of
Starlink satellites, [https://spacenews.com/spacex-accused-of-poaching-chipmakers-...](https://spacenews.com/spacex-accused-of-poaching-chipmakers-employees/)

_> Broadcom filed suit ... claiming SpaceX hired a number of Broadcom's top
engineers to develop "a family of sophisticated, customized computer chips."
The two companies had been working together on the development of advanced
computer chips for an undisclosed project, but SpaceX ultimately ended the
collaboration._

~~~
oh_sigh
What's your implication here? SpaceX perhaps saw a bunch of security vulns and
decided to DIY?

