
Snapdragon chip flaws put 1B Android phones at risk of data theft - jiripospisil
https://arstechnica.com/information-technology/2020/08/snapdragon-chip-flaws-put-1-billion-android-phones-at-risk-of-data-theft/
======
krn
I have never had an iOS device in my life, but these three paragraphs provide
probably the most convincing reason to finally make the switch:

> A billion or more Android devices are vulnerable to hacks that can turn them
> into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s
> Snapdragon chip, researchers reported this week.

> The vulnerabilities can be exploited when a target downloads a video or
> other content that’s rendered by the chip. Targets can also be attacked by
> installing malicious apps that require no permissions at all.

> From there, attackers can monitor locations and listen to nearby audio in
> real time and exfiltrate photos and videos. Exploits also make it possible
> to render the phone completely unresponsive. Infections can be hidden from
> the operating system in a way that makes disinfecting difficult.

~~~
slipheen
I like Apple's devices, but aren't they just as vulnerable to CPU bugs?

There's plenty of good reasons to use an iOS device (and some good reasons to
avoid one), but I wouldn't think that CPU bug would be a particularly strong
reason on either side.

~~~
GeekyBear
Bugs can be discovered anywhere. The question is whether those bugs will be
patched.

The original iPhone SE is about to start its sixth year of OS updates and
security patches.

Which works out to less than $70 per supported year.

That's a legitimate advantage over the Android ecosystem.

~~~
dongvsascript
and literally any 10 year old android phone can run not just the latest
security patches but even the latest android. you are taking the iphone
limitation of 'os must be from hardware manufacturer' and for some reason
applying it to android phones.

my 10 year old motorola nexus is running android 10, which is the current
version. you install the new os on android by downloading an app, which
installs the new os on reboot. it takes 15 minutes, and grandma can do it.

next you'll tell me mac laptops are better because you can't put windows 10 on
your old hp laptop, because hp's system image for it only goes to windows 7.

~~~
ViViDboarder
Sure, installing the updates may be simple, but getting the OS installed in
the first place is not quite as simple.

Also, many Android devices don’t even have unlockable bootloaders. This makes
your first statement patently false. There is no way for me to install any
updates to my abandoned Acer tablet as the bootloader is locked and the device
is abandoned.

It may be true to say “many Android devices can be updated through community
projects” but you’re glossing over a lot of complexity.

I

~~~
post_below
I rarely root devices but I have yet to own an Android device that couldn't
(eventually) be rooted using a community tool. This is anecdotal, there must
be exceptions, but in my experience "locked bootloader" just means it might be
a while before someone finds an exploit.

Easy enough for grandma, maybe not so much.

~~~
judge2020
> Easy enough for grandma, maybe not so much.

This is pretty important when we're talking about a billion devices. The number
of people who do this is irrelevant and thus 99% or more of these users will
be vulnerable until their phone stops working or the Facebook app no longer
supports such an old version, forcing them to get a new one [assuming new
Snapdragon chips fix the issue].

~~~
post_below
Right, I never suggested otherwise, just clearing up the misconception that a
locked bootloader automatically means the phone's OS can't be updated.

------
0xcde4c3db
Ah, so it's actually pretty simple to avoid this vulnerability: all I need to
do is upgrade to an Android phone based on one of the several competitive
Snapdragon alternatives that are bound to be widely available given the
staggering size of the market.

Hold on, I'm sure I'll find one any minute now...

~~~
gruez
What about Samsung Exynos and MediaTek?

~~~
topicseed
The new Samsung Galaxy Note 20 Ultra ships with Exynos in the UK and EU but
performance drops against the same phone running Snapdragon (shipped in the
US).

So whilst the security might be better, we (tech geeks in EU/UK) don't want
to pay the same price for a less performant phone, sadly :/

But maybe in a few iterations!

~~~
iakov
I'm wondering why people need the "performant phone". All the Android
phones that I've had or seen in the last few years run the OS and apps with no
issues. The amount of RAM might limit the multi-tasking, but otherwise I can't
imagine a real-life use-case where I may want a "performant phone".

Can you maybe shed some light on this for me, please?

~~~
nxc18
It starts to matter a lot with things like AR, video games etc. I work on an
AR mobile product and the performance advantage for iOS is substantial.
Outside of flagships, the performance of AR on android is pretty bad, while as
far back as iPhone 8 you’re maintaining 60fps no problems. I haven’t tested
older than that but I tend to believe the oft-quoted 5 year performance lead
on the A series chips.

~~~
TwoBit
Nobody gives a crap about phone AR. And of those who play games the vast
majority play games that don't need performance.

------
awinter-py
Checkpoint's release for these vulnerabilities is here:
[https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...](https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/)

Not clear from the writeup how many devices are affected. They fuzz-tested 'a
DSP chip' (sounds like just one) and then say that Qualcomm products are used
in 40% of devices.

Press release focuses on exfiltrating media + GPS, not clear if this is a
rootkit that can access the keyboard or take over your email.

'More than 400 vulnerable pieces of code were found' is not clear to me -- maybe
I don't know how fuzzing DSPs works? Do they have access to the source code
because the image decoder is open source?

~~~
wyldfire
The QEMU Linux userspace implementation for Hexagon is recently available and
open source, yes. Not sure whether it would've been any harder to do fuzzing
with the closed-source simulator that's been available for a long time. But
the fuzzer doesn't need the libraries' source, it just makes it easier for the
fuzzer if it has access to the source. And the availability of emulator or
simulator code is probably independent of this too.

The 400 distinct bugs are the uniquely faulting instructions or paths
uncovered by the fuzzer.

------
afrcnc
Blog spam. Typical ArsTechnica these days.

Here's the actual report: [https://blog.checkpoint.com/2020/08/06/achilles-small-chip-b...](https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/)

~~~
stefan_
Honestly this "report" is similarly devoid of any substantive content despite
being the original source. At some point they discuss the dictionary meaning
of DSP.

Your best bet for any details is apparently this DEF CON presentation:

[https://www.youtube.com/watch?v=CrLJ29quZY8](https://www.youtube.com/watch?v=CrLJ29quZY8)

------
swordbeta
DEF CON talk given by Check Point a few days ago:
[https://www.youtube.com/watch?v=CrLJ29quZY8](https://www.youtube.com/watch?v=CrLJ29quZY8)

------
ChuckNorris89
The article is pretty spartan in details regarding the vulnerability but as I
understand it, the DSP is the attack vector.

Wouldn't it make sense for Qualcomm to hardware/software sandbox the memory
content being processed by each part of the SoC?

Would such an attack also work on PCs with iGPUs, since they share the system
memory?

~~~
acdha
Yes - that’s what iOS devices and modern computers do. The risks of allowing
unrestricted DMA started to get publicized in the mid-2000s when FireWire was
used to attack locked Macs. IOMMUs are pretty common now but the OS still has
to enable them.

~~~
ajross
IOMMUs aren't the only way to get secure DMA; it's more common for small
devices to have a double-ended device where the other end (OS vs. DSP in this
case) needs to set up its own pointers itself. Doing it via page mapping is
very heavyweight and used for performance reasons when you need both safety
AND fast random access to large regions.
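
To make the "double-ended" scheme above concrete, here is an added example in C. It is not code from this thread, from Qualcomm or from Check Point; the descriptor layout, window size, transfer limit and every function name are hypothetical. It shows the check the receiving side of a shared-memory window (the DSP firmware, in this case) has to do on an offset/length pair handed over by the other side before touching the buffer, and why the obvious `offset + length <= size` test is not enough: the 32-bit sum can wrap, so a descriptor pointing far outside the window passes it.

```c
/* Added example, not from the thread or from any vendor code.
 * Models a shared-memory window where the peer (OS side) supplies a
 * descriptor and the DSP side must range-check it before any copy.
 * All sizes and names are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHARED_WINDOW_SIZE 4096u  /* constructed: size of the shared region */
#define MAX_TRANSFER       1024u  /* constructed: largest single transfer allowed */

struct dma_desc {
    uint32_t offset;  /* byte offset into the shared window, chosen by the peer */
    uint32_t length;  /* byte count the peer claims is valid */
};

enum desc_status { DESC_OK = 0, DESC_TOO_LONG = 1, DESC_OUT_OF_RANGE = 2 };

/* The check a naive handler tends to write. offset + length is a 32-bit sum,
 * so a large offset wraps the result back below window_size and the check
 * accepts a descriptor that points well outside the window. */
bool naive_in_range(uint32_t offset, uint32_t length, uint32_t window_size)
{
    return offset + length <= window_size;
}

/* Hardened check: compare length against the space remaining after offset
 * instead of forming offset + length, so no intermediate value can wrap. */
enum desc_status validate_desc(const struct dma_desc *d, uint32_t window_size,
                               uint32_t max_len)
{
    if (d->length > max_len)
        return DESC_TOO_LONG;
    if (d->offset > window_size)
        return DESC_OUT_OF_RANGE;
    if (d->length > window_size - d->offset)
        return DESC_OUT_OF_RANGE;
    return DESC_OK;
}

/* Convenience wrapper taking scalars, so callers need not build the struct. */
enum desc_status check_desc(uint32_t offset, uint32_t length,
                            uint32_t window_size, uint32_t max_len)
{
    struct dma_desc d = { offset, length };
    return validate_desc(&d, window_size, max_len);
}

/* Copy the described bytes out of the window only after validation.
 * Returns the number of bytes copied, or -1 if the descriptor was rejected. */
long copy_from_peer(const uint8_t *window, uint32_t window_size,
                    const struct dma_desc *d, uint8_t *out, uint32_t out_len)
{
    if (validate_desc(d, window_size, out_len) != DESC_OK)
        return -1;
    memcpy(out, window + d->offset, d->length);
    return (long)d->length;
}

/* Constructed demo: the window holds byte i = i & 0xff. Returns the sum of
 * the bytes copied into a 64-byte destination, or -1 if rejected. */
long demo_copy_sum(uint32_t offset, uint32_t length)
{
    static uint8_t window[SHARED_WINDOW_SIZE];
    uint8_t out[64];
    struct dma_desc d = { offset, length };
    long sum = 0;
    for (uint32_t i = 0; i < SHARED_WINDOW_SIZE; i++)
        window[i] = (uint8_t)(i & 0xff);
    long n = copy_from_peer(window, SHARED_WINDOW_SIZE, &d, out, sizeof out);
    if (n < 0)
        return -1;
    for (long i = 0; i < n; i++)
        sum += out[i];
    return sum;
}

int main(void)
{
    printf("naive check on wrapping descriptor: %s\n",
           naive_in_range(0xFFFFFF00u, 0x200u, SHARED_WINDOW_SIZE) ? "accepted" : "rejected");
    printf("hardened check on same descriptor: %s\n",
           check_desc(0xFFFFFF00u, 0x200u, SHARED_WINDOW_SIZE, MAX_TRANSFER) == DESC_OK
               ? "accepted" : "rejected");
    printf("sum of bytes 16..23 via a valid descriptor: %ld\n", demo_copy_sum(16, 8));
    printf("descriptor running past the window end: %ld\n", demo_copy_sum(4090, 16));
    return 0;
}
```

The ordering of the checks is the point: bounding `length` first and then comparing it against `window_size - offset` keeps every intermediate value in range, which is what an IOMMU would otherwise enforce in hardware. A per-transfer cap (`MAX_TRANSFER` here) is also what lets the receiving side size its own staging buffers without trusting the peer.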

~~~
acdha
Yes - my main reaction was just that it was something of a surprise to see
Qualcomm not using any of the common countermeasures for a class of attack
which is not new and for which they’ve had problems in the past.

------
tpmx
Yikes.

Could Google theoretically remotely disable/remove apps that they identify
using the DSP in malicious ways?

~~~
jm4
If it's in the DSP it may not need to be an app that runs the exploit. Sounds
like any malicious audio or video file could do it. Could be something
delivered via a streaming site, email, audio embedded in a webpage, etc. This
sounds like it could be a very big deal.

It's great that Qualcomm has a fix, but most of the susceptible devices will
likely never get it in an update from their manufacturers. And I wonder if
there will be a performance or battery life hit like the awful performance hit
in the Intel chips. That one cost me a 30% hit on my servers and resulted in 6
figures of unplanned spending to replace that lost capacity.

~~~
tpmx
> If it's in the DSP it may not need to be an app that runs the exploit.
> Sounds like any malicious audio or video file could do it. Could be
> something delivered via a streaming site, email, audio embedded in a
> webpage, etc. This sounds like it could be a very big deal.

Seems unlikely to me. DSP data vs DSP code - I think it's in the latter that
you'll find vulnerabilities.

~~~
blihp
Second paragraph in the article: malicious media (i.e. video) can exploit it

------
1MachineElf
Half amused, I wonder if the odd recommendations we get on YouTube from time
to time are actually steganographs meant to distribute surveillance malware
that leverages this technique.

------
giudittapasta
Uhm, wasn't this already the case in August 2019?

------
ezekiel68
Yet another reason why the protectionist hit job on Huawei was a bad idea. My
Mate 30 Pro will not be affected by this flaw.

~~~
spoopyskelly
> My Mate 30 Pro will not be affected by this flaw

It will just keep being affected by being a bad phone.

