Check Point Research reported finding more than 400 bugs in the code used to control the Digital Signal Processing (DSP) cores in Qualcomm's Snapdragon chip families.



According to Check Point's Slava Makkaveev, who spoke of this vulnerabilities at DEF CON [2], the flaws are linked to Qualcomm's Hexagon SDK, which is used to program the DSP engines to perform tasks:

In this research dubbed “Achilles” we performed an extensive security review of a DSP chip from one of the leading manufacturers: Qualcomm Technologies. Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from GoogleSamsungLGXiaomiOnePlus and more.



Technically [1], Qualcomm's code-signature checks can be bypassed, allowing execution of arbitrary instructions on the DSP and, from that position, gain control of the whole device:

  • Attackers can turn the phone into a perfect spying tool, without any user interaction required – The information that can be exfiltrated from the phone include photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
  • Attackers may be able to render the mobile phone constantly unresponsive – Making all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.
  • Malware and other malicious code can completely hide their activities and become un-removable. 

We disclosed these findings with Qualcomm, who acknowledged them, notified the relevant device vendors and assigned them with the following CVE’s : CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209

References

  1. Achilles: Small chip, big peril. - CheckPoint
  2. Pwn2Own Qualcomm Compute DSP for Fun and Profit - DEFCON Live Q&A Sessions