Qualcomm Chips' Vulnerabilities Let Hackers Steal Sensitive Data From Samsung, LG, and Motorola Phones

Aadhya Khatri - Nov 19, 2019


Qualcomm Chips' Vulnerabilities Let Hackers Steal Sensitive Data From Samsung, LG, and Motorola Phones

Qualcomm CPUs, on which most Android smartphones run, has a vulnerability that may allow bad actors stealing users' most sensitive data

Experts have found a flaw in chips manufactured by Qualcomm that may allow attackers to steal vital information.

The report revealed that Qualcomm CPUs, on which most Android smartphones run, has a vulnerability that may result in the execution of Advanced Persistent Threats, bootloader unlocking, and device rooting.

The finding was announced at Recon Montreal, a conference on computer security that focuses on advanced techniques on exploitation and reverse engineering.

Qualcomm-trusted-zone-components
Components of a Trusted Zone

After this revelation, Qualcomm has fixed all the known vulnerabilities. LG and Samsung have also issued the patches, and Motorola is reportedly working to find a fix.

According to Qualcomm, all of the flaws have been fixed, one of them back in November 2014, and another in October this year. While the company receives no report of ongoing exploitation, it still encourages users to download updates with patches provided by OEMs. It also emphasizes that one of Qualcomm’s priorities is to offer technologies to support privacy and security.

Qualcomm-LG-samsung-motorola
LG and Samsung have also issued the patches, and Motorola is reportedly working to find a fix

A few months ago, Qualcomm also patched a flaw that let hackers stealing encryption keys and private data in the secure world of the chipset.

Qualcomm’s chips always come equipped with a TEE (stand for Trusted Execution Environment), a secure area, which makes certain data and code’s integrity and confidentiality.

Qualcomm Trusted Execution Environment is built on ARM TrustZone technology, which works to protect vital data from being compromised.

The secure world also offers extra services like truslets, another word for trusted third-party components. These trustlets serves as a bridge connecting the real world where Android occupies and the Trusted Execution Environment, enabling data transferring between these worlds.

The Trusted World is where sensitive data is stored, we are talking about storage encryption keys and credit card information. It is also the last defense standing in between your data and bad actors. If it is compromised, there is stopping hackers from laying their hands on your most precious data.

Qualcomm said that if the hackers did not have the hardware keys of the device, they could not steal what QTEE stored in its trusted world. The only possibility is that these data are exposed on purpose.

Qualcomm-trusted-world
Qualcomm once said that if the hackers did not have the hardware keys of the device, they could not steal what QTEE stored in its trusted world

However, the contrary is proven by research lasting for four months. So, in reality, the TEE can be penetrated, unlike what Qualcomm announced.

To proves so, the researchers behind the finding made use of fuzzing, a method involving autonomously feeding the machine with random data to overload it and then crash it. After that, any potential flaws and errors that might allow breaches will be exposed.

The fuzzing method, in this case, aimed at Samsung’s, LG’s, and Motorola’s implementation of trustlets, or in other words, the code in charge of confirming the trustlets’ integrity, revealing several vulnerabilities along the way.

These flaws can let hackers load the secure world with patched trusted apps, run trusted apps outside of the TEE, and many more.

These attacks targeting TEEs have shown what hackers can do to steal users’ data. However, for now, we have not had any evidence of these flaws being used in real life. However, it does not mean we should let our guard down as TEEs are so promising a target that hackers cannot afford to ignore.

Any attempt to attack the TrustZone may allow bad actors to gain access to the most sensitive data stored on a smartphone or tablet, which can have a devastating effect on users’ life.

Tags

Comments

Sort by Newest | Popular

Next Story

Read more

Motorola One Hyper With 32MP Pop-Up Camera & 45W HyperCharge Launched

Mobile- Dec 06, 2019

Motorola One Hyper With 32MP Pop-Up Camera & 45W HyperCharge Launched

Motorola One Hyper arrives with a Snapdragon 675 SoC, 32MP pop-up selfie camera, 4,000 mAh battery that supports the 45W HyperCharge solution.

Mini Electric Motorcycle Made Using Recycled Materials Is Coming To India

Features- Dec 04, 2019

Mini Electric Motorcycle Made Using Recycled Materials Is Coming To India

NKD electric motorbikes, with an entry-level price point, can potentially replace those inefficient electric two-wheelers.

Amazon Announces Its Quantum Computing Platform As Its First Step Into The Quantum Computing World

ICT News- Dec 03, 2019

Amazon Announces Its Quantum Computing Platform As Its First Step Into The Quantum Computing World

With Braket, researchers will be able to build quantum computing algorithms, as well as test and run them on quantum devices as well as their simulations.

Sony To Launch New Xperia Compact With 5.5-Inch 20:9 Display & Snapdragon 665

Mobile- Dec 04, 2019

Sony To Launch New Xperia Compact With 5.5-Inch 20:9 Display & Snapdragon 665

After a long period of staying silent, Sony is tipped to revive its Xperia Compact, though it will carry mid-range hardware specs only.

India Received The Fifth Most Spam Calls In The World In 2019, 23% More Than Last Year

Features- Dec 04, 2019

India Received The Fifth Most Spam Calls In The World In 2019, 23% More Than Last Year

In India, the subscriber base has increased from 1 million to over 1 billion within 20 years with over 80% of spam calls from telemarketers and telecos.

Man Uses Mashed Potatoes To Carve A Tesla’s Cybertruck

Features- Dec 05, 2019

Man Uses Mashed Potatoes To Carve A Tesla’s Cybertruck

This Twitter user, uploaded a video of his brother using mashed potatoes to carve a Tesla’s Cybertruck. Soon after, the video went viral on the Internet.