Qualcomm Chips' Vulnerabilities Let Hackers Steal Sensitive Data From Samsung, LG, and Motorola Phones

Aadhya Khatri - Nov 19, 2019



Qualcomm CPUs, on which most Android smartphones run, have a vulnerability that may allow bad actors to steal users' most sensitive data.

Experts have found a flaw in chips manufactured by Qualcomm that may allow attackers to steal vital information.

The report revealed that Qualcomm CPUs, on which most Android smartphones run, have a vulnerability that may result in the execution of Advanced Persistent Threats, bootloader unlocking, and device rooting.

The finding was announced at Recon Montreal, a computer security conference that focuses on advanced exploitation and reverse engineering techniques.

Figure: Components of a Trusted Zone

Following this revelation, Qualcomm fixed all the known vulnerabilities. LG and Samsung have also issued patches, and Motorola is reportedly working on a fix.

According to Qualcomm, all of the flaws have been fixed, one of them back in November 2014 and another in October this year. While the company has received no reports of ongoing exploitation, it still encourages users to install the patched updates provided by OEMs. It also emphasizes that offering technologies that support privacy and security is one of Qualcomm’s priorities.


A few months ago, Qualcomm also patched a flaw that let hackers steal encryption keys and private data from the secure world of the chipset.

Qualcomm’s chips always come equipped with a TEE (Trusted Execution Environment), a secure area that ensures the integrity and confidentiality of certain data and code.

Qualcomm Trusted Execution Environment is built on ARM TrustZone technology, which works to protect vital data from being compromised.

The secure world also offers extra services such as trustlets, another word for trusted third-party components. These trustlets serve as a bridge between the normal world, where Android runs, and the Trusted Execution Environment, enabling data to be transferred between the two worlds.

The Trusted World is where sensitive data is stored, such as storage encryption keys and credit card information. It is also the last line of defense between your data and bad actors. If it is compromised, there is nothing stopping hackers from laying their hands on your most precious data.

Qualcomm said that if the hackers did not have the hardware keys of the device, they could not steal what QTEE stored in its trusted world. The only possibility is that these data are exposed on purpose.


However, four months of research proved the contrary. In reality, the TEE can be penetrated, unlike what Qualcomm announced.

To prove this, the researchers behind the finding used fuzzing, a method that automatically feeds a program random data in order to overload and crash it. The crashes then expose potential flaws and errors that might allow breaches.

In this case, the fuzzing targeted Samsung’s, LG’s, and Motorola’s implementations of trustlets, or in other words, the code in charge of confirming the trustlets’ integrity, and revealed several vulnerabilities along the way.

These flaws can let hackers load patched trusted apps into the secure world, run trusted apps outside of the TEE, and more.
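The fuzzing approach described above can be applied defensively: a mutation fuzzer is run against an image-integrity check to confirm that no modified image is ever accepted. This is an added example, not code from the researchers or any vendor. The image layout, `KEY`, `build`, `verify`, `fuzz` and the deliberately weakened `check_bodies=False` mode are constructed for illustration and do not describe the reported flaws; an HMAC stands in for a vendor signature.

```python
import hashlib, hmac, random

MAGIC, TAG, KEY = b"TLET", 32, b"demo-key"  # constructed toy format and key

def build(segments, key):
    """magic | count | (len16, sha256) per segment | HMAC tag | bodies."""
    hdr = MAGIC + bytes([len(segments)])
    for s in segments:
        hdr += len(s).to_bytes(2, "big") + hashlib.sha256(s).digest()
    return hdr + hmac.new(key, hdr, hashlib.sha256).digest() + b"".join(segments)

def verify(image, key, check_bodies=True):
    """Return the segments, or raise ValueError if the image is not authentic."""
    if len(image) < 5 or image[:4] != MAGIC:
        raise ValueError("bad magic")
    end = 5 + 34 * image[4]  # header ends after the per-segment table
    tag = hmac.new(key, image[:end], hashlib.sha256).digest()
    if len(image) < end + TAG or not hmac.compare_digest(tag, image[end:end + TAG]):
        raise ValueError("header not authentic")
    out, pos = [], end + TAG
    for off in range(5, end, 34):
        size = int.from_bytes(image[off:off + 2], "big")
        body = image[pos:pos + size]
        if check_bodies and hashlib.sha256(body).digest() != image[off + 2:off + 34]:
            raise ValueError("segment hash mismatch")
        out.append(body)
        pos += size
    if pos != len(image):
        raise ValueError("image length does not match header")
    return out

def fuzz(image, key, rounds=2000, seed=1, **opts):
    """Mutate a valid image; count mutants the verifier rejects or accepts."""
    rng, stats = random.Random(seed), {"rejected": 0, "accepted": 0}
    for _ in range(rounds):
        m, op = bytearray(image), rng.randrange(3)
        if op == 0:
            m[rng.randrange(len(m))] ^= rng.randrange(1, 256)  # corrupt one byte
        elif op == 1:
            del m[rng.randrange(len(m)):]  # truncate by at least one byte
        else:
            m += bytes([rng.randrange(256)])  # append a trailing byte
        try:  # any exception other than ValueError propagates as a crash finding
            verify(bytes(m), key, **opts)
            stats["accepted"] += 1  # a modified image loaded: integrity bug
        except ValueError:
            stats["rejected"] += 1
    return stats

IMAGE = build([b"code" * 64, b"data" * 16], KEY)  # constructed sample image
```

With the full check, `fuzz(IMAGE, KEY)` reports no accepted mutants. With `check_bodies=False` it reports many, which is the signal a fuzzing campaign against an integrity verifier looks for.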

These attacks on TEEs show what hackers can do to steal users’ data. For now, there is no evidence of these flaws being used in real life. That does not mean we should let our guard down, as TEEs are too promising a target for hackers to ignore.

An attack on the TrustZone may allow bad actors to gain access to the most sensitive data stored on a smartphone or tablet, which can have a devastating effect on users’ lives.
