Qualcomm Chips' Vulnerabilities Let Hackers Steal Sensitive Data From Samsung, LG, and Motorola Phones

Aadhya Khatri - Nov 19, 2019


Qualcomm Chips' Vulnerabilities Let Hackers Steal Sensitive Data From Samsung, LG, and Motorola Phones

Qualcomm CPUs, on which most Android smartphones run, has a vulnerability that may allow bad actors stealing users' most sensitive data

Experts have found a flaw in chips manufactured by Qualcomm that may allow attackers to steal vital information.

The report revealed that Qualcomm CPUs, on which most Android smartphones run, has a vulnerability that may result in the execution of Advanced Persistent Threats, bootloader unlocking, and device rooting.

The finding was announced at Recon Montreal, a conference on computer security that focuses on advanced techniques on exploitation and reverse engineering.

Qualcomm-trusted-zone-components
Components of a Trusted Zone

After this revelation, Qualcomm has fixed all the known vulnerabilities. LG and Samsung have also issued the patches, and Motorola is reportedly working to find a fix.

According to Qualcomm, all of the flaws have been fixed, one of them back in November 2014, and another in October this year. While the company receives no report of ongoing exploitation, it still encourages users to download updates with patches provided by OEMs. It also emphasizes that one of Qualcomm’s priorities is to offer technologies to support privacy and security.

Qualcomm-LG-samsung-motorola
LG and Samsung have also issued the patches, and Motorola is reportedly working to find a fix

A few months ago, Qualcomm also patched a flaw that let hackers stealing encryption keys and private data in the secure world of the chipset.

Qualcomm’s chips always come equipped with a TEE (stand for Trusted Execution Environment), a secure area, which makes certain data and code’s integrity and confidentiality.

Qualcomm Trusted Execution Environment is built on ARM TrustZone technology, which works to protect vital data from being compromised.

The secure world also offers extra services like truslets, another word for trusted third-party components. These trustlets serves as a bridge connecting the real world where Android occupies and the Trusted Execution Environment, enabling data transferring between these worlds.

The Trusted World is where sensitive data is stored, we are talking about storage encryption keys and credit card information. It is also the last defense standing in between your data and bad actors. If it is compromised, there is stopping hackers from laying their hands on your most precious data.

Qualcomm said that if the hackers did not have the hardware keys of the device, they could not steal what QTEE stored in its trusted world. The only possibility is that these data are exposed on purpose.

Qualcomm-trusted-world
Qualcomm once said that if the hackers did not have the hardware keys of the device, they could not steal what QTEE stored in its trusted world

However, the contrary is proven by research lasting for four months. So, in reality, the TEE can be penetrated, unlike what Qualcomm announced.

To proves so, the researchers behind the finding made use of fuzzing, a method involving autonomously feeding the machine with random data to overload it and then crash it. After that, any potential flaws and errors that might allow breaches will be exposed.

The fuzzing method, in this case, aimed at Samsung’s, LG’s, and Motorola’s implementation of trustlets, or in other words, the code in charge of confirming the trustlets’ integrity, revealing several vulnerabilities along the way.

These flaws can let hackers load the secure world with patched trusted apps, run trusted apps outside of the TEE, and many more.

These attacks targeting TEEs have shown what hackers can do to steal users’ data. However, for now, we have not had any evidence of these flaws being used in real life. However, it does not mean we should let our guard down as TEEs are so promising a target that hackers cannot afford to ignore.

Any attempt to attack the TrustZone may allow bad actors to gain access to the most sensitive data stored on a smartphone or tablet, which can have a devastating effect on users’ life.

Tags

Comments

Sort by Newest | Popular

Next Story

Read more

Xiaomi Mi Notebook Launch Date In India - All We Know So Far

ICT News- Jun 05, 2020

Xiaomi Mi Notebook Launch Date In India - All We Know So Far

The Mi Notebook lineup will hit the Indian market on June 11st, and let’s see which have made it receive tons of favorable reviews all over the world. 

Realme 5 Pro Vs Realme XT: Which One Should You Buy?

Review- Jun 05, 2020

Realme 5 Pro Vs Realme XT: Which One Should You Buy?

Realme 5 Pro Vs Realme XT: Here is our comparison to help you make a decision between these two handsets

Kerala To Track The One Behind The Pregnant Elephant’s Tragic Death

Features- Jun 05, 2020

Kerala To Track The One Behind The Pregnant Elephant’s Tragic Death

After the tragic death of a pregnant elephant, the Kerala Forest Department has launched a manhunt for the mastermind behind this horrendous event.

How To Change Honor Band 5 Watch Face

Gadgets- Jun 05, 2020

How To Change Honor Band 5 Watch Face

If you’ve already owned an Honor Band 5, it’s very easy to change your current watch face based on your needs.

Android 11 Features: Best New Features From Android 11 Beta

ICT News- Jun 06, 2020

Android 11 Features: Best New Features From Android 11 Beta

Google has postponed its Android 11 Beta Show due to the current situation. But it released the beta earlier than expected and here are Android 11 features.

Top 15 Pocket Games For Indian Gamer, No Download Required!

Mobile- Jun 04, 2020

Top 15 Pocket Games For Indian Gamer, No Download Required!

These games are totally free and most of them also can be really fun to play with.