Achilles: Small chip, big peril.

Over 400 vulnerabilities on Qualcomm’s Snapdragon chip threaten mobile phones’ usability worldwide

With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives.

As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide the required hardware and software for phones. One of the most common third-party solutions is the Digital Signal Processor unit, commonly known as DSP chips.

In this research dubbed “Achilles” we performed an extensive security review of a DSP chip from one of the leading manufacturers: Qualcomm Technologies. Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.

More than 400 vulnerable pieces of code were found within the DSP chip we tested, and these vulnerabilities could have the following impact on users of phones with the affected chip:

• Attackers can turn the phone into a perfect spying tool, without any user interaction required – The information that can be exfiltrated from the phone include photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
• Attackers may be able to render the mobile phone constantly unresponsive – Making all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.
• Malware and other malicious code can completely hide their activities and become un-removable.

We disclosed these findings with Qualcomm, who acknowledged them, notified the relevant device vendors and assigned them with the following CVE’s : CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

To learn more about the Achilles vulnerability, how it impacts your organization, and how you can defend against it, we invite you to join our webinar on August 13: AMERICA session or EMEA session.

Important note

Check Point Research decided not to publish the full technical details of these vulnerabilities until mobile vendors have a comprehensive solution to mitigate the possible risks described.

However, we decided to publish this blog to raise the awareness to these issues. We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer. The full research details were revealed to these stakeholders.

Check Point Research is committed to making technology and products around the world safer and will cooperate with any security vendor that requests for a collaboration. In a proactive move, we have also offered organizations that could have been affected by these risks 20 free SandBlast Mobile licenses for their management mobile devices to protect and prevent any potential damage in the upcoming 3 months from the publication of this research.

What is a DSP anyway?

A DSP (Digital Signal Processor) is a system on a chip that has hardware and software designed to optimize and enable each area of use on the device itself, including:

• Charging abilities (such as “quick charge” features)
• Multimedia experiences e.g. video, HD Capture, advanced AR abilities
• Various Audio features

Simply put, a DSP is a complete computer on a single chip – and almost any modern phone includes at least one of these chips.

A single SoC (Software on Chip) may include features to enable daily mobile usage such as image processing, computer vision, neural network-related calculations, camera streaming, audio and voice data. Additionally vendors can optionally use these “mini computers” to insert their own functionality that will run as dedicated applications on top of the existing framework.

A new attack vector

While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features– they do come with a cost. These chips introduce new attack surface and weak points to these mobile devices. DSP chips are much more vulnerable to risks as they are being managed as “Black Boxes” since it can be very complex for anyone other than their manufacturer to review their design, functionality or code.

What did we do?

Check Point Research believes such an ecosystem may be a fertile ground for critical vulnerabilities that might have severe impact on millions of people around the world, and that fixing them requires a long chain of communication between many vendors, manufacturers and resellers. For this reason, we decided to review and perform a deep dive on the security posture of one of the most common chips available today – Qualcomm’s Snapdragon.

Due to the “Black Box” nature of the DSP chips it is very challenging for the mobile vendors to fix these issues, as they need to be first addressed by the chip manufacturer. Using our research methodologies and state-of-the-art fuzz testing technologies, we were able to overcome these issues – gaining us with a rare insight into the internals of the tested DSP chip. This allowed us to effectively review the chip’s security controls and identify its weak points.

We hope this research will help build a better and more secure environments for the DSP chip ecosystem, as well as provide the necessary knowledge and tools for the security community to preform regular security reviews for these chips in order to strengthen the security of mobile devices.

To learn more about this research watch our presentation at the DEFCON virtual conference.

We strongly recommend organizations protect their corporate data on their mobile devices by using mobile security solutions. SandBlast Mobile provides real-time threat intelligence and visibility into the mobile threats that could affect businesses, and provides complete protection against the risks detailed in this blog, associated with the Quallcomm vulnerabilities.

To learn more about the Achilles vulnerability, how it impacts your organization, and how you can defend against it, we invite you to join our webinar on August 13: AMERICA session or EMEA session.