Qualcomm chips in 900m Android phones vulnerable to attack

News

Researchers at security firm Check Point have identified cyber vulnerabilities in 900 million Android smartphones running Qualcomm chipsets.

Check Point revealed a set of four Qualcomm bugs, called QuadRooter, at the annual hacker convention DEF CON 24 in Last Vegas.

It said hackers could gain complete control of devices and unrestricted access to personal and enterprise data via pre-installed software drivers in the Qualcomm chipsets, which control communication between chipset components.

Qualcomm-based Android devices from a wide range of leading handset brands are affected, including units from BlackBerry, HTC, LG, Motorola, OnePlus, Samsung and Sony. Even the highly-encrypted Blackphone, by Swiss digital security firm Silent Circle and dubbed “private by design”, is vulnerable, said Check Point.

The bugs can only be fixed by installing a patch from the retailer or operator. Qualcomm is yet to issue fixed driver packs to them, to enable them to issue patches in turn.

“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data,” commented Check Point.

There is no indication yet that any attacks have been carried on Android phones out via the QuadRooter flaw.

[Read more: Telefónica's ElevenPaths boosts enterprise security with Check Point partnership]

Qualcomm responded: "Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI).

"We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on CodeAurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities."

Last week, it announced Samsung’s latest high-end device, the Galaxy Note7, will be powered by its Snapdragon 820 processor.

There is no indication it is vulnerable to the QuadRooter flaw.