According to Check Point, vulnerabilities include allowing an attacker to completely take over the OS on a mobile phone by merely having the DSP process data. That sounds very similar to the StageFright vulnerability, where remote attackers could gain “root” access on a phone simply by sending an MMS to a victim and have the operating system process the video. The difference this time is that the vulnerability is in the chip doing the processing, and not in the Android operating system.

This type of vulnerability is not new, but it is the first time a vulnerability has been made public for a DSP on a mobile platform. To explain why this matters, we need to know a bit about how modern mobile phones are constructed. To save cost and battery power, there has been a trend of moving more functionality from many individual physical chips and operating system software to large specialized chips that run even when the main operating system is sleeping. These large chips are usually called an SoC, a “System-on-a-Chip”.

An example of an SoC would be the Qualcomm SnapDragon, which is likely what the Check Point Research team has analyzed. The SnapDragon SoC has functionality for communication (3G, 4G, WiFi, Bluetooth, NFC etc.), for location (GPS), for displaying graphics, taking photos and video, quickly decoding 4K video and images for display, artificial intelligence and much more. Among this list is a digital signal processor (DSP), which quickly can transform data - e.g. to display a video file on a display in a very efficient manner - and this is where Check Point found the vulnerability.

That the SoC now has so much functionality makes it a possible target for attackers, where the target is not the operating system but the microcode and firmware which runs in the “background” on the chips themselves. This microcode and firmware is usually put on the chip before the chip leaves the factory, and it might not always be possible to update. And, to make the problem worse, this is a type of program code that usually has full access to the entire system.

If we take a look at an overview of one of Qualcomm’s mobile platforms, there are actually a lot of features which might have similar security issues, all of which has a potential to be exploited either remotely with no user interaction, or by the user visiting a web page:

• Graphical processors have had similar issues in the past, e.g. this NVIDIA problem, where, in theory, visiting a fancy shadertoy would infect your computer through a vulnerability in the graphical processor itself.
• The 4G and 3G modems implement a relatively obscure and complicated specification, and they likely have similar issues, where a fake base station can be used to exploit vulnerabilities in the modem. (This is an excellent example of how many 4G modules can be hacked)
• GPS and location services are also not untouchable: There have been hints that there are severe vulnerabilities in location services that can be used to execute code based on faking location data received through GPS.
• WiFi and Bluetooth have had issues as well, as I’ve discussed before.
• NFC, which is used for “touch” payments, has its own set of issues; the assumption that users touch the NFC tag on purpose might not always be true. NFC can be used to open a web page by touching the phone to an “NFC tag”, which can be made relatively cheaply. Put some of these tags under the tables at your local fast food place, and you can have phones visiting your URL every day. There have even been vulnerabilities where users could be tricked into installing unverified apps through an NFC touch.
• Even charging is not safe. Just a few weeks ago Tencent revealed a major quick-charge vulnerability - in the worst-case scenario the firmware controlling charging can be modified, making your phone burst into flame when fast charging.

Sufficiently to say, there is a long list of similar security issues. An underlying problem appears to be the reason for this; when writing the firmware or microcode running on these platforms security has traditionally not been taken too seriously. With operating systems, there has been a long struggle to keep normal users from getting superuser access. At the same time, the assumption with SoCs seems to have been that “oh, since you look like a Bluetooth device I’m sure you follow the Bluetooth guidelines, so then you must be safe”.

If there is one ray of hope, it is that this type of attacks is not trivial to research, which makes it usually the domain of government agencies with near-unlimited resources. But, once the vulnerabilities get known, that cost can quickly go down. This is why we at Okay simply assume that if your phone is not already compromised with malware, it will be – maybe not today, but certainly in the near future.