back to article What happens when holes perfect for spyware are found in the engine room of millions of Qualcomm-based phones? Let's find out

In July, the makers of millions of smartphones powered by Qualcomm's Snapdragon system-on-chips received mitigation recommendations to address a bevy of security flaws in their products, all introduced by Qualcomm's technology. Those software-level vulnerabilities, which apparently affect potentially more than 40 per cent of …

  1. Anonymous Coward
    Big Brother

    A correction

    "What happens" should read "What has happened."

    We may never know how many backdoors the NSA and friends have already installed.

    1. logicalextreme

      Re: A correction

      Well, they're an organisation like any other; they probably wouldn't be able to tell you the number themselves.

      1. sev.monster Silver badge
        Paris Hilton

        Re: A correction

        A disorganization?

  2. Just A Quick Comment
    FAIL

    Why do us customers bother?

    More bloody security issues - don't people have procedures in place to catch this sort of thing?

    Plus, considering the piecemeal Android updates (often, none at all) these vulnerabilities will last the life of the product. It's like footballers in an Aberdeen bar all over again...!

    1. Snake Silver badge

      Re: Why do us customers bother?

      Remember a while ago (last month...) when, after Intel posted yet more security updates, it was claimed that ARM "is more secure and never have these problems"...

      Yeah -_-

      There will ALWAYS be insecurity. Why? The inherent complexities of the designs plus human frailty. We simple can't foresee every mode of operation on the complex computational devices that we can currently design; our automated tools to ferret out bugs are only as good as the very people who make them, who's common mindset are shared with the designers of the very products tested.

      1. Stuart Castle Silver badge

        Re: Why do us customers bother?

        Re :"Remember a while ago (last month...) when, after Intel posted yet more security updates, it was claimed that ARM "is more secure and never have these problems"..."

        While I don't doubt at all the ARM processors have vulnerabilities, this story is about vulns in Qualcomm tech. No evidence they are in the core ARM designs.

        That said, I have learned over the years to assume ANY computing device is hackable, but by patching known vulns, and using decent security elsewhere (including security software and securing things like passwords), you can reduce the chances your device(s) will be hacked massively.

        On a final note, regarding security, my old Software Engineering Management lecturer liked to use the following phrase to describe the issue: "Features, Ease of Use, Security: Pick two"/

      2. John Brown (no body) Silver badge

        Re: Why do us customers bother?

        "Remember a while ago (last month...) when, after Intel posted yet more security updates, it was claimed that ARM "is more secure and never have these problems"..."

        When did ARM become responsible for Qualcom Snapdragon chippery?

        1. doublelayer Silver badge

          Re: Why do us customers bother?

          It didn't, but nor is the AMD64 architecture responsible for Intel's many failings. It's not the architecture, but the design. I believe the original post here is responding to comments of the type praising the benefits of ARM when Intel security vulnerabilities are discovered. Those comments, while technically correct in the sense that ARM is not the same as Intel, are making two large mistakes. First, they make an apples-to-oranges comparison between Intel's design and ARM's architecture. Second, they ignore the possibility that an ARM manufacturer might do a similar thing. I interpreted the original post as pointing out these errors and cautioning the writers of such comments that nothing is foolproof.

      3. Duncan Macdonald

        Re: Why do us customers bother?

        ARM CPUs seem to be more secure than Intel (admittedly not a difficult target). The DSP is an additional device in the SoC - and even there the problem does not seem to be in the hardware but in the poorly coded Qualcomm driver. Even a perfectly secure bit of hardware can be compromised by a faulty driver.

        One thing that all too few companies realise is that it takes a different skill set to write low level software (OS and drivers) than to write application level code. Bugs in applications are far more easily patched and normally only affect the user of the application whereas OS and driver bugs affect every user of the device and are more difficult to patch. Because competent low level programmers are scarce and cost more than an Indian sweatshop programmer many companies do not use them resulting in problems like this.

        (For a good example of the difference between good OS code and typical applications - look at the RSX-11 source code (available on the web) and the source of an application like GIMP.)

      4. SuperGeek

        Re: Why do us customers bother?

        Exactly. The more complex the system, the more points of failure that are introduced :(

    2. chuckufarley Silver badge

      Re: Why do us customers bother?

      Perhaps it is because we, as a collective species, have all the intellectual prowess of a box of rocks. Most people are actually smart and some are even brilliant. However as a group we have...issues.

      1. Mark192

        Re: Why do us customers bother?

        Chuckufarley said"

        "Most people are actually smart"

        This is not true :-/

        1. Anonymous Coward
          Anonymous Coward

          Re: Why do us customers bother?

          But it does make us feel better to think so.

          And I think it's one of the basic tenets of humanism.

        2. chuckufarley Silver badge

          Re: Why do us customers bother?

          RE: "This is not true :-/"

          https://xkcd.com/610/

        3. Anonymous Coward
          Anonymous Coward

          This is not true :-/

          You beat me to it, by 2 days, lol

      2. Anonymous Coward
        Boffin

        Re: Why do us customers bother?

        In the immortal words of George Carlin:

        “Think of how stupid the average person is, and realize half of them are stupider than that.”

        1. J. Cook Silver badge
          Black Helicopters

          Re: Why do us customers bother?

          And Agent Kay's comment in Men in Black:

          "A person is smart. People are dumb, panicky dangerous animals and you know it."

    3. John Brown (no body) Silver badge

      Re: Why do us customers bother?

      "these vulnerabilities will last the life of the product."

      So, that would be an inherent manufacturing defect which the manufacturer or retailer is directly responsible for under the terms of the guarantee, yes? After all, if software/firmware is designed and "built" by engineers, then it's an "engineering" issue.

  3. Anonymous Coward
    Anonymous Coward

    "We have no evidence it is currently being exploited."

    Because obviously the first thing anyone exploting it does, is send a registered letter to Qualcomms headquarters informing them that they're using their dodgy DSP to install rootkits.

    1. chuckufarley Silver badge

      Because obviously...

      ...I needed the Internet to tell me how I was doing it wrong. Again. OK, so no more legal expenses to get notarized documents. That must be how the Ransomware Gangs cut costs so effectively.

    2. Anonymous Coward
      Anonymous Coward

      They have no evidence because they aren't looking for it. 4d thinking that.

  4. chuckufarley Silver badge

    We don't need...

    ...No stinking patches!

    We need long term support for the affected devices before someone will even be bothered to think about writing the stinking patches!

    1. DS999 Silver badge

      Re: We don't need...

      You'd be better off with no patches. If these guys are the only ones who have found these holes, or at least the only non state level actor who has, producing patches will only make it easy for bad guys the world over to find the holes by looking at what was fixed.

      Since most vulnerable phones will never see patches because the OEM stopped caring as soon as they replaced it with a newer model, that's a big problem since these are apparently worse than a root hole - the DSP exploits give you control over the whole device, including the baseband. This is the sort of hole that lets you turn it into a spy device that silently listens and relays a conversation, with no visible indication.

      1. Anonymous Coward
        Stop

        Re: We don't need...

        You'd be better off with no patches. If these guys are the only ones who have found these holes, or at least the only non state level actor who has, producing patches will only make it easy for bad guys the world over to find the holes by looking at what was fixed.

        This is security through obscurity. You don't know who else have found the bugs. Or will do, now they know where to look for them.

        You are also writing off "state actors" as if they are somehow harmless or inevitable. These can certainly to get access to some people's phones with some effort, but they don't actually have infinite resources or a magic wand, so there is a massive benefit in making it as hard as possible for them.

        1. DS999 Silver badge

          Re: We don't need...

          State actors aren't harmless but they are inevitable. There's no way to fix enough bugs that they can't find any.

          1. vtcodger Silver badge

            Re: We don't need...

            State actors aren't harmless but they are inevitable. There's no way to fix enough bugs that they can't find any.

            Aside from which, state actors doubtless have considerable access to the world wide digital infrastructure, and I suspect its hardware and software are probably just as bug-ridden as the endpoint software and hardware we are familiar with. Bottom line. Today, and for the foreseeable future, you can be connected or you can be secure.-- pick (at most) one.

          2. Anonymous Coward
            Happy

            Re: We don't need...

            State actors aren't harmless but they are inevitable. There's no way to fix enough bugs that they can't find any.

            I am not sure that is true - there is a finite number of exploitable bugs and the attack surface can be minimized by limiting the number of apps installed. Not all security bugs are exploitable. I doubt each agency has a hundred billion waiting unused exploits waiting to be used, because if that was so there wouldn't be a market in these sort of exploits.

            And each exploit costs them time and money and - because bugs get fixed - have a finite life. If you stop patching bugs then their hacks would never stop working and they never have to look for new ones.

            1. DS999 Silver badge

              Re: We don't need...

              If you stop patching bugs then their hacks would never stop working and they never have to look for new ones

              That's already the situation for Android for all intents and purposes, since they can get into any phone more than a year or two old that is no longer receiving patches.

              My comment about being "better off not patching" was sort of tongue in cheek, but it will be very bad for owners of older/cheaper devices that won't ever see the patches when they come out because of the severity of this class of exploits. Full control of the device, with no user interaction required - they just have to happen to visit a web site with a malicious video. Which can be almost ANY web site, since it could be encoded into a video ad.

            2. stiine Silver badge

              Re: We don't need...

              Oh, you naive child, Smooth Newt.

              1. Anonymous Coward
                Happy

                Re: We don't need...

                Oh, you naive child, Smooth Newt.

                The difficult problem is not that it would be possible to eliminate all exploitable security weaknesses in some large piece code, which is clearly just a matter of resources and priorities, but to know when the job is done - i.e. that they have actually been eliminated to the exclusion of the NSA and its competitors.

                Perhaps quantum cryptography will eventually provide a solution of sorts, in a scenario ex-filtrating data will inevitably modify it in a detectable manner.

  5. heyrick Silver badge

    and make appropriate mitigations available to OEMs

    And exactly how much of that is going to end up on actual people's actual devices?

    1. bombastic bob Silver badge
      Meh

      Re: and make appropriate mitigations available to OEMs

      "And exactly how much of that is going to end up on actual people's actual devices?"

      it would depend on a LOT of "if's I think.

      a) IF your phone maker is good at servicing and updating EXISTING customers with otherwise "legacy" devices,

      b) IF your phone service provider provided the phone as well, and put their OWN stuff on it [and preclude the manufacturer updates from accidentally messing with it], THEY also have software updates available for "legacy" devices.

      c) IF the phone's effective 'end of life' has not been reached [regardless of whether or not it still works]

      and so on. 'IF'fy for sure.

      I have this older (cheap) slab I use for 'droid development and portable e-mail access, things like that. I don't think it has a snapdragon processor on it, though. But I haven't seen any updates for that one for YEARS. Still works for what I want.

      1. Anonymous Coward
        Anonymous Coward

        Re: and make appropriate mitigations available to OEMs

        Giff-Gaff started having ads pushing the benefits of second-hand mobes just when Which(?) brought out a report that millions of old phones are vulnerable to unpatched security holes...

        Music Magpie must have had wind of this report and recently started pushing their recycled phones!

  6. _LC_
    Holmes

    When looking for a new SmartPhone ...

    When looking for a new SmartPhone or Tablet, the first thing I do is tick everything BUT Snapdragon under CHIPSET:

    https://www.gsmarena.com/search.php3?

    Qualcomm has long been known for being a nightmare of bugs/backdoors that always lead to full root exploit. Anybody controlling the network (you can buy a “network simulator” for < $200 these days) can drop in via the “bugs” in their driver BLOBs.

    As Exynos is dead (with Samsung switching over to Qualcomm), this only leaves Helio (MediaTek) and Kirin (Huawei). Oddly, you also get a better product for your money this way. ;-)

    1. katrinab Silver badge
      Gimp

      Re: When looking for a new SmartPhone ...

      And Apple's A-Series of chips ...

      1. Charlie Clark Silver badge
        Stop

        Re: When looking for a new SmartPhone ...

        Why do you assume that Apple can program DSPs better than Qualcomm? Just because it keeps the silcion pretty well locked down by the OS, doesn't mean the microcode isn't buggy. Or have IOS exploits all dried up?

        1. Anonymous Coward
          Anonymous Coward

          Re: When looking for a new SmartPhone ...

          No one is assuming anything. They’re just pointing out another option.

          1. _LC_

            Re: When looking for a new SmartPhone ...

            Not really, as they are not running Android. This would be another infrastructure. Where on Android you get most stuff free, you will find that Apple makes you pay. Where on Android the restrictions are annoying and often enough counterproductive - with Apple you get the whole corset, thumb screws included.

            Also, Apple's “security” is more of a religious thing. Check out the last BlackHat conventions. They mostly had a laugh at Apple.

            Advertisement != truth

            Apple computers and phones have never been secure by any means, despite all the efforts to make them appear(!) that way. ;-)

    2. big_D

      Re: When looking for a new SmartPhone ...

      And Kirin supplies will dry up next month as the US sanctions hit its supply chain.

      I'm glad I have an Exynos powered smartphone, and my previous 2 were Kirin powered.

      Not sure what I'll be using going forward.

      1. _LC_
        Thumb Up

        Re: When looking for a new SmartPhone ...

        I wouldn't worry too much. Huawei is already selling SmartPhones with MediaTek chipsets. The percentage of those has been rapidly increasing.

        On the downside, the processors are slightly less performant. This is hardly an issue to most people, though, considering that they are more than fast enough for everyday's work.

        On the upside, Huawei's MediaTek phones offer more for the money. Whereas Huawei has been restricting 4k video to its high-end line and cutting away the SD-slots, MediaTek offers it all. ;-)

        Their new Chip is called "Dimensity 1000+" and it doesn't have to hide:

        https://www.notebookcheck.net/Snapdragon-865-vs-Dimensity-1000-Qualcomm-s-chip-heads-AnTuTu-s-Android-SoC-performance-chart-but-MediaTek-shows-it-can-compete-with-the-best.484475.0.html

        "Snapdragon 865 vs Dimensity 1000+: Qualcomm's chip heads AnTuTu's Android SoC performance chart but MediaTek shows it can compete with the best"

        ---

        https://www.notebookcheck.net/MediaTek-s-latest-Dimensity-1000-chip-nets-a-score-of-530-000-on-AnTuTu.465344.0.html

        "MediaTek's latest Dimensity 1000+ chip nets a score of 530,000 on AnTuTu"

        ---

        … and it's packed with everything you can think of – which is very typical for MediaTek:

        https://www.mediatek.com/products/smartphones/dimensity-1000-series

        .

        That said, I'm confident that chip-production will be picked up by a (homeland) Chinese company, eventually. They are making huge steps ahead and, as seen with Huawei, they may surpass their counterparts in little time...

  7. Anonymous Coward
    Anonymous Coward

    urged mobile device users to apply software updates when available

    well, for many me it's not when and not if, and not at all, as I happen to use "obsolete" 3yr old phone. But that's allright, because I don't use trusted sources such as google play to install every must-have app that spies on me. But then, if you're in dire need and MUST have those apps, well, I suppose you have to buy a new handset. Every two years or so. Life's so hard in 21st century.

    1. SGJ

      Re: urged mobile device users to apply software updates when available

      I'm still using a six year old iPhone 5s and it last received a security update, ios 12.4.8, in the last week. Something to bear in mind if, like me, you don't want to replace your phone every 12 to 18 months...

    2. RichardEM

      Re: urged mobile device users to apply software updates when available

      The problem with just applying updates is that many of them can be as bad as the non updated OS. What we need is some sort of third party clearing house to evaluate and certify the updates. Also ALL phone manufactures should be required to maintain security updates for at least 5 years and they should be fined the original retail value of the phone or replace for free that unsecure phone with the current, for retail sale not an older model, phone at no charge.

      I doubt that either of these proposals will happen because it will cost the manufacturers too much money.

      I realize that completely perfect devices of the complexity of smartphones is impossible but we need to give the manufacturers and the mobile services incentives to get it as close as possible.

      1. Strahd Ivarius Silver badge
        Trollface

        Re: urged mobile device users to apply software updates when available

        All updates are already certified by a 3-letters agency to ensure that they don't break the mandatory backdoors...

  8. RM Myers
    FAIL

    Technical details ... to give ... time to implement ... fixes, which will take time.

    which will take infinite time for older* phones. FTFY

    * where older could be as little as 1 year..

  9. TheInstigator

    Those pesky Chinese/Iranian/Russians!

    Once again we see the dastardly work of all those foreigners at play here - we need to immediately introduce enforced repatriations of all people who are not ethnically from the country in which they reside - or to put them into camps where they can be monitored to ensure they are good citizens.

    The above policy should only apply to 5/13 eye countries of course - all people who are from 5/13 eye countries living in countries where they are not ethnically from are - of course - completely reliable and trustworthy.

  10. Anonymous Coward
    Anonymous Coward

    New Fash.

    Operating upgrade have started coming down. Knowing android response to a critical situation (mañana) I'd love to hear the conversion between Def Con and Android/Qualcomm it may be something like this:-

    We will withhold this information for 72 hours after witch you can take a match to you empire and watch it burn.

    LoL.

  11. DenTheMan

    The cleaner did it.

    Well, he was a China man.

    CHHHHIIIIINNNNAAAAAAMMMMMAAAANN (No prize for guessing who I am imitating)

    1. Anonymous Coward
      Anonymous Coward

      Re: The cleaner did it.

      I sincerely have the suspicion that one bag of meat has 3 accounts on this forum which downvotes posts like these.

  12. ecofeco Silver badge

    Ouch!

    FFS.

  13. NonSSL-Login

    If only...

    Would love to get a Huawei P40 pro which doesn't use the American Qualcomm chip but Trump has buggered up how useful it would due to his attacks on Huawei over security depriving their phones of the play store.

    Maybe its a ploy to make us all buy Qualcomm backdoored...erm....vulnerable chipset phones that the NSA and co can have full control of, because this whole political thing is nothing about security.

    1. _LC_

      Re: If only...

      You can install the Playstore. There are instructions on how to do that out there. Huawei is not allowed to ship them with the Playstore installed. That's all.

  14. eldakka
    Paris Hilton

    Collectively, Check Point is calling its Qualcomm probe Achilles, 'cause that's a bit more memorable than a fistful of CVEs.

    That mean's it's time to send Paris in, the slayer of Achillies!

    1. Korev Silver badge
      Coat

      >That mean's it's time to send Paris in, the slayer of Achillies!

      I was hoping she heal it...

  15. big_D
    Coat

    Makes me glad...

    my last 3 smartphones didn't/don't have Qualcomm processors...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like