Qualcomm Firmware Vulnerabilities Expose 900 Million Devices, Including Security-Focused Smartphones (Updated)

Security firm Check Point Software Technologies unveiled the second major set of Android vulnerabilities after “Stagefright” to affect the majority of Android devices.

The company uncovered a set of four vulnerabilities, called “QuadRooter,” which impacts all devices that are powered by Qualcomm chipsets. According to Check Point, any one of the four vulnerabilities allows an attacker to escalate privileges on Android devices and gain root access.

Check Point named some of the more popular devices affected by these vulnerabilities, including some devices that are more “security-focused:”

BlackBerry PrivBlackphone 1 and Blackphone 2Google Nexus 5X, Nexus 6 and Nexus 6PHTC One, HTC M9 and HTC 10LG G4, LG G5, and LG V10New Moto X by MotorolaOnePlus One, OnePlus 2 and OnePlus 3Samsung Galaxy S7 and Samsung S7 EdgeSony Xperia Z Ultra

The security firm said that a malicious app could take advantage of these vulnerabilities without any special permissions being required. This means users wouldn’t suspect a thing when installing one of these malicious apps, as they would just consider them to be normal apps.

The vulnerabilities that are being exploited by these apps are inside of Qualcomm’s chipset firmware, so any device using Qualcomm chips is exposed to attacks. Qualcomm’s baseband firmware as well as the baseband firmware of other modem makers has long been considered a potential attack vector, even for security-focused devices such as the Blackphone, BlackBerry Priv, and even Google’s own Nexus smartphones. The baseband firmware has access to parts of the Android operating system that other components wouldn’t normally have, which means any vulnerability in the baseband firmware could give an attacker full control over the OS.

Check Point researchers remind us that Android’s biggest security flaw is in the way the operating system is patched. When a vulnerability is found, it has to go through the entire supply chain before it reaches users. The update has to first be delivered by Qualcomm to a manufacturer such as HTC. Then, it may have to go through carriers before it finally reaches users. However, for most devices, that update either doesn’t arrive in a timely manner, or it doesn't land at all.

The QuadRooter vulnerabilities can provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio. Google may soon be able to offer some protection through its “Verify Apps” anti-malware service, but until then Check Point has a QuadRooter Scanner app available to verify if your device is still vulnerable.

Updated, 8/09/2016, 10:45pm PT: Qualcomm contacted Tom's Hardware with an official statement about this issue, saying it has already released a patch, which has already been published on CodeAurora. However, it will now still be up to smartphone makers and carriers to deliver this update to users, which likely won't happen for the majority of the affected devices.

"Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI)," said Qualcomm in an official statement. "We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on CodeAurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities," the company added.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • targetdrone
    If the S7 is affected so too is the $850+ Note 7.
    Reply
  • elho_cid
    Windows 10 Mobile and chill :)
    Reply
  • turkey3_scratch
    This is why I don't do anything important on my phone anyway. They can see my Pokemon Going all they want for all I care :lol:
    Reply
  • We keep hearing about these "massive vulnerabilities", but I've yet to see any actual real case exploit. Same thing with stagefright, and all those other "theoretical" problems.
    Reply
  • kenjitamura
    18410690 said:
    We keep hearing about these "massive vulnerabilities", but I've yet to see any actual real case exploit. Same thing with stagefright, and all those other "theoretical" problems.

    Google was probably also informed of the exploit at the same time as Qualcomm and started screening for applications that exploit the bugs before allowing them on the play store. So as long as people only get their apps from the play store they'd never be exposed to this problem. The only people that could have been affected by this are the ones that manually download apps off the internet and select "allow installation of unofficial apps" in the security settings of their Android phone.
    Reply
  • Hydrotricithline
    Is there anyway an end user and patch their phone, being a coding idiot myself. I own a oneplus two .. with 4 vulnerabilities including these ones.. or do we just sit and hope the carriers eventually pass us the patch?
    Reply
  • scook9
    18410690 said:
    We keep hearing about these "massive vulnerabilities", but I've yet to see any actual real case exploit. Same thing with stagefright, and all those other "theoretical" problems.

    In the article they mentioned that Qualcomm (and likely Google) were notified this spring, about 4-5 months ago. It is a safe bet that the monthly security update from google immediately following the notification included patches to fix the problem as well as updates to the AOSP base as well reflecting the patches. What the other manufacturers do from there though is not up to Google. Personally, this is one of the reasons I only plan on owning Nexus phones that get a monthly update from now on (that and I hate the OEM skins polluting the interface)
    Reply
  • andy_newton
    @elho_cid Only if your device has a non-qualcomm chipset
    Reply
  • andy_newton
    With so many logical fallacies, this author will not make it past English 101 if he takes the class in City College of San Francisco. So don't worry about a single word he writes.
    Reply