The Qualcomm chipsets in many Android smartphones have vulnerabilities that could let cybercriminals gain access to passwords and other highly sensitive data stored in the devices. Here is what you need to know about these flaws.

Cybercriminals access the area where passwords, fingerprint scans, payment card numbers, and other highly sensitive data are stored. Check Point security researchers found and were able to exploit these vulnerabilities in Samsung, LG, and Motorola phones. Many other phones are also likely vulnerable, as other mobile device manufacturers use Qualcomm chipsets as well.

Where the Flaws Lie

The security researchers discovered that the vulnerabilities lie in Qualcomm’s Secure Execution Environment, which is the company’s implementation of the Trusted Execution Environment (TEE). Simply speaking, TEE is a secure system environment inside a processor. One of the hardware technologies used to support TEE is TrustZone from Arm.

Arm Cortex-A processors use the TrustZone technology to create two virtual cores — a secure (aka trusted) area called the “Secure World” for security operations and a not-as-secure (aka non-trusted) area known as the “Non-Secure World” or “Normal World” for normal operations. The two worlds are hardware separated, each with its own operating system, storage area, apps, and other components. In the Secure World, trusted apps implement crucial security features such as fingerprint recognition and cryptographic operations. Mobile device manufacturers can also add their own trusted apps for any purpose.

Apps in the Non-Secured World cannot directly access the trusted apps or other resources in the Secure World. Work that must occur between both worlds takes place through software referred to as the “Secure Monitor”. The command handler of a trusted app receives a data from the Non-Secured World through the Secure Monitor.

Despite the separation of the two worlds in Qualcomm’s Secure Execution Environment, researchers found that they could hack the area where highly sensitive data is stored in the Secure World. They did so by using a technique called fuzzing — the injection of a massive amount of random data into a program or system to find bugs and security vulnerabilities in it. In this case, the researchers built a feedback-based fuzzing tool that injected random data into the command handlers of trusted apps on Samsung, LG, and Motorola phones. They found vulnerabilities associated with several of those trusted apps.

The Aftermath

The researchers alerted Qualcomm about the vulnerabilities when they initially discovered them in June 2019. In mid-November 2019, Qualcomm let the researchers know that it fixed the issues and sent updates to the various mobile device manufacturers.

Samsung, LG, and Motorola indicated that they have incorporated the patches into the firmware for the smartphone models they offer or are in the process of doing so. They will be sending the various versions of their updated firmware to the appropriate cellular carriers. The carriers will then test the updated firmware to make sure the changes do not cause any problems. If there aren’t any issues, the carriers will push the updates out to phone users.

What You Need to Do to Protect Your Mobile Device

The vulnerabilities found in the Qualcomm chipset firmware are serious, as hackers could exploit them to steal highly sensitive information. So, if you have an Android smartphone with a Qualcomm chipset, you need to make sure that the latest updates are being installed on your device.

Keeping a mobile device’s firmware and software updated is a good practice no matter who manufactured your phone and its chipset. It is one of several precautions you can take to secure your smartphone. If you would like to learn about the other security measures you can take to protect it, let us know.