Security researchers have uncovered hundreds of security flaws in the Digital Signal Processor units (DSP chips) manufactured by Qualcomm Technologies that allowed hackers to spy on Android device users and exfiltrate information such as call recordings and location data.
These flaws were discovered when security researchers at Check Point decided to take a look at Qualcomm's DSP chips that are installed in millions of smartphones across the world. DSP chips are primarily used for processing audio signals and decoding MP3 files and are, therefore, widely used in audio products such as smartphones, smart speakers, headphones, and professional equipment.
Aside from supporting various audio features, Digital Signal Processors also provide quick charging abilities and also support multimedia experiences such as video, HD Capture, and advanced AR abilities.
Qualcomm Technologies primarily use the Hexagon Digital Signal Processor (DSP) as their flagship DSP chip with both CPU and DSP functionality to support deeply embedded processing needs of smartphones for both multimedia and modem functions.
"It is an advanced, variable instruction length, Very Long Instruction Word (VLIW) processor architecture with hardware multi-threading. The Hexagon architecture and family of cores provides Qualcomm Technologies a competitive advantage in performance and power efficiency for modem and multi-media applications and is a key component of all of Qualcomm’s Snapdragon™ processors," says Qualcomm. Hexagon DSP chips are embedded in all Snapdragon SoCs for smartphones.
According to security firm Check Point, Qualcomm's DSP chips were found containing "more than 400 vulnerable pieces of code" that allowed attackers to exfiltrate photos, videos, call-recording, real-time microphone data, GPS and location data, etc. from smartphones, and render smartphones non-functional by making all the information permanently unavailable.
All the security vulnerabilities in the chips have been documented and have been assigned vulnerability codes CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209.
"While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features– they do come with a cost. These chips introduce new attack surface and weak points to these mobile devices.
DSP chips are much more vulnerable to risks as they are being managed as “Black Boxes” since it can be very complex for anyone other than their manufacturer to review their design, functionality or code," the firm said.
It added that due to the “Black Box” nature of DSP chips, fixing security flaws in such chips requires a long chain of communication between many vendors, manufacturers, and resellers. It is very challenging for mobile vendors to fix security flaws unless such flaws are first addressed by the chip manufacturer.
Responding to Check Point's findings, Qualcomm issued a brief statement, stating that they are validating the issues highlighted but there is no evidence yet on security flaws in DSP chips being exploited by malicious entities.
“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs.
“We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” they said.