Qualcomm Vulnerabilities Put 900 Million Android Devices at Risk
The four chipset bugs could be exploited by attackers to gain control of a smartphone or tablet and access sensitive data, according to Check Point.A set of security vulnerabilities in Qualcomm chipsets has put 900 million Android smartphones and tablets at risk of being taken over by hackers, according to researchers at security technology vendor Check Point Software Technologies. At the DefCon 24 show in Las Vegas on Aug. 7 and in a post on the company blog, Adam Donenfeld, a security researcher with Check Point outlined four vulnerabilities that he has pulled together under the name QuadRooter. The security flaws in the Qualcomm chipsets open up the Android devices to being taken over by hackers who can gain control and unrestricted access to personal and corporate information on them, Donenfeld wrote in the blog post. Check Point reported the vulnerabilities to Qualcomm between February and April, and the vendor has released fixes for all four. However, Qualcomm's position as the world's largest mobile chip maker has put a wide range of devices at risk, and the fragmented nature of the Android market presents challenges to ensuring that all the smartphones and tablets can be protected in a timely fashion. "QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets," Donenfeld wrote. "Qualcomm is the world's leading designer of LTE chipsets with a 65 percent share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. … If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio."
In a statement to journalists, Qualcomm officials said the company had "made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July."