Connect with us

Hi, what are you looking for?


Mobile & Wireless

Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks

Security researchers have identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks.

Security researchers have identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks.

During a presentation at DEF CON last week, Check Point security researcher Slava Makkaveev revealed how vulnerabilities in the compute digital-signal processor (DSP) – a subsystem that enables the processing of data with low power consumption – could open the door for Android applications to perform malicious attacks.

The proprietary subsystem is licensed for programming to OEMs and a small number of application developers, and the code running on DSP is signed, but the security researchers have identified ways to bypass Qualcomm’s signature and run code on DSP.

Vendors can build software for DSP using the Hexagon SDK, and serious security flaws in the development kit itself have resulted in hundreds of vulnerabilities being introduced in code from Qualcomm and partner vendors.

According to Makkaveev, almost all of the DSP executable libraries that come embedded in Qualcomm-based smartphones are exposed to attacks through the issues identified in the Hexagon SDK.

The discovered flaws, over 400 in total, are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209 and have already been acknowledged by Qualcomm.

Check Point has yet to publish technical details on these vulnerabilities, but says that attackers able to exploit them would require no user interaction to exfiltrate large amounts of information, including users’ photos and videos, and GPS and location data, or to spy on users by recording calls or turning on the microphone.

Denial of service attacks are also possible, with the device remaining permanently unresponsive, thus making the information stored on it unavailable. Furthermore, malicious code installed on the device could hide activities entirely and become unremovable.

Advertisement. Scroll to continue reading.

With Qualcomm’s chips present in approximately 40% of the smartphones out there, including high-end devices from Google, LG, OnePlus, Samsung, Xiaomi, and others, at least 1 billion mobile users are affected by these vulnerabilities.

“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” a Qualcomm spokesperson told SecurityWeek.

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Related: Firm’s MDM Server Abused to Deliver Android Malware to 75% of Its Devices

Related: Samsung Unveils New Security Chip for Mobile Devices

Related: Mobile Malware and Mobile Attackers are Getting More Sophisticated

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.