Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks

Security researchers have identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks.

Security researchers have identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks.

During a presentation at DEF CON last week, Check Point security researcher Slava Makkaveev revealed how vulnerabilities in the compute digital-signal processor (DSP) – a subsystem that enables the processing of data with low power consumption – could open the door for Android applications to perform malicious attacks.

The proprietary subsystem is licensed for programming to OEMs and a small number of application developers, and the code running on DSP is signed, but the security researchers have identified ways to bypass Qualcomm’s signature and run code on DSP.

Vendors can build software for DSP using the Hexagon SDK, and serious security flaws in the development kit itself have resulted in hundreds of vulnerabilities being introduced in code from Qualcomm and partner vendors.

According to Makkaveev, almost all of the DSP executable libraries that come embedded in Qualcomm-based smartphones are exposed to attacks through the issues identified in the Hexagon SDK.

The discovered flaws, over 400 in total, are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209 and have already been acknowledged by Qualcomm.

Check Point has yet to publish technical details on these vulnerabilities, but says that attackers able to exploit them would require no user interaction to exfiltrate large amounts of information, including users’ photos and videos, and GPS and location data, or to spy on users by recording calls or turning on the microphone.

Denial of service attacks are also possible, with the device remaining permanently unresponsive, thus making the information stored on it unavailable. Furthermore, malicious code installed on the device could hide activities entirely and become unremovable.

With Qualcomm’s chips present in approximately 40% of the smartphones out there, including high-end devices from Google, LG, OnePlus, Samsung, Xiaomi, and others, at least 1 billion mobile users are affected by these vulnerabilities.

“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” a Qualcomm spokesperson told SecurityWeek.

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Related: Firm’s MDM Server Abused to Deliver Android Malware to 75% of Its Devices

Related: Samsung Unveils New Security Chip for Mobile Devices

Related: Mobile Malware and Mobile Attackers are Getting More Sophisticated

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.