Qualcomm has released patches for multiple vulnerabilities in the digital signal processors of its SoCs. The vulnerabilities were discovered by Check Point researchers, but hardly any substantive details have been given.
Qualcomm has released patches for the Hexagon DSPs in its chips, which are part of the Snapdragon SoCs found in many Android smartphones. The DSPs are used, among other things, for processing audio, video and telecom signals. Smartphone manufacturers must implement and provide the patches themselves for their respective devices.
Last weekend, security company Check Point announced that it had discovered various vulnerabilities in those DSPs, although the company does not provide details. According to Check Point, the vulnerabilities make it possible to obtain information and files from smartphones, including photos, videos, real-time microphone recordings and users' location data. No user interaction is said to be required for this. The vulnerabilities can also cause phones to crash permanently, resulting in the loss of all data on such a device.
The vulnerabilities have been assigned six CVE identifiers: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. However, the entries are only reserved and do not provide concrete information. Neither Check Point nor Qualcomm is sharing any further technical details about the vulnerabilities, because the chances of ‘this information falling into the wrong hands’ are high, according to the company. Check Point has published the report to ‘create awareness about the vulnerability’.
Qualcomm tells Bleeping Computer that it currently “has no evidence that the vulnerability is being exploited.” The company recommends that users update their devices regularly and only install applications from Google’s Play Store.