Millions of Android Phones At Risk Due to ‘Achilles’ Flaw in Qualcomm Chips (gizmodo.com) 13
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures. Once that’s done, an attacker could turn the affected phone into a spying tool. They’d be able to access a phone’s photos, videos, GPS, and location data. Hackers could potentially also record calls and turn on the phone’s microphones without the owner ever knowing. Alternatively, an attacker could choose to render the smartphone completely unusable by locking all the data stored on it in what researchers described as a “targeted denial-of-service attack.” Lastly, bad actors could also exploit the vulnerabilities to hide malware in a way that would be unknown to the victim, and unremovable.
Part of why so many vulnerabilities were found is that the DSP is a sort of “black box.” It’s difficult for anyone other than the manufacturer of the DSP to review what makes them work…
The article notes that Qualcomm has no evidence of the vulnerability being exploited in the wild, adding that the company has “reportedly since fixed the issue.”
But they also note that it’s still up to individual phone makers to push out the relevant security patches, “which could take some time.”
But they also note that it’s still up to individual phone makers to push out the relevant security patches, “which could take some time.”
…Like forever, in the case of the vast majority of Android phones in users’ hands.
Not forever!
That is totally unfair!
It’ll happen way before the end of the heat death of the universe! [youtu.be]
Just be Google.
Or get an NSL, of course.
- by DogDude ( 805747 ) on Saturday August 08, 2020 @02:47PM (#60380601)
“Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures. Once that’s done, an attacker could turn the affected phone into a spying tool. They’d be able to access a phone’s photos, videos, GPS, and location data. Hackers could potentially also record calls and turn on the phone’s microphones without the owner ever knowing.”
Isn’t that what all “apps” do on phones? Not trying to be a smartass here, but I had to use an Android phone for a little bit, and every “app” that I had to use had access to all of those things.
The other articles I saw on this mentioned it was a bug with the DSP used with video decode and that the vulnerability could be triggered just by going to a website with autoplay video. “The vulnerabilities can be exploited when a target downloads a video or other content that’s rendered by the chip.” [arstechnica.com]
No. The key phrase is: “seemingly benign app that bypasses usual security measures”
In other words it relies on other zero day vulnerabilities to get root before it can even start screwing with the DSP code. If it has root you are screwed anyway, it can already turn your phone into a spy tool.
Since you say you have barely used Android I’ll clarify that normal apps don’t have root, and can’t get root. They can’t even ask the user for it, because the user can’t get it either. Literally the only way is to use a
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures.
Not this shit again. “Hundreds of bits of vulnerable code” if you open the front door…
- by znrt ( 2424692 )
indeed, but the point is that any app with legitimate access to the dsp might use that to get unauthorized access or brick the phone. it essentially renders the permission system moot.
it is a considerable screw up. app vendors can do little until the provider sanitizes those hexagon sdk’s libraries first. users should be extra wary of the permissions they give for a while.
That’s dozens of bytes!
It’s only a little glitch in the coming technocracy of chipping for tracking and controlling people and all their related information.
We have China to show us how. Do not pay attention to all the other endless tech industry glitches behind the curtain. This don’t look instruction is especially for tech people. Just keep your eyes on the $$$. The fails sum doesn’t really add up to a massive fail. We have Murphy to prevent it.
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures.
This is very ambiguous. “Usual security measures”? That could mean anything from “you have to allow the app access to camera/storage/mic/etc.” to “only works on rooted phones.” Without more information it’s difficult to know if this is a serious problem (the former case) or a big nothing burger (the latter). I mean, seriously, if you have the technical chops to root your phone you’re probably going to be competent enough to avoid obvious malware or the superfluous apps that sometimes hide it.
The ars [arstechnica.com] article linked above [slashdot.org] gives some insights in the first couple of paragraphs.
It appears that in this context “usual security measures” means the app permission system. It seems that even a web video could jump the data/code barrier in the DSP and that if someone wanted to they could also do it silently from an app with no permissions. It’s as bad as stagefright or maybe even worse.