Qualcomm Chip Flaw Leaves 900m Android Devices Open to Attack

Four vulnerabilities found in Qualcomm chips used in 900 million Android devices leave affected phones and tablets open to attacks that could give hackers complete system control. Researchers at Check Point who found the flaw are calling the vulnerability Quadrooter and say that a patch isn’t expected to be available to most users until September.

The privilege escalation vulnerabilities were revealed at a DEF CON talk on Sunday by Check Point’s Adam Donefield, the company’s lead mobile security researcher. The flaws are in multiple subsystems of the Qualcomm chipset and impact top Android handsets including Samsung, HTC, Motorola, and LG phones.

“These are vulnerabilities that allow adversaries to overcome all the existing mitigations in Android’s Linux kernel to run kernel-code, elevating privileges and allowing an attacker to gain root privileges and completely bypassing SELinux,” said Michael Shaulov, head of mobility product management. SELinux (Security-Enhanced Linux) is a is a Linux kernel security component that supports access control security policies on Android subsystems.

An attacker would need to lure an Android user into downloading a malicious app that may seem benign at the point of installation because no special permissions are required for the vulnerabilities to be exploited.

A list of impacted Android devices include:

• BlackBerry Priv
• Blackphone 1 and 2
• Google Nexus 5X, 6 and 6P
• HTC One M9 and HTC 10
• LG G4, G5, and V10
• New Moto X by Motorola
• OnePlus One, 2 and 3
• Samsung Galaxy S7 and S7 Edge
• Sony Xperia Z Ultra

The vulnerabilities are tied to Qualcomm’s software drivers that control communication between chipset components. “Each one of these vulnerabilities are unique and affect four key modules in Android subsystems,” Shaulov said.

One of those vulnerabilities (CVE-2016-5340) is tied to a propriety memory allocation subsystem in Android called ashmem that enables processes to efficiently share memory buffers. “Devices using Qualcomm chipsets use a modified ashmem system that provides easy access to the subsystem API from the GPU drivers,” according to a technical analysis of the vulnerability.

Two use-after-free flaws are tied to race conditions in Qualcomm’s GPU component called KGSL (Kernel Graphics Support Layer), a kernel driver that renders graphics. The first of the two (CVE-2016-2503) is tied to how the KGSL driver “kgsl_sync” synchronizes between the CPU and the apps.

“The function is prone to a race condition flaw, where two parallel threads call the function simultaneously… This drops the refcount of a syncsource object below 0, exposing itself to a use-after-free attack,” Check Point writes.

The other use-after-free vulnerability (CVE-2016-2504) is found in the KGSL driver when a module creates a GPU memory object called “kgsl_mem_entry”. Check Point describes: “Since a user-space process can allocate and map memory to the GPU, it can both create and destroy a kgsl_mem_entry… Since there’s no access protection enforced, another thread can simply free this object, invoking an use-after-free flaw.”

Another flaw (CVE-2016-2059) is tied to the Linux IPC (inter-process communication) router module of the Qualcomm chip. This component provides inter-process communication capabilities for various Qualcomm components, user mode processes, and hardware drivers, Check Point said.

“A kernel module introduced by Qualcomm, called ipc_router, contains the vulnerability… The vulnerability’s exploit goal is to gain root privileges while disabling SELinux,” the report says.

Check Point disclosed its research to Qualcomm in April, after which Qualcomm classified the vulnerabilities as high severity and issued driver patches to device makers Samsung, HTC, Motorola, LG and others. But because of the fragmented relation between an end-user devices, wireless carriers, OEMs and component chip makers, Check Point said it could takes weeks to months before patches reach the actual devices. “A number of factors contribute to Android fragmentation including different Android builds for different device makers, models, carriers and distributors,” Check Point explains.

Google deployed patches for its Nexus 5X, Nexus 6, and Nexus 6P Nexus for three of the four security flaws, however one of the patches is still outstanding and expected in September, according to Check Point.