Security researchers from Check Point have found an incredible 400 vulnerabilities within code sections of the Qualcomm Snapdragon digital signal processor (DSP) chip found in approximately 40% of the world’s smartphones: high-end devices from Google, OnePlus and Samsung included. Indeed, that’s most nearly all Android smartphones, or hundreds of millions of devices, to put the gravity of this into some context.


MORE FROM FORBESThis Sublime Samsung Security App Has 1 Billion Downloads, Here’s Why

More details will be revealed during a “DSP-Gate” presentation by Check Point researcher Slava Makkaveev at DefCon 2020 on Friday 7. For now though, here is what is known; I hope you are sitting down.



The Android smartphone attack threats listed


Check Point says that the three main consequences of an attacker successfully exploiting these vulnerabilities are as follows:


Spying. Your Android smartphone could be turned into a spying device, with no user interaction required, photos copied, calls recorded, location data exposed and real-time microphone data captured.


Data theft. Malicious activity could be hidden, with malware going unnoticed and, the researchers say, unremovable by the user.


Bricking. The Android device could be rendered useless by way of continual denial of service attack, in effect, bricking your phone.



MORE FROM FORBESApple Just Made It Easier To Hack An iPhone-Here’s Why That’s Mostly A Good Thing

Exploiting the Snapdragon Android vulnerabilities


All that it would take, according to the Check Point research, to exploit these vulnerabilities would be for an attacker to persuade a user to install a benign-looking application requiring no permissions at all.


The vulnerabilities, all disclosed to and acknowledged by Qualcomm, have been given the following CVE numbers: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.


The chip manufacturer has already notified all relevant vendors and, indeed, patched the vulnerabilities. Still, given the fractured nature of the Android ecosystem, the threat will remain viable until everyone has had security updates from their phone vendors and networks.


“Although Qualcomm has fixed the issue, it’s sadly not the end of the story,” Yaniv Balmas, head of cyber research at Check Point, said, “hundreds of millions of phones are exposed to this security risk.”


MORE FROM FORBESGoogle Still Tracks App Users When They’ve Opted Out, Privacy Lawsuit Alleges

Fractured Android ecosystem slows mitigation


Balmas says that it could take months, possibly even years, to mitigate this risk from all Android devices completely. “If such vulnerabilities are found and used by malicious actors,” Balmas added, “there will be tens of millions of mobile phone users with almost no way to protect themselves for a very long time.”


Check Point said it would not publish the technical details of the vulnerabilities to prevent giving attackers the upper hand. So, for now at least, consumers need to wait patiently for the updates to arrive and install them as soon as they do.


It should be noted that these vulnerabilities do not impact Apple iPhones.


A Qualcomm spokesperson has provided me with the following statement:


“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”