Quadrooter Flaw in Qualcomm Chips Puts 900M Android Devices At Risk


RV_

This was just released at DefCon Sunday.

 

Excerpt:

 

"Four vulnerabilities found in Qualcomm chips used in 900 million Android devices leave affected phones and tablets open to attacks that could give hackers complete system control. Researchers at Check Point who found the flaw are calling the vulnerability Quadrooter and say that a patch isn’t expected to be available to most users until September.

 

The privilege escalation vulnerabilities were revealed at a DEF CON talk on Sunday by Check Point’s Adam Donenfeld, the company’s lead mobile security researcher. The flaws are in multiple subsystems of the Qualcomm chipset and impact top Android handsets including Samsung, HTC, Motorola, and LG phones.

 

A list of impacted Android devices includes:
• BlackBerry Priv
• Blackphone 1 and 2
• Google Nexus 5X, 6 and 6P
• HTC One M9 and HTC 10
• LG G4, G5, and V10
• New Moto X by Motorola
• OnePlus One, 2 and 3
• Samsung Galaxy S7 and S7 Edge
• Sony Xperia Z Ultra"

 

The full article with details is here: https://threatpost.com/quadrooter-flaw-in-qualcomm-chips-puts-900m-android-devices-at-risk/119713/

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


I am so sick of these attackers! My phone is a Kyocera from Cricket! I used the QuadRooter Scanner by Check Point, downloaded from the Play Store, and it came up with:

CVE-2016-2060

CVE-2016-2059

CVE-2016-2503

CVE-2016-2504

CVE-2016-5340

 

It asks to select Protect your Enterprise! They want my name, email address!

Or ask me to install ZoneAlarm!

 

I am seriously thinking of just throwing the Smartphone in the trash and going back to my old Flip-phone!

:) Living Life One Day At A Time!


Smart phones are a good addiction as long as one really learns how to benefit from it. Most everyone else is a potential statistic.

RVBuddys Journal Our progress into full-timing.
Budd & Merrily ===-> SKP# 088936 Other Websites:---> Hub of all my blogs
Clifford - 2000 VNL64T770 :: DakotR - 1999 C40KS King of the Road :: $PRITE - 2013 Smart Passion w/cruise


It is not as bad as they want you to believe - http://www.computerworld.com/article/3105569/android/android-quadrooter.html.

 

"Yeah, right. Here's the all-important asterisk being omitted from Check Point's thinly veiled publicity campaign for its product: A "mobile threat detection and mitigation solution" is already present on practically all of those 900 million Android devices. It's a native part of the Android operating system called Verify Apps, and it's been present in the software since 2012."

2004 40' Newmar Dutch Star DP towing an AWD 2020 Ford Escape Hybrid, Fulltimer July 2003 to October 2018, Parttimer now.
Travels through much of 2013 - http://www.sacnoth.com - Bill, Diane and Evita (the cat)
 


Thanks Bill! As a friend I take no umbrage at your disagreeing with the article I posted. The guy who wrote the denial article you quoted was talking about malware in apps in his boilerplate denial article, and appears totally mixed up as these vulnerabilities were for chipset flaws and escalation of privileges via that path, not bad Apps from the store. He said in effect that there were no vulnerabilities.

 

My linked article above was from ThreatPost. The folks who found and alerted Qualcomm properly were from Check Point software. Threatpost is a publication of Kaspersky. If Check Point, their competitor, was posting fake vulnerabilities, would not Kaspersky slam them instead of pass the word along?

 

JR Raphael, the author of the big denial article you linked to Bill, is the one posting clickbait. Clickbait works both ways. I try, usually successfully, to disregard "Sky is Falling" clickbait posts by the ignorant. I also try to avoid taking "The sky is not falling" clickbait posts seriously, when I have already checked the source. Every Linux and Android developer knows Aurora. They can check easily too.

 

The first thing I'm going to say is that you don't go into DefCon and try to BS the best security researchers and malware fighters on the planet. This was not a case of a reporter sensationalizing something to get clicks. It is a genuine concern that it can be a year before some patches filter down to the end users because of low priorities assigned them by some vendors. It can be safely assumed that Google's Nexus products are first to get patched despite the patches being shared at the same time. Others may take a year or not at all if the company refuses to support an older device or version of Android.

 

Bill, let's see if Qualcomm agreed with Check Point, issued patches, and is working on another now? Below is from the link I gave above - the last two paragraphs.

 

"Check Point disclosed its research to Qualcomm in April, after which Qualcomm classified the vulnerabilities as high severity and issued driver patches to device makers Samsung, HTC, Motorola, LG and others. But because of the fragmented relation between end-user devices, wireless carriers, OEMs and component chip makers, Check Point said it could take weeks to months before patches reach the actual devices. “A number of factors contribute to Android fragmentation including different Android builds for different device makers, models, carriers and distributors,” Check Point explains.

Google deployed patches for its Nexus 5X, Nexus 6, and Nexus 6P for three of the four security flaws; however, one of the patches is still outstanding and expected in September, according to Check Point."

 

This new article came in just an hour ago, and the one under it today earlier. Under both of those, from July 28, 2016, are the thanks from Qualcomm to Check Point Software for finding them, and disclosing them to them professionally giving time for patches.

 

Perhaps I am reading this article from an hour ago wrong?

 

"Today's topics include the vulnerabilities found in a Qualcomm chipset that put 900 million Android devices at risk, the patch to a critical security flaw in the Fedora Linux Account System, the sudden departure of the CTO for Google’s self-driving car project and Google's acquisition of cloud software marketer Obitera.

 

A set of security vulnerabilities in Qualcomm chipsets has put 900 million Android smartphones and tablets at risk of being taken over by hackers, according to researchers at security technology vendor Check Point Software.

 

At the DefCon 24 show in Las Vegas Aug. 7 and in a post on the company blog, Adam Donenfeld, a security researcher with Check Point outlined the four vulnerabilities that he has pulled together under the name QuadRooter.

 

The security flaws in the Qualcomm chipsets would allow hackers to gain unrestricted access to personal and corporate information stored on the affected Android devices, Donenfeld wrote in the blog post. Check Point reported the vulnerabilities to Qualcomm between February and April and the vendor has released fixes for all four."

 

http://www.eweek.com/security/qualcomm-vulnerabilities-put-900-million-android-devices-at-risk.html

 

And this from earlier today:

 

"Four new vulnerability exploits were discovered recently on over 900 million Android smartphones, with Qualcomm chipsets found to be the root cause of the issue, according to research by Check Point, a firm dedicated to providing people with protection against digital threats. Qualcomm was notified by the researchers about the issue earlier this year, and responded by making patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.

 

Researchers from Check Point detected the vulnerabilities affecting all Android devices running a specific Qualcomm chipset. Since the vulnerabilities are found in the software drivers Qualcomm ships with its chipsets, and since said drivers are pre-installed on devices straight out of the factory, they can only be fixed by installing a patch from the distributor or operator.

 

According to Check Point, the vulnerabilities, known as QuadRooter, can give attackers complete control of devices and unrestricted access to sensitive, personal and enterprise data which may be stored on the device. Check Point presented the results of its research at hacking and information security conference Defcon.

 

"Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape," said Adam Donenfeld, Senior Security Researcher, Check Point. "However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80 percent of the chipsets in the Android ecosystem, has almost as much effect on Android's security as Google. With this in mind, we decided to examine Qualcomm's code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices.”

 

Qualcomm responded to the issues discovered by Check Point by releasing patches on Code Aurora, for users to protect their devices from the vulnerabilities. The website highlights security vulnerabilities in QuIC-authored KGSL Linux Graphics Module and in IPC router kernel module. The vulnerabilities were detected on all Android releases from CAF using the Linux kernel, commonly used worldwide in devices.

 

Qualcomm Innovation Center (QuIC) openly acknowledges Check Point on the Code Aurora patch pages, giving thanks to Adam Donenfeld from Check Point Software Technologies “for reporting the related issues and working with QuIC to help improve device security.”

 

“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI),” said Qualcomm in a press statement. “We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on Code Aurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities.”

 

That here: http://activetelecoms.com/news/telecom-industry/telecom-vendors/how-qualcomm-responded-to-vulnerabilities-affecting-a-specific-chipset-exposed-by-check-point

 

But let's see what Qualcomm and the Linux Project Aurora files say about Donenfeld and Check Point:

 

"Patch:

 

We advise customers to apply the following patches:

Individual Patches
•CVE-2016-5340:
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6

Acknowledgement:

 

Qualcomm Innovation Center, Inc. (QuIC) thanks Adam Donenfeld et al. (Check Point Software Technologies Ltd.) for reporting these issues and working with QuIC to help improve the security of QuIC products."

 

That can be found here: https://www.codeaurora.org/invalid-path-check-ashmem-memory-file-cve-2016-5340

 

The presumed asterisk and the immediate denial kicking in is expected Bill, but not usually from you. No offense taken or given.

 

Rather than go to the source, in this case Qualcomm, many folks who don't look before they leap, publish the types of boilerplate denial articles with no specific source for their articles, as with your earlier link Bill.

 

Apparently QUALCOMM moved rapidly, unlike some companies, to issue patches, to protect their users, in this case reported with proper confidential disclosure by Check Point.

 

For those wondering, yes, the very people who provide protection methods like anti malware software do indeed participate in annual contests to find vulnerabilities like pwn2own, Black Hat etc. The industry accepted way to disclose these vulnerabilities is to give them to the company before disclosing publicly, and then disclosing once patches were made available.

 

The incentives are both in reputation and in money when folks disclose new zero day vulnerabilities properly in secret, until the company has a chance to patch.

 

Because the Android communities are so fragmented folks would do well to check if they have the vulnerable hardware, and if their vendor has patched them as Google did its Nexus products among other vendors. The concern was not whether there were vulnerabilities or not. The reason I posted is so folks like you Bill could check your devices and vendors.

 

If you run an Android Phone, it would be wise to call your vendor and check if they are passing the patches down yet.

RV/Derek

Google confirmed that "Verify Apps" will stop these exploits, which is part of Google Play Services. "Verify Apps" can be disabled and some who install apps from somewhere other than the Google Play Store do disable it. That is why Google is fixing the underlying code also, for those more rare cases. Yes, there are 900 million phones with the underlying problem, but it is estimated that over 90% of these are still safe. http://www.androidcentral.com/google-confirms-verify-apps-can-block-apps-quadrooter-exploits has more information.

 

I am using a Nexus 6P as my main phone, so it is getting patched.

2004 40' Newmar Dutch Star DP towing an AWD 2020 Ford Escape Hybrid, Fulltimer July 2003 to October 2018, Parttimer now.
Travels through much of 2013 - http://www.sacnoth.com - Bill, Diane and Evita (the cat)
 


According to this if your phone has 4.2 or above then there should not be a problem!
