Android Devices Using Qualcomm Chips Can Be Hacked

Do you have an Android device?  Is it built around a Qualcomm chipset?

If so, be advised that you may be at risk.

According to a report recently published by security firm CheckPoint, a recently discovered flaw could allow hackers to steal a variety of sensitive information on your phone or tablet.

The vulnerability resides in the QSEE, or “Qualcomm Secure Execution Environment,” which is an implementation of TEE (Trusted Execution Environment) based on ARM TrustZone technology.

This is the technology that guards the most protected parts of a mobile device.  In addition to your personal information, the QSEE is used to house passwords, credit and debit card details, encryption keys, and the like.  Basically, QSEE guards everything else that’s supposed to make your digital life secure, and it has been compromised. That puts millions of Android devices at risk.

CheckPoint’s security researchers had this to say about the issue:

“In a 4-month research project, we succeeded in reverse (engineering) Qualcomm’s Secure World operating system and leveraged the fuzzing technique to expose the hole.

We implemented a custom-made fuzzing tool, which tested trusted code on Samsung, LG, and Motorola devices, which allowed researchers to find four vulnerabilities in trusted code implemented by Samsung, one in Motorola, and one in LG.

An interesting fact is that we can load trustlets from another device as well.  All we need to do is replace the hash table, signature, and certificate chain in the .mdt file of the trustlet with those extracted from a device manufacturer’s trustlet.”

In other words, it’s about as bad as a security issue can get.  If there’s a silver lining, it is that Samsung, Qualcomm, and LG have already released a patch which fixes the issue. So, if you have a device manufactured by any of those companies, head to their website to be sure you get the patch.