
Your unpatchable, insecure Android mobe will feel right at home in the Internet of Stuff era

Qualcomm's broken kernel code is the tip of the iceberg

If you've got a Qualcomm Snapdragon chip in your Android phone or tablet, make sure you grab its latest security updates – if you can.

And if you can't, well, get used to it: the Internet of Things is going to bring more and more un-patchable and insecure electronics onto the market, it's feared.

Researchers at Trend Micro have discovered severe programming blunders in Qualcomm's kernel-level Snapdragon code that can be exploited by a bad app to root the device. In other words, code installed on, or injected into, your phone or tablet can use these flaws to take over the hardware, and turn it against you to snoop on passwords, snap photos of you on the toilet, and so on.

Qualcomm boasts that millions and millions of products use its chips, so these bugs will put a lot of people at risk.

These low-level holes have been patched by Qualcomm. The trouble is getting the fixed code onto people's hardware. The updates have to trickle down from Qualcomm to Google to your device's manufacturer to your network carrier and finally to your handheld over the air. If, for whatever reason, security patches are no longer available for your model, or take too long to arrive, that's bad news because it gives miscreants time to exploit the flaws to gain control of your handheld.

And if you don't have a Snapdragon-based gadget, well, there are plenty of other Android security flaws that need patching – from mediaserver bugs that can be exploited by video messages to MediaTek Wi-Fi drivers giving apps kernel-level access just this month.

Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10 devices get their patches direct from Google automatically, so they're safe from the vulnerabilities; your mileage may vary for other devices. Alternatively, you could install a custom firmware like Cyanogen, which grabs and emits Android patches as soon as they are ready.

"We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk," said Trend engineer Wish Wu. "Given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming."

In testing, Trend found its Nexus 5, 6 and 6P, and Samsung Galaxy Note Edge used vulnerable versions of Qualy's code, although it doesn't have access to every handset and tablet to test, so the list is non-exhaustive. The broken code is present in Android versions 4 to 6.

Trend's Noah Gamer thinks the state of Android security doesn't bode well for the Internet of Things, where Google's operating system will play a role: "Smartphones aren't the only problem here. Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk.

"If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with."

The first Qualcomm-related flaw (CVE-2016-0819) allows a small section of kernel memory to be tampered with after it is freed, disclosing sensitive information about the kernel's state. It was patched this month.

The second flaw (CVE-2016-0805) is in the Qualcomm chipset kernel function get_krait_evtinfo, which returns an index into an array used by other kernel functions. By passing carefully crafted input data, it's possible to generate a bad index, leading to a buffer overflow. This was patched last month.
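
The class of bug described above, as an added illustration in C (not Qualcomm's code and not from the article): a decoder turns a caller-supplied event word into a table index, shown without and with the range check. The bit layout, table size and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, NOT the real driver: layout and sizes are assumed. */
#define NUM_REGS   3                    /* assumed number of register banks */
#define NUM_GROUPS 4                    /* assumed groups per bank */
#define TABLE_LEN  (NUM_REGS * NUM_GROUPS)

struct evtinfo { unsigned index; };

/* "Before": index built from caller-controlled bits with no range check. */
static int decode_evt_unchecked(uint32_t evt, struct evtinfo *out)
{
    unsigned reg   = (evt >> 12) & 0xf; /* 0..15, only 0..2 are valid */
    unsigned group = evt & 0xf;         /* 0..15, only 0..3 are valid */
    out->index = reg * NUM_GROUPS + group;
    return 0;
}

/* "After": out-of-range fields are rejected where the index is produced,
 * so no consumer can be handed a bad index. */
static int decode_evt_checked(uint32_t evt, struct evtinfo *out)
{
    unsigned reg   = (evt >> 12) & 0xf;
    unsigned group = evt & 0xf;
    if (reg >= NUM_REGS || group >= NUM_GROUPS)
        return -1;
    out->index = reg * NUM_GROUPS + group;
    return 0;
}

/* Stand-in for the "other kernel functions" that consume the index. It
 * re-checks the bound so this demo never writes outside the table. */
static int mark_event_used(uint8_t *table, const struct evtinfo *info)
{
    if (info->index >= TABLE_LEN)
        return -1;
    table[info->index] = 1;
    return 0;
}

int main(void)
{
    struct evtinfo info = {0};
    uint8_t table[TABLE_LEN] = {0};
    decode_evt_unchecked(0xF00F, &info);        /* constructed input */
    printf("unchecked index: %u of %d\n", info.index, TABLE_LEN);
    printf("checked rc: %d\n", decode_evt_checked(0xF00F, &info));
    return 0;
}
```

Validating at the point where the index is created protects every consumer at once; the second check in the consumer is defence in depth.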

Used together on vulnerable devices, Trend's researchers say root access can be gained. The team is sitting on the details of exactly how to leverage the bugs until the Hack In the Box Security Conference in May. Once that's out, however, Android smartphone users had better get patching.

While Google will no doubt be looking for apps that exploit the flaws, its scanning systems are far from perfect, and any poorly policed third-party app stores will no doubt wind up featuring free games that carry an unpleasant payload. ®
