Qualcomm chipsets are generally the processor of choice for many smartphone users, owing to the firm’s powerful graphics hardware and developer-friendly nature. It’s not immune to security flaws though, and its latest vulnerability is a big one.
Security researcher Keegan Ryan discovered the flaw last year, ZDNet reported, allowing cyber-criminals to gain private data and security keys in a secure part of the chipset. Ryan has since published a white paper on the flaw this week, noting that he was able to extract security keys from a rooted Nexus 5X.
Meanwhile, Qualcomm has confirmed that it patched the vulnerability, which it categorized as ‘critical.’ This is Qualcomm’s highest rating for security flaws; the firm says ‘critical’ vulnerabilities could allow someone to remotely control a device.
Google’s Android Security Bulletin notes that the fix is included in the April 2019 security patches, but many Android manufacturers have skimped on security updates in the past. So that means people with older devices are still left at risk of being affected by the flaw. In fact, Qualcomm has confirmed that the vulnerability affects over 40 chipsets, including laptop, smartwatch, and automotive silicon.
Some of the more prominent smartphone chips affected by the flaw include the Snapdragon 200 series, Snapdragon 400 family (bar the Snapdragon 400 itself, it seems), Snapdragon 625, Snapdragon 636, Snapdragon 660, Snapdragon 670, Snapdragon 710/712, Snapdragon 820, Snapdragon 835, and Snapdragon 845. You can check out the full list over at Qualcomm’s product security bulletin.
If you own a phone with one of these chipsets and haven’t received the April 2019 security patch, then you should nag the manufacturer. Google has taken action in this regard, reportedly mandating two years of security patches in contracts with manufacturers, but brands often fall behind in their timely delivery. It’s high time they took full responsibility.