Qualcomm confirms that multiple security vulnerabilities on QSEE component in chipsets affect hundreds of millions of Android devices

Qualcomm has confirmed that the company’s various chipsets have security flaws. These chipsets have been applied to hundreds of millions of Android devices around the world. The researchers revealed that the vulnerability primarily allows attackers to retrieve private data and encryption keys stored in secure areas of Qualcomm’s secure execution environment which called Qualcomm Secure Execution Environment (QSEE). The QSEE is similar to the Intel Software Guard Extensions (SGX) and is primarily used to protect software data.

Snapdragon 8cx 5G

Qualcomm confirmed the vulnerability and said it has released a security update blocking vulnerability earlier this month. Next, Android device manufacturers are required to push new firmware. However, everyone knows that most Android device manufacturers have slower firmware updates, especially many older models are not updated directly. This means that many Android smartphones and tablets will be threatened in the next few years until the old equipment is retired to smooth out these vulnerabilities.

The Qualcomm Secure Execution Environment is actually the hardware isolation area on the chipset. Android systems and applications can safely process data in this environment. This security data are isolated from each other and is not read by other applications. This way, the application can protect the security of confidential data. For example, when the user logs in, the relevant key is stored in the isolated area of ​​the secure execution environment, and the application cannot read the password except the login application. The main problem is the cryptographic signing algorithm implemented by Qualcomm, which allows an attacker to retrieve the encryption key stored in the quarantine. After the encryption key, the attacker can theoretically read the security data of any application, and the attacker can even use the vulnerability to read the confidential data of the Android system.

All of Qualcomm’s mainstream processors are affected:

IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130

Via: ZDNet