900 million Android devices host vulnerable Qualcomm drivers

— 3:50 PM on August 8, 2016

It's August, and we're at the height of the summer season. That means beaches, hot weather, cold beer, and large-impact Android device vulnerabilities. The folks at Check Point are at DEF CON 24, where they made a presentation on QuadRooter, a tetra-whammy of security vulnerabilities in Qualcomm device drivers. According to Check Point, Qualcomm's chipsets are used in an estimated 65% of Android devices, which works out to a count of roughy 900 million units. Furthermore, since the vulnerabilities exist at the driver level, the security experts warn that any malicious application can exploit them to gain complete access to all of the device's software and data.

Check Point has made a report available with technical details about each of the vulnerabilites. The list of affected phones includes the majority of the latest-model headsets from all the high-end manufacturers. That means that affected handsets include the Galaxy S7, Nexus 5X and 6P, HTC 10, and Moto X, among others. The security company offers an app that users can install to check if their handsets are affected.

However, there's little that users can do to protect themselves from this vulnerability, short of waiting that their carrier and/or manufacturer release software fixes. Check Point recommends the usual preventive measures: not rooting the phone or sideloading applications, being careful with the selection of apps, and not connecting to untrusted Wi-Fi networks.

The security researchers notified Qualcomm of these vulnerabilities back in April. Qualcomm then dutifully provided OEMs with fixed versions of its drivers. The problem, however, lies in the fragmented Android ecosystem.  It's likely that only the latest and highest-end handsets will ever see patches, which tend to come out late rather than soon. Then there's the problem that carrier-subsidized phones require separate updates of their own. It's not all gloom, though. Google, for example, is already at work releasing patches.

For those of a more technical persusasion, the vulnerabilities are as follows: the first one, CVE-2016-2059, affects the IPC router module. The second, CVE-2016-5340, lies in Android's kernel shared memory subsystem, and the last two (CVE-2016-2503 and CVE-2106-2504) affect the Qualcomm GPU drivers.

Tip: You can use the A/Z keys to walk threads.
View options