Slashdot Mirror

← Back to Stories (view on slashdot.org)

Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security (betanews.com)

Posted by msmash on from the internet-of-vulnerable-things dept.

Reader Mark Wilson writes: One of the greatest concerns surrounding the growth of the Internet of Things (IoT) is its security, and it seems that some people's worst fears have just been realized. Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC (system on a chip) devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices. The vulnerability makes it possible for an attacker to gain root access to the hardware, and this is worrying in a world of inter-connected devices. In the interests of trying to contain the problem, Trend Micro has not revealed full details of the vulnerability but is using the issue to highlight a serious problem not just for handset owners but also for adopters of the IoT.

57 comments

  1. Completely Wrong by Anonymous Coward · · Score: 4, Informative

    Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates

    manishs, WTF is wrong with you. Didn't you even read the submission? This is outright wrong.

    1. Re:Completely Wrong by AmiMoJo · · Score: 2

      Indeed, all mentioned devices are still getting both OS updates and updates via Play that can mitigate this vulnerability.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Completely Wrong by Anonymous Coward · · Score: 0

      But but... the summary helpfully defined SoC as system on chip!

      Totally unexpected.

    3. Re:Completely Wrong by Anonymous Coward · · Score: 0

      Already fixed, I received the patch yesterday on my Nexus 5:

      http://source.android.com/security/bulletin/2016-03-01.html

    4. Re:Completely Wrong by arglebargle_xiv · · Score: 1

      It's not just that, I was clickbaited into reading the article and its linked article and another linked article trying to track down what a vuln in a "Qualcomm Snapdragon SoC" is, when it has nothing to do with the Snapdragon, it's just some Android vulns. The same software could be running on a 6502 and it'd have the problem. Conversely, a Snapdragon running anything other than the appropriate version of Android is fine.

      So "Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security" should really read "Several More Android Vulns Found, Buy a New Phone to Get Your Updated Firmware".

  2. Because IoT is secure by default by Anonymous Coward · · Score: 0

    Please, this is the latest fail in a series of fails.

  3. So what you are saying is by The-Ixian · · Score: 2

    IoT devices may end up creating vulnerabilities in your otherwise secure network?

    Say it ain't so...

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:So what you are saying is by Darinbob · · Score: 1

      Those chips are for phones, most IoT devices don't use anything that large and high power. Although phones themselves are technically "IoT" devices.

  4. A world of interconnected devices? by Viol8 · · Score: 2

    That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.

    1. Re:A world of interconnected devices? by The-Ixian · · Score: 1

      If I have to plug a device into the network in order to have beer fetched and poured into my mouth then SO BE IT!

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:A world of interconnected devices? by Anonymous Coward · · Score: 0

      It's being sold as a "luxury". Think of all the people who have 4000 sq ft houses and larger, who are just put off that they have to go to each and every room to turn off the lights before they go off for the weekend to their vacation home, how much "easier" it'd be if they could just click a button on a smart phone app to do it for them. You give them a "solution"? They'll cream their pants as you show it to them.

    3. Re:A world of interconnected devices? by ScentCone · · Score: 4, Informative

      You know what? It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on, or whether there's suddenly water standing on the basement floor, or if the temperature and humidity in the house has suddenly gone way out of bounds. It's really damn nice to be able to fire up that app and get a real-time look at the dog-cam, or to see which cars are at home in the driveway.

      I do all of this in my router's DMZ.

      It's not about being too lazy to walk into the next room to flip a switch.

      --
      Don't disappoint your bird dog. Go to the range.
    4. Re:A world of interconnected devices? by Anonymous Coward · · Score: 0

      Train a dog to do that. It might mess up the place from time to time but it probably won't steal your identity.

      Or you could put together an irrigation system and lay under the exit spout.

      Utilizing your own limbs might also work, and it'll slow your atrophy.

      also CAPTCHA: nurses

    5. Re:A world of interconnected devices? by Anonymous Coward · · Score: 0

      Why would they have lights on in every room at the same time in the first place?

      A fireplace would be much more efficient if burning cash and emitting carbon is their goal.

    6. Re:A world of interconnected devices? by Anonymous Coward · · Score: 0

      There are ways to do this securely. Sensors are one thing. To do that right, it would pad the data to a blocksize, encrypt it with OpenPGP, and use the private keys for any device connected to it. Then, copy that to a remote server. This way, the remote server has no clue what the data is, the data is fetched via TLS, so there are two layers of encryption, and the user gets the info if their doors are locked.

      For being able to access physical devices, it would be nice to have functionality where an automatic deadbolt can turn to lock it... but cannot unlock it... the deadbolt has to be unlocked via a key or the thumbturn on the inside.

      The problem is that most IoT device makers don't care about security. They do things as fast as their offshored coders can crank out code and build it. People will still buy them, as you can't look at an insecure deadbolt versus a secure deadbolt. Like a former boss in a previous job told me, "Security has no ROI, the only profiters from buying a lock are the lock makers"... that is the attitude in the industry.

      If IoT makers gave a rat's derriere about security, they would use a hub and spoke model, where devices would communicate with a hub (or hubs), and the central hub would be well hardened against attack. The key is to reduce the attack surface. However, there is zero incentive to go secure in this field.

      You can keep that smart fridge. If I pay $2500 for a refrigerator, it will be one that works on natural gas and electric so my beer stays cold in a power outage.

    7. Re:A world of interconnected devices? by Shoten · · Score: 1

      That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.

      Think again.

      I'm terrified of this inter-connectivity myself, but the damn devices are showing up everywhere I look. Locks on doors now have this capability. Nespresso's latest machine has an app. I do sous vide cooking...guess what, the latest immersion cooker out there, from Chef-Steps, can ONLY be controlled via a smartphone! I went to buy a new car a year ago...and I couldn't get one that wasn't a crappy econobox that DIDN'T have a network connection over cellular backhaul for telematics.

      There's a twitter account...a very funny one...called "Internet of Shit." It makes fun of the ridiculous ways in which this trend is going completely over the edge. But even if only half of these products get any traction, that represents an incredible degree of added attack surface to our daily lives. And it looks like there is indeed a lot of traction out there. I see things like the outcry when Google changed their calendar API...and suddenly the first-model of Samsung smart fridges couldn't do calendaring properly. Turns out that a lot of people had those fridges, as insane as they seem to be. (I just got an iPad Mini and mounted it in the kitchen...more secure, upgradeable over time, better-managed, more flexible, better-placed, and I believe it was even a lot cheaper.)

      A good way to see if you're in the movement of a trend is to look backwards. 30 years ago, nobody had a computer. 25 years ago, nobody had a network connection. 20 years ago, the lucky few had dialup Internet, and a bunch of people had "Fischer Price networking," (AOL), and while it wasn't essential, everybody knew about it and pretty much everyone wanted it. Now, most people carry a full-time networked computer in their pocket or purse. You can't job-shop effectively without going online, or having an email address. A staggering amount of individual purchasing takes place over networks using embedded devices like phones, and now entertainment is moving away from vertically-integrated institutions like cable companies to multi-vendor solutions like an ISP for data backhaul, Netflix/Pandora/Hulu/YouTube as the content distributor with tablet/phone/home computer/(Roku|AppleTV|FireTV) as the endpoint. I think I see a trend.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    8. Re:A world of interconnected devices? by edtice1559 · · Score: 1

      Lights use almost no electricity these days.

    9. Re:A world of interconnected devices? by hankwang · · Score: 1

      "It IS damn useful to be able to look at an app on my phone while I'm out of the house, (...) I do all of this in my router's DMZ."

      Huh? What does that mean? I hope that you don't mean that all those webcams are in the DMZ, fully exposed to the internet.

      --
      Avantslash: low-bandwidth mobile slashdot.
    10. Re:A world of interconnected devices? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I'd be okay with read-only things, but I'll never allow connected devices to control things in my home.

    11. Re:A world of interconnected devices? by Waffle+Iron · · Score: 2

      It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on,

      It's useful for you, and even more damned useful for criminal hackers.

    12. Re:A world of interconnected devices? by Anonymous Coward · · Score: 0

      "Men, flying about through the air? Preposterous! Excuse me, but I will have nothing to do with such a ridiculous 'venture'. Good day, sir."

      Viol8, March 15th, 1903

    13. Re:A world of interconnected devices? by ScentCone · · Score: 1

      No, the cams push images to a private server, and I browse there. In once case (the real-time dog cam), I had to set up a tunnel for the app, as I can't use it over my own VPN rig. This is indeed all in a state of evolution. Ideally, I'd only talk to an externally provisioned server with good security, and it in turn would talk to the house's gadgets over a carefully established VPN.

      --
      Don't disappoint your bird dog. Go to the range.
    14. Re:A world of interconnected devices? by ScentCone · · Score: 1

      Yes, I suppose that they too might find it interesting to know if my basement is flooding.

      --
      Don't disappoint your bird dog. Go to the range.
    15. Re:A world of interconnected devices? by rthille · · Score: 1

      Especially after my honey-pot has led them down there and locked them in.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    16. Re:A world of interconnected devices? by Anonymous Coward · · Score: 0

      But why don't you want your home appliances opened to internet? Don't you like them monitoring you and collecting the all so mighty experience improvement data on you? Don't you trust that the vendor who had cheapest offer of the software will fix all the vulnerabilities for decades? You must be a luddite.

  5. "IOT Security" ?????? WTF !!!! by Anonymous Coward · · Score: 1

    If there's one thing that I absolutely *DO NOT* equate with the "Internet of Things" it's security.

    All I seem to read about are devices with idiot back doors, default administrator accounts/passwords etc. It's just like the people creating this crap have been asleep for the last 30 years worth of internet hacking.

    It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.

    1. Re:"IOT Security" ?????? WTF !!!! by Anonymous Coward · · Score: 0

      Or weren't alive for/old enough to comprehend most of it.

    2. Re:"IOT Security" ?????? WTF !!!! by PolygamousRanchKid+ · · Score: 1

      It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.

      If you do put any of these devices into your home . . . it won't be your home for much longer.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:"IOT Security" ?????? WTF !!!! by MobileTatsu-NJG · · Score: 1

      Some asshole put my home on bittorrent!

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    4. Re:"IOT Security" ?????? WTF !!!! by Darinbob · · Score: 1

      I work on IoT devices. Security is always a concern. Just because some stupid consumer oriented device does not care about security does not mean that the professionals aren't concerned.

    5. Re:"IOT Security" ?????? WTF !!!! by Anonymous Coward · · Score: 0

      Trouble is most companies define "security" as protecting *their* assets, software, I.P. from the *owner* of the device.

      So, there are lovely "security" features included like signed firmware blobs and anti-tamper hardware switches, but generally they continue to leave SNMPv1 with some hard coded community string, telnetd running with hard coded, unchangeable credentials, HTTPS server running with old cipher suites etc.

      The ones I particularly hate are the ones that cannot DHCP and require some (Windows only) configuration utility just to set the damned IP address!

  6. Snapdragon is not a cheap chip by Snotnose · · Score: 1

    It's Qualcomm's top of the line chip. I don't know what they sell for but my WAG would be at least $20. Kinda hard to justify spending $20 on a CPU for your IoT device you plan to sell for $100.

    1. Re:Snapdragon is not a cheap chip by ChunderDownunder · · Score: 1

      Yes, I call bullshit on the IoT angle.

      With all the hype on rPI 3, Qualcomm chooses *not* to compete in the hobbyist market (cheapest Inforce dev board is $126).

  7. From the horses mouth by OzPeter · · Score: 1

    The real link is Android Vulnerabilities Allow For Easy Root Access

    And from that link:

    Using these two exploits, one can gain root access on a Snapdragon-powered Android device.

    So the click bait headline is that. Click bait. A more correct headline would mention that it is the combination of Snapdragon and Android.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:From the horses mouth by Anonymous Coward · · Score: 0

      The proof of concept probably used Android to deliver the exploit code. You could probably insert $YOURINSECUREOPERATINGSYSTEM instead.

  8. Crucially missing information... by Anonymous Coward · · Score: 0

    There's some crucially missing information from TFS and TFA that you have to dig up from TF-source: http://blog.trendmicro.com/trendlabs-security-intelligence/android-vulnerabilities-allow-easy-root-access/

    That information being:
    Q. What is the vector?
    A. by running a malicious app

    Q. And what's the danger?
    A. gain root access on the target device

    While the second is obviously pretty bad, the first one means that your proverbial internet-connected toaster should be pretty safe, unless you're in the habit of... installing apps..on your toaster? Even for more reasonable examples, such as an internet-connected fridge where you might have an interface straight to grocery vendors to re-order things, there's very little reason to be installing third party apps - or even provide an interface for doing so.

    Wake me when the proverbial internet-connected toaster can be remotely exploited without user interaction.

    1. Re:Crucially missing information... by Anonymous Coward · · Score: 0

      If the toaster is made by Microsoft, Google or Apple, the software updates are mandatory and each one of them will bring new monopolistic crapware to the system. Therefore every update increases the attack surface or even bing new elements which spy the environment by design. User has no control anymore on stuff they buy, they are just products who will be monetized and exploited in every imaginable way.

  9. Nexus phones recieve monthly updates by Anonymous Coward · · Score: 1

    Not sure where the author got his info. Nexus phones still receive monthly security updates directly from Google.

  10. What happens when the clueless do design by Bearhouse · · Score: 2

    They really tout the Snapdragon as an IoT device? Well, seems so:

    https://developer.qualcomm.com...

    I think these people need to realise that either;

    (a) Your idiot - sorry "IoT" - device is a simple, locked down fairly "dumb" thing that is secured by design, or
    (b) It's a fully-functional computer with a sophisticated OS that presents the same attack surface as a Mac, Windows or Linux box but, unfortunately, without the same knowledge base. i.e. You're going to have to throw serious resources at the thing to make it "secure".
    For a device that will retail for a few bucks....
    Google struggle to do it for Android; what's the betting that these things will continue to be buggy and insecure as hell?

    1. Re:What happens when the clueless do design by Darinbob · · Score: 1

      There's probably some trusting of the hardware that gets in the way too. Hardware says they have secure key storage, so you design with the feature in mind. Later on it turns out the key storage isn't so secure. A full OS like Android should presumably not be dependent upon one chip vendor's features. And yet it happens anyway.

  11. awful article by ico2 · · Score: 5, Informative

    What a terrible article. For two reasons:

    1. Isn't at all clear on what the vulnerability is. It is in fact a bug in the kernel (presumably a device driver for this SoC). I only found this out by reading a different article. This one makes it sound like some sort of problem in the silicon.

    2. Isn't news. This vulnerability is already known.

    We're all becoming sadly more and more used to articles that try to make a story sound bigger by relating it tenuously to some possible impact (every article about some incremental improvement in battery technology needs 4 paragraphs about electric cars, grid storage and longer battery life for phones), but this really does take the piss by not even attempting to cover the actual story and only going on about the potential impact on IoT security.

    Sure, we all need to be aware of the dangers of IoT security (or lack of it), but this is not the way to go about it.

    1. Re:awful article by Darinbob · · Score: 1

      It's slashdot. We have a periodic timer that goes off to post "Dangers With IoT!" stories. This time it just happens to not be Timothy.

  12. Appernet of Apps! by Anonymous Coward · · Score: 0

    Modern app appers know that the Appernet of Apps is 100% appy, unlike LUDDITES like Qualcomm who use the LUDDITE Internet of Things!

    Apps!

  13. I don't know about you... by Anonymous Coward · · Score: 0

    ..but I hug my dumb toaster every morning. I know it's probably only going to kill me if I stick a fork in it to unjam the bread.

    1. Re:I don't know about you... by Zappy · · Score: 1

      Not me, I'm so lonely I need a talking toaster giving me suggestion what to eat...

      https://www.youtube.com/watch?...

  14. Relies on malicious code... by Anonymous Coward · · Score: 0

    From the article: "This attack allows an attacker to escalate the privileges of any code that is executed on a target device. However, this scenario still relies on the attacker getting his malicious code onto the device in the first place. Users should be very careful of installing apps from untrusted sources, especially those outside of the Play Store."

    Unless your IoT device allows you to install some third party software with malicious code, this isn't a concern. I'm not sure how many IoT devices would be running software installed from a 3rd party source. To boil it down, if this exploit affects you, you probably brought it upon yourself. Doubly so if it's an IoT device.

  15. Hilariously Broken by sdinfoserv · · Score: 1

    An article in ARS Techica calls security in IoT hilariously broken and getting worse.

    http://arstechnica.com/securit...

    Being that people have been claiming nobody is paying attention to IoT security, it reminds me of Clark's first Law
    "When a distinguished but elderly scientist states that something is possible, he is almost certainly right."

    1. Re:Hilariously Broken by Darinbob · · Score: 1

      The problem is that IoT covers a range of product. That web article is a mixture of some truth which is used to create hysteria. It claims that there's a minimum amount of work necessary to create a viable product for the consumer. This is true, but everyone knows about this already. What is happening is that they're looking at the worst of the worst products and claiming that all of IoT is this way. I would never myself use any consumer grade IoT device (except for phones, and I barely tolerate them and do extra configuration to increase privacy). But professional level IoT devices to tend to pay attention to security. When security is a feature that the customer demands then it gets implemented (such as with smart meters where the customer is a utility), but when security isn't even asked about then no one bothers implementing it (home baby monitors bought at the local tech store by hipster parents).

  16. Software vulnerability, not chip vulnerability by shawn2772 · · Score: 4, Informative

    The summary isn't very clear about the nature of the problem. The CVE report is a little better. The problem is a bug in the Qualcomm "performance component", which is in a Linux kernel module. So, it's essentially a driver bug, which is nothing remotely new or surprising. The only noteworthy bit here is that it's a bug in a driver that is used on a huge number of devices, many of which aren't easy to update.

    The moral of this story is: bugs happen, updates are crucial for security.

    1. Re:Software vulnerability, not chip vulnerability by Anonymous Coward · · Score: 0

      Yes, there could not be a worse summary.
      It makes it sound as if Qualcomm HW team put in a vulnerability which is actually attributed to a API call on getting SOC information...

      Maybe someone is shorting QCA today?

      -AC4Life
       

    2. Re:Software vulnerability, not chip vulnerability by Darinbob · · Score: 1

      This is slashdot. There could easily be a worse summary.

  17. Relies on malicious code... by Anonymous Coward · · Score: 1

    Unless your IoT device allows you to install malicious software from a third party, this isn't a concern. Basically, if this exploit affects you, you probably brought it upon yourself. Doubly so if it's an IoT device.

  18. this is what happens by Anonymous Coward · · Score: 0

    this is what happens when you copy articles from Trend Micro's blog without understanding what they wrote

    1. Re:this is what happens by Anonymous Coward · · Score: 0

      Don't worry, the marketing department which wrote the article at security company did not understand what they are writing either. Most of these acts security theater are plain and only advertisement.

  19. Post Title wrong... by rthille · · Score: 1

    The post title was interesting, but wrong. The problem isn't with the SoC, but rather the implementation of Android wrt said SoC. Very different...

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  20. Huh? by Viol8 · · Score: 1

    "ou know what? It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on"

    How about you make sure they are before you leave? Just a thought.

    "or whether there's suddenly water standing on the basement floor"

    Paranoia? Much? And what if there is - what you doing to do , rush back from work or fly back from holiday to sort it out? Too late by then anyway, damage is done.

    "or to see which cars are at home in the driveway."

    Don't you even know who lives at your house?

    You sound like the sort of person who shouldn't be let out unaccompanied frankly.