Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security

Reader Mark Wilson writes: One of the greatest concerns surrounding the growth of the Internet of Things (IoT) is its security, and it seems that some people's worst fears have just been realized. Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC (system on a chip) devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices. The vulnerability makes it possible for an attacker to gain root access to the hardware, and this is worrying in a world of inter-connected devices. In the interests of trying to contain the problem, Trend Micro has not revealed full details of the vulnerability but is using the issue to highlight a serious problem not just for handset owners but also for adopters of the IoT.

Completely Wrong

Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates

manishs, WTF is wrong with you. Didn't you even read the submission? This is outright wrong.

awful article

[ico2]

What a terrible article. For two reasons:

1. Isn't at all clear on what the vulnerability is. It is in fact a bug in the kernel (presumably a device driver for this SoC). I only found this out by reading a different article. This one makes it sound like some sort of problem in the silicon.

2. Isn't news. This vulnerability is already known.

We're all becoming sadly more and more used to articles that try to make a story sound bigger by relating it tenuously to some possible impact (every article about some incremental improvement in battery technology needs 4 paragraphs about electric cars, grid storage and longer battery life for phones), but this really does take the piss by not even attempting to cover the actual story and only going on about the potential impact on IoT security.

Sure, we all need to be aware of the dangers of IoT security (or lack of it), but this is not the way to go about it.

Re:A world of interconnected devices?

[ScentCone]

You know what? It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on, or whether there's suddenly water standing on the basement floor, or if the temperature and humidity in the house has suddenly gone way out of bounds. It's really damn nice to be able to fire up that app and get a real-time look at the dog-cam, or to see which cars are at home in the driveway.

I do all of this in my router's DMZ.

It's not about being too lazy to walk into the next room to flip a switch.

Software vulnerability, not chip vulnerability

[shawn2772]

The summary isn't very clear about the nature of the problem. The CVE report is a little better. The problem is a bug in the Qualcomm "performance component", which is in a Linux kernel module. So, it's essentially a driver bug, which is nothing remotely new or surprising. The only noteworthy bit here is that it's a bug in a driver that is used on a huge number of devices, many of which aren't easy to update.

The moral of this story is: bugs happen, updates are crucial for security.