Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security (betanews.com)

← Back to Stories (view on slashdot.org)

Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security (betanews.com)

Posted by msmash on Tuesday March 15, 2016 @04:01AM from the internet-of-vulnerable-things dept.

Reader Mark Wilson writes: One of the greatest concerns surrounding the growth of the Internet of Things (IoT) is its security, and it seems that some people's worst fears have just been realized. Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC (system on a chip) devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices. The vulnerability makes it possible for an attacker to gain root access to the hardware, and this is worrying in a world of inter-connected devices. In the interests of trying to contain the problem, Trend Micro has not revealed full details of the vulnerability but is using the issue to highlight a serious problem not just for handset owners but also for adopters of the IoT.

36 of 57 comments (clear)

Min score:

Reason:

Sort:

Completely Wrong by Anonymous Coward · 2016-03-15 04:04 · Score: 4, Informative

Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates
manishs, WTF is wrong with you. Didn't you even read the submission? This is outright wrong.
1. Re:Completely Wrong by AmiMoJo · 2016-03-15 04:25 · Score: 2
  
  Indeed, all mentioned devices are still getting both OS updates and updates via Play that can mitigate this vulnerability.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:Completely Wrong by arglebargle_xiv · 2016-03-15 21:01 · Score: 1
  
  It's not just that, I was clickbaited into reading the article and its linked article and another linked article trying to track down what a vuln in a "Qualcomm Snapdragon SoC" is, when it has nothing to do with the Snapdragon, it's just some Android vulns. The same software could be running on a 6502 and it'd have the problem. Conversely, a Snapdragon running anything other than the appropriate version of Android is fine.
  So "Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security" should really read "Several More Android Vulns Found, Buy a New Phone to Get Your Updated Firmware".
So what you are saying is by The-Ixian · 2016-03-15 04:10 · Score: 2

IoT devices may end up creating vulnerabilities in your otherwise secure network?
Say it ain't so...

--
My eyes reflect the stars and a smile lights up my face.
1. Re:So what you are saying is by Darinbob · 2016-03-15 08:28 · Score: 1
  
  Those chips are for phones, most IoT devices don't use anything that large and high power. Although phones themselves are technically "IoT" devices.
A world of interconnected devices? by Viol8 · 2016-03-15 04:10 · Score: 2

That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.
1. Re:A world of interconnected devices? by The-Ixian · 2016-03-15 04:17 · Score: 1
  
  If I have to plug a device into the network in order to have beer fetched and poured into my mouth then SO BE IT!
  
  --
  My eyes reflect the stars and a smile lights up my face.
2. Re:A world of interconnected devices? by ScentCone · 2016-03-15 04:41 · Score: 4, Informative
  
  You know what? It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on, or whether there's suddenly water standing on the basement floor, or if the temperature and humidity in the house has suddenly gone way out of bounds. It's really damn nice to be able to fire up that app and get a real-time look at the dog-cam, or to see which cars are at home in the driveway.
  
  I do all of this in my router's DMZ.
  
  It's not about being too lazy to walk into the next room to flip a switch.
  
  --
  Don't disappoint your bird dog. Go to the range.
3. Re:A world of interconnected devices? by Shoten · 2016-03-15 05:58 · Score: 1
  
  That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.
  Think again.
  I'm terrified of this inter-connectivity myself, but the damn devices are showing up everywhere I look. Locks on doors now have this capability. Nespresso's latest machine has an app. I do sous vide cooking...guess what, the latest immersion cooker out there, from Chef-Steps, can ONLY be controlled via a smartphone! I went to buy a new car a year ago...and I couldn't get one that wasn't a crappy econobox that DIDN'T have a network connection over cellular backhaul for telematics.
  There's a twitter account...a very funny one...called "Internet of Shit." It makes fun of the ridiculous ways in which this trend is going completely over the edge. But even if only half of these products get any traction, that represents an incredible degree of added attack surface to our daily lives. And it looks like there is indeed a lot of traction out there. I see things like the outcry when Google changed their calendar API...and suddenly the first-model of Samsung smart fridges couldn't do calendaring properly. Turns out that a lot of people had those fridges, as insane as they seem to be. (I just got an iPad Mini and mounted it in the kitchen...more secure, upgradeable over time, better-managed, more flexible, better-placed, and I believe it was even a lot cheaper.)
  A good way to see if you're in the movement of a trend is to look backwards. 30 years ago, nobody had a computer. 25 years ago, nobody had a network connection. 20 years ago, the lucky few had dialup Internet, and a bunch of people had "Fischer Price networking," (AOL), and while it wasn't essential, everybody knew about it and pretty much everyone wanted it. Now, most people carry a full-time networked computer in their pocket or purse. You can't job-shop effectively without going online, or having an email address. A staggering amount of individual purchasing takes place over networks using embedded devices like phones, and now entertainment is moving away from vertically-integrated institutions like cable companies to multi-vendor solutions like an ISP for data backhaul, Netflix/Pandora/Hulu/YouTube as the content distributor with tablet/phone/home computer/(Roku|AppleTV|FireTV) as the endpoint. I think I see a trend.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
4. Re:A world of interconnected devices? by edtice1559 · 2016-03-15 06:31 · Score: 1
  
  Lights use almost no electricity these days.
5. Re:A world of interconnected devices? by hankwang · 2016-03-15 06:44 · Score: 1
  
  "It IS damn useful to be able to look at an app on my phone while I'm out of the house, (...) I do all of this in my router's DMZ."
  Huh? What does that mean? I hope that you don't mean that all those webcams are in the DMZ, fully exposed to the internet.
  
  --
  Avantslash: low-bandwidth mobile slashdot.
6. Re:A world of interconnected devices? by U2xhc2hkb3QgU3Vja3M · 2016-03-15 06:48 · Score: 1
  
  I'd be okay with read-only things, but I'll never allow connected devices to control things in my home.
7. Re:A world of interconnected devices? by Waffle+Iron · 2016-03-15 07:03 · Score: 2
  
  It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on,
  It's useful for you, and even more damned useful for criminal hackers.
8. Re:A world of interconnected devices? by ScentCone · 2016-03-15 07:34 · Score: 1
  
  No, the cams push images to a private server, and I browse there. In once case (the real-time dog cam), I had to set up a tunnel for the app, as I can't use it over my own VPN rig. This is indeed all in a state of evolution. Ideally, I'd only talk to an externally provisioned server with good security, and it in turn would talk to the house's gadgets over a carefully established VPN.
  
  --
  Don't disappoint your bird dog. Go to the range.
9. Re:A world of interconnected devices? by ScentCone · 2016-03-15 07:39 · Score: 1
  
  Yes, I suppose that they too might find it interesting to know if my basement is flooding.
  
  --
  Don't disappoint your bird dog. Go to the range.
10. Re:A world of interconnected devices? by rthille · 2016-03-15 09:51 · Score: 1
  
  Especially after my honey-pot has led them down there and locked them in.
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
"IOT Security" ?????? WTF !!!! by Anonymous Coward · 2016-03-15 04:11 · Score: 1

If there's one thing that I absolutely *DO NOT* equate with the "Internet of Things" it's security.
All I seem to read about are devices with idiot back doors, default administrator accounts/passwords etc. It's just like the people creating this crap have been asleep for the last 30 years worth of internet hacking.
It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.
1. Re:"IOT Security" ?????? WTF !!!! by PolygamousRanchKid+ · 2016-03-15 05:27 · Score: 1
  
  It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.
  If you do put any of these devices into your home . . . it won't be your home for much longer.
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
2. Re:"IOT Security" ?????? WTF !!!! by MobileTatsu-NJG · 2016-03-15 08:14 · Score: 1
  
  Some asshole put my home on bittorrent!
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
3. Re:"IOT Security" ?????? WTF !!!! by Darinbob · 2016-03-15 08:30 · Score: 1
  
  I work on IoT devices. Security is always a concern. Just because some stupid consumer oriented device does not care about security does not mean that the professionals aren't concerned.
Snapdragon is not a cheap chip by Snotnose · 2016-03-15 04:23 · Score: 1

It's Qualcomm's top of the line chip. I don't know what they sell for but my WAG would be at least $20. Kinda hard to justify spending $20 on a CPU for your IoT device you plan to sell for $100.
1. Re:Snapdragon is not a cheap chip by ChunderDownunder · 2016-03-15 13:03 · Score: 1
  
  Yes, I call bullshit on the IoT angle.
  With all the hype on rPI 3, Qualcomm chooses *not* to compete in the hobbyist market (cheapest Inforce dev board is $126).
From the horses mouth by OzPeter · 2016-03-15 04:28 · Score: 1

The real link is Android Vulnerabilities Allow For Easy Root Access
And from that link:

Using these two exploits, one can gain root access on a Snapdragon-powered Android device.
So the click bait headline is that. Click bait. A more correct headline would mention that it is the combination of Snapdragon and Android.

--
I am Slashdot. Are you Slashdot as well?
Nexus phones recieve monthly updates by Anonymous Coward · 2016-03-15 04:31 · Score: 1

Not sure where the author got his info. Nexus phones still receive monthly security updates directly from Google.
What happens when the clueless do design by Bearhouse · 2016-03-15 04:32 · Score: 2

They really tout the Snapdragon as an IoT device? Well, seems so:
https://developer.qualcomm.com...
I think these people need to realise that either;
(a) Your idiot - sorry "IoT" - device is a simple, locked down fairly "dumb" thing that is secured by design, or
(b) It's a fully-functional computer with a sophisticated OS that presents the same attack surface as a Mac, Windows or Linux box but, unfortunately, without the same knowledge base. i.e. You're going to have to throw serious resources at the thing to make it "secure".
For a device that will retail for a few bucks....
Google struggle to do it for Android; what's the betting that these things will continue to be buggy and insecure as hell?
1. Re:What happens when the clueless do design by Darinbob · 2016-03-15 08:51 · Score: 1
  
  There's probably some trusting of the hardware that gets in the way too. Hardware says they have secure key storage, so you design with the feature in mind. Later on it turns out the key storage isn't so secure. A full OS like Android should presumably not be dependent upon one chip vendor's features. And yet it happens anyway.
awful article by ico2 · 2016-03-15 04:35 · Score: 5, Informative

What a terrible article. For two reasons:

1. Isn't at all clear on what the vulnerability is. It is in fact a bug in the kernel (presumably a device driver for this SoC). I only found this out by reading a different article. This one makes it sound like some sort of problem in the silicon.

2. Isn't news. This vulnerability is already known.

We're all becoming sadly more and more used to articles that try to make a story sound bigger by relating it tenuously to some possible impact (every article about some incremental improvement in battery technology needs 4 paragraphs about electric cars, grid storage and longer battery life for phones), but this really does take the piss by not even attempting to cover the actual story and only going on about the potential impact on IoT security.

Sure, we all need to be aware of the dangers of IoT security (or lack of it), but this is not the way to go about it.
1. Re:awful article by Darinbob · 2016-03-15 08:52 · Score: 1
  
  It's slashdot. We have a periodic timer that goes off to post "Dangers With IoT!" stories. This time it just happens to not be Timothy.
Re:I don't know about you... by Zappy · 2016-03-15 04:48 · Score: 1

Not me, I'm so lonely I need a talking toaster giving me suggestion what to eat...
https://www.youtube.com/watch?...
Hilariously Broken by sdinfoserv · 2016-03-15 05:05 · Score: 1

An article in ARS Techica calls security in IoT hilariously broken and getting worse.

http://arstechnica.com/securit...

Being that people have been claiming nobody is paying attention to IoT security, it reminds me of Clark's first Law
"When a distinguished but elderly scientist states that something is possible, he is almost certainly right."
1. Re:Hilariously Broken by Darinbob · 2016-03-15 09:00 · Score: 1
  
  The problem is that IoT covers a range of product. That web article is a mixture of some truth which is used to create hysteria. It claims that there's a minimum amount of work necessary to create a viable product for the consumer. This is true, but everyone knows about this already. What is happening is that they're looking at the worst of the worst products and claiming that all of IoT is this way. I would never myself use any consumer grade IoT device (except for phones, and I barely tolerate them and do extra configuration to increase privacy). But professional level IoT devices to tend to pay attention to security. When security is a feature that the customer demands then it gets implemented (such as with smart meters where the customer is a utility), but when security isn't even asked about then no one bothers implementing it (home baby monitors bought at the local tech store by hipster parents).
Software vulnerability, not chip vulnerability by shawn2772 · 2016-03-15 05:14 · Score: 4, Informative

The summary isn't very clear about the nature of the problem. The CVE report is a little better. The problem is a bug in the Qualcomm "performance component", which is in a Linux kernel module. So, it's essentially a driver bug, which is nothing remotely new or surprising. The only noteworthy bit here is that it's a bug in a driver that is used on a huge number of devices, many of which aren't easy to update.
The moral of this story is: bugs happen, updates are crucial for security.
1. Re:Software vulnerability, not chip vulnerability by Darinbob · 2016-03-15 09:09 · Score: 1
  
  This is slashdot. There could easily be a worse summary.
Relies on malicious code... by Anonymous Coward · 2016-03-15 05:16 · Score: 1

Unless your IoT device allows you to install malicious software from a third party, this isn't a concern. Basically, if this exploit affects you, you probably brought it upon yourself. Doubly so if it's an IoT device.
Post Title wrong... by rthille · 2016-03-15 09:55 · Score: 1

The post title was interesting, but wrong. The problem isn't with the SoC, but rather the implementation of Android wrt said SoC. Very different...

--
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Huh? by Viol8 · 2016-03-15 21:28 · Score: 1

"ou know what? It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on"
How about you make sure they are before you leave? Just a thought.
"or whether there's suddenly water standing on the basement floor"
Paranoia? Much? And what if there is - what you doing to do , rush back from work or fly back from holiday to sort it out? Too late by then anyway, damage is done.
"or to see which cars are at home in the driveway."
Don't you even know who lives at your house?
You sound like the sort of person who shouldn't be let out unaccompanied frankly.