Slashdot Mirror


Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security (betanews.com)

Reader Mark Wilson writes: One of the greatest concerns surrounding the growth of the Internet of Things (IoT) is its security, and it seems that some people's worst fears have just been realized. Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC (system on a chip) devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices. The vulnerability makes it possible for an attacker to gain root access to the hardware, and this is worrying in a world of inter-connected devices. In the interests of trying to contain the problem, Trend Micro has not revealed full details of the vulnerability but is using the issue to highlight a serious problem not just for handset owners but also for adopters of the IoT.

  1. Completely Wrong by Anonymous Coward · · Score: 4, Informative

    Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates

    manishs, WTF is wrong with you. Didn't you even read the submission? This is outright wrong.

    1. Re:Completely Wrong by AmiMoJo · · Score: 2

      Indeed, all mentioned devices are still getting both OS updates and updates via Play that can mitigate this vulnerability.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. So what you are saying is by The-Ixian · · Score: 2

    IoT devices may end up creating vulnerabilities in your otherwise secure network?

    Say it ain't so...

    --
    My eyes reflect the stars and a smile lights up my face.
  3. A world of interconnected devices? by Viol8 · · Score: 2

    That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.

    1. Re:A world of interconnected devices? by ScentCone · · Score: 4, Informative

      You know what? It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on, or whether there's suddenly water standing on the basement floor, or if the temperature and humidity in the house have suddenly gone way out of bounds. It's really damn nice to be able to fire up that app and get a real-time look at the dog-cam, or to see which cars are at home in the driveway.

      I do all of this in my router's DMZ.

      It's not about being too lazy to walk into the next room to flip a switch.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re:A world of interconnected devices? by Waffle+Iron · · Score: 2

      It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on,

      It's useful for you, and even more damned useful for criminal hackers.

  4. What happens when the clueless do design by Bearhouse · · Score: 2

    They really tout the Snapdragon as an IoT device? Well, seems so:

    https://developer.qualcomm.com...

    I think these people need to realise that either:

    (a) Your idiot - sorry "IoT" - device is a simple, locked down fairly "dumb" thing that is secured by design, or
    (b) It's a fully-functional computer with a sophisticated OS that presents the same attack surface as a Mac, Windows or Linux box but, unfortunately, without the same knowledge base. i.e. You're going to have to throw serious resources at the thing to make it "secure".
    For a device that will retail for a few bucks....
    Google struggle to do it for Android; what's the betting that these things will continue to be buggy and insecure as hell?

  5. awful article by ico2 · · Score: 5, Informative

    What a terrible article. For two reasons:

    1. Isn't at all clear on what the vulnerability is. It is in fact a bug in the kernel (presumably a device driver for this SoC). I only found this out by reading a different article. This one makes it sound like some sort of problem in the silicon.

    2. Isn't news. This vulnerability is already known.

    We're all becoming sadly more and more used to articles that try to make a story sound bigger by relating it tenuously to some possible impact (every article about some incremental improvement in battery technology needs 4 paragraphs about electric cars, grid storage and longer battery life for phones), but this really does take the piss by not even attempting to cover the actual story and only going on about the potential impact on IoT security.

    Sure, we all need to be aware of the dangers of IoT security (or lack of it), but this is not the way to go about it.

  6. Software vulnerability, not chip vulnerability by shawn2772 · · Score: 4, Informative

    The summary isn't very clear about the nature of the problem. The CVE report is a little better. The problem is a bug in the Qualcomm "performance component", which is in a Linux kernel module. So, it's essentially a driver bug, which is nothing remotely new or surprising. The only noteworthy bit here is that it's a bug in a driver that is used on a huge number of devices, many of which aren't easy to update.

    The moral of this story is: bugs happen, updates are crucial for security.