Qualcomm-powered Android devices plagued by four rooting flaws


Qualcomm has released patches for the flaws, but Google included only three of them in its Android security updates so far

Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over.

The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying them as high severity.

Unfortunately, that doesn’t mean that all devices are yet protected. Due to the fragmentation of the Android ecosystem, many devices run older Android versions and no longer receive firmware updates, or they receive the fixes with months-long delays.

Not even Google, which releases security patches for its Nexus line of Android phones and tablets on a monthly basis, has fixed all the flaws.

The vulnerabilities have collectively been dubbed QuadRooter because, if exploited, they provide attackers with root privileges -- the highest privileges on a Linux-based system like Android. Individually they're tracked as CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340, and they're located in various drivers that Qualcomm provides to device manufacturers.

Qualcomm released patches for these vulnerabilities to customers and partners between April and July, said Alex Gantman, vice president of engineering for the Qualcomm Product Security Initiative, in an emailed statement.

Meanwhile, Google has distributed only three of these patches so far through its monthly Android security bulletins for Nexus devices. The security updates released by Google are shared with phone manufacturers in advance and are also published to the Android Open Source Project (AOSP).

Devices running Android 6.0 (Marshmallow) with a patch level of Aug. 5 should be protected against the CVE-2016-2059, CVE-2016-2503, and CVE-2016-2504 flaws. Android devices running 4.4.4 (KitKat), 5.0.2 and 5.1.1 (Lollipop) that include the Aug. 5 patches should also have the CVE-2016-2503 and CVE-2016-2504 patches, but would be vulnerable to a version of the CVE-2016-2059 exploit that Google has flagged as low severity due to existing mitigations.

The fourth vulnerability, CVE-2016-5340, remains unpatched by Google, but device manufacturers could obtain the fix for it directly from Qualcomm's Code Aurora open-source project.

"This flaw will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided," a Google representative said via email. Exploiting any of these four vulnerabilities would involve users downloading malicious applications, Google said.

"Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these," the representative added.

It's true that exploiting the flaws can only be done through rogue applications and not directly through remote attack vectors like browsing, email or SMS, but those malicious applications would not require any privileges, according to Check Point.

Check Point's researchers and Google have disagreed about the severity of CVE-2016-2059. While Qualcomm rated the flaw as high severity, Google rated it as low severity on the grounds that SELinux mitigates it.

SELinux is a mandatory access control mechanism in the Linux kernel that makes exploitation of certain vulnerabilities much harder by enforcing access control policies. Android has used it to enforce application sandbox boundaries since Android 4.3 (Jelly Bean).

Check Point doesn't agree with Google's assessment that SELinux mitigates this flaw. During Donenfeld's talk at DEF CON, he showed how the CVE-2016-2059 exploit can switch SELinux from enforcing to permissive mode, effectively disabling its protection.
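For device administrators who want to check a fleet against the patch-level rules described above, and verify that SELinux is still enforcing rather than permissive, the following Python script is an added example (not part of the article, and not Check Point's QuadRooter Scanner, which inspects the vulnerable drivers themselves). It parses the output of the real Android commands `getprop` and `getenforce`, using the standard `ro.build.version.release` and `ro.build.version.security_patch` properties; the sample outputs are constructed, and the coverage mapping is taken directly from the Aug. 5 bulletin description in this article. The `ro.build.version.security_patch` property only exists on builds that ship a patch level, so its absence is treated as "no coverage known".

```python
from datetime import date

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-08-05]
[ro.board.platform]: [msm8996]
"""

# Constructed sample of `adb shell getenforce` output.
SAMPLE_GETENFORCE = "Enforcing\n"

QUADROOTER_CVES = ("CVE-2016-2059", "CVE-2016-2503", "CVE-2016-2504", "CVE-2016-5340")
AUG_2016_BULLETIN = date(2016, 8, 5)
# Older releases that, per the article, also received the Aug. 5 patches.
LEGACY_RELEASES = ("4.4.4", "5.0.2", "5.1.1")


def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue
        key, sep, value = line[1:-1].partition("]: [")
        if sep:
            props[key] = value
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD security patch level; None if absent or malformed."""
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except (AttributeError, ValueError):
        return None


def assess_quadrooter(props):
    """Map release + patch level to the QuadRooter CVEs the Aug. 5, 2016 bulletin covers."""
    release = props.get("ro.build.version.release", "")
    patch_level = parse_patch_level(props.get("ro.build.version.security_patch"))
    patched = set()
    notes = []
    if patch_level is None:
        notes.append("no security patch level reported; treating all four as unpatched")
    elif patch_level >= AUG_2016_BULLETIN:
        if release.startswith("6."):
            # Marshmallow with Aug. 5 patches: 2059, 2503, 2504 fixed.
            patched.update(QUADROOTER_CVES[:3])
        elif release in LEGACY_RELEASES:
            # KitKat/Lollipop with Aug. 5 patches: only 2503 and 2504 fixed.
            patched.update(QUADROOTER_CVES[1:3])
            notes.append("CVE-2016-2059: low-severity variant remains on 4.4.4/5.0.2/5.1.1")
        else:
            notes.append("release not described by the bulletin; assuming no coverage")
    else:
        notes.append("patch level predates 2016-08-05")
    if "CVE-2016-5340" not in patched:
        notes.append("CVE-2016-5340: not in any Google bulletin yet; fix comes from Qualcomm/Code Aurora")
    unpatched = [cve for cve in QUADROOTER_CVES if cve not in patched]
    return {"patched": sorted(patched), "unpatched": unpatched, "notes": notes}


def selinux_enforcing(getenforce_output):
    """True only if getenforce reports Enforcing; Permissive means the sandbox boundary is off."""
    return getenforce_output.strip().lower() == "enforcing"


if __name__ == "__main__":
    result = assess_quadrooter(parse_getprop(SAMPLE_GETPROP))
    print("patched:  ", result["patched"])
    print("unpatched:", result["unpatched"])
    for note in result["notes"]:
        print("note:     ", note)
    print("SELinux enforcing:", selinux_enforcing(SAMPLE_GETENFORCE))
```

In practice the two inputs come from `adb shell getprop` and `adb shell getenforce` on each device; a device that reports `Permissive` should be treated as having lost the mitigation Google relies on for CVE-2016-2059, regardless of its patch level.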

It's hard to identify which devices are vulnerable because some manufacturers might wait for Google to release the missing patch before issuing their own firmware updates, while others might take it directly from Qualcomm. To help identify vulnerable devices, Check Point released a free application called QuadRooter Scanner on Google Play that allows users to check if their devices are affected by any of the four flaws.
