Menu
Qualcomm-powered Android devices plagued by four rooting flaws

Qualcomm-powered Android devices plagued by four rooting flaws

Qualcomm has released patches for the flaws, but Google included only three of them in its Android security updates so far

Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over.

The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying them as high severity.

Unfortunately, that doesn’t mean that all devices are yet protected. Due to the fragmentation of the Android ecosystem, many devices run older Android versions and no longer receive firmware updates, or they receive the fixes with months-long delays.

Not even Google, which releases security patches for its Nexus line of Android phones and tablets on a monthly basis, has fixed all the flaws.

The vulnerabilities have collectively been dubbed QuadRooter because if exploited, they provide attackers with root privileges -- the highest privileges on a Linux-based system like Android. Individually they’re tracked as CVE-2016-2059, CVE-2016-2503 and CVE-2016-2504 and CVE-2016-5340, and they’re located in various drivers that are provided by Qualcomm to device manufacturers.

Qualcomm released patches for these vulnerabilities to customers and partners between April and July, said Alex Gantman, vice president of engineering for the Qualcomm Product Security Initiative, in an emailed statement.

Meanwhile, Google has distributed only three of these patches so far through its monthly Android security bulletins for Nexus devices. The security updates released by Google are shared with phone manufacturers in advance and are also published to the Android Open Source Project (AOSP).

Devices running Android 6.0 (Marshmallow) with a patch level of Aug. 5 should be protected against the CVE-2016-2059, CVE-2016-2503, and CVE-2016-2504 flaws. Android devices running 4.4.4 (KitKat), 5.0.2 and 5.1.1 (Lollipop) that include the Aug. 5 patches should also have the CVE-2016-2503 and CVE-2016-2504 patches, but would be vulnerable to a version of the CVE-2016-2059 exploit that Google has flagged as low severity due to existing mitigations.

The fourth vulnerability, CVE-2016-5340, remains unpatched by Google, but device manufacturers could obtain the fix for it directly from Qualcomm's Code Aurora open-source project.

"This flaw will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided," a Google representative said via email. Exploiting any of these four vulnerabilities would involve users downloading malicious applications, Google said.

"Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these," the representative added.

It's true that exploiting the flaws can only be done through rogue applications and not directly through remote attack vectors like browsing, email or SMS, but those malicious applications would not require any privileges, according to Check Point.

Check Point's researchers and Google have disagreed about the severity of CVE-2016-2059. While Qualcomm rated the flaw as high severity, Google rated it as low severity because it said it can be mitigated through SELinux.

SELinux is a kernel extension that makes exploitation of certain vulnerabilities much harder by enforcing access controls. The mechanism was used to enforce application sandbox boundaries starting with Android 4.3 (Jelly Bean).

Check Point doesn't agree with Google's assessment that SELinux mitigates this flaw. During Donenfeld's talk at DEF CON, he showed how the CVE-2016-2059 exploit can switch SELinux from enforcing to permissive mode, effectively disabling its protection.

It's hard to identify which devices are vulnerable because some manufacturers might wait for Google to release the missing patch before issuing their own firmware updates, while others might take it directly from Qualcomm. To help identify vulnerable devices, Check Point released a free application called QuadRooter Scanner on Google Play that allows users to check if their devices are affected by any of the four flaws.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags black hat

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments