Home
Mobiles
Mobiles News
Qualcomm Patches Critical Security Flaw That Affects 46 Chipsets, but Millions of Devices Still Vulnerable

Qualcomm Patches Critical Security Flaw That Affects 46 Chipsets, but Millions of Devices Still Vulnerable

By Harpreet Singh | Updated: 26 April 2019 17:16 IST

Qualcomm has issued firmware patches earlier this month, but millions of devices are still vulnerable

Highlights

Qualcomm's chipsets had a security vulnerability which has been patched
46 Qualcomm chipsets were affected due to the security flaw
Android April 2019 security update includes a fix for the flaw

Qualcomm chipsets are used in a wide range of smartphones, tablets, and other devices. The company's chipsets power millions of devices across the world. But even the most powerful chipsets can be prone to flaws. A new vulnerability has been discovered in Qualcomm's chipsets that could allow an attacker to gain root access on the device. The flaw affects 46 Qualcomm chipsets which are currently used in several smartphones, tablets, laptops, and smartwatches.

The security bug (CVE-2018-11976) can enable an attacker to gain access to private data and even encryption keys stored in the Qualcomm Secure Execution Environment (QSEE). Qualcomm has patched the flaw earlier this month, tagging it as 'critical'.

The flaw was first discovered in March last year by Keegan Ryan, a security researcher with NCC Group, as reported by ZDNet. Ryan has also published a white paper, explaining the flaw. He claims he was able to grab private security keys using a rooted Nexus 5X smartphone.

Google has added the fix as a part of its April 2019 security patches, but Android manufacturers are known to be lazy about pushing security patches to its consumers. This means a large number of Android devices using these Qualcomm chipsets are still prone to the security vulnerability.

The Qualcomm Security Executive Environment (QSEE) offers a safe environment to process critical data including private encryption keys and passwords. Only the app that stored the data in QSEE can access it, preventing malicious apps from accessing the sensitive data.

QSEE was created to prevent anyone from gaining complete access to a device, but the latest security flaw defeats that purpose entirely. To exploit the vulnerability, an attacker needs root access on a device which isn't quite impossible.

The flaw affects popular Qualcomm chips used on smartphones such as: Snapdragon 200 series, Snapdragon 400 series, Snapdragon 625, Snapdragon 660, Snapdragon 670, Snapdragon 710, Snapdragon 820, Snapdragon 835, and Snapdragon 845. Qualcomm has listed all the affected chipsets in its security bulletin.

Ryan said he has notified Qualcomm about the flaw last year. Earlier this month, Qualcomm had patched the vulnerability and it's now up to device manufacturers to quickly deploy Google's Android April 2019 security update.

In case you own a device that uses any of these 46 affected Qualcomm chips, make sure you upgrade to the Android April 2019 security patch as soon as it's made available by your phone's manufacturer.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Qualcomm, Snapdragon, Android

Harpreet Singh

Email Harpreet

Harpreet is the community manager at Gadgets 360. He loves all things tech, and can be found hunting for good deals when he is not shopping online. He has written about deals and e-commerce in India for many years, as well as covering social media and breaking technology news. More