Qualcomm-powered Android devices plagued by four rooting flaws

Qualcomm has released patches for the flaws, but Google included only three of them in its Android security updates so far

Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over.

The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying them as high severity.

Unfortunately, that doesn’t mean that all devices are yet protected. Due to the fragmentation of the Android ecosystem, many devices run older Android versions and no longer receive firmware updates, or they receive the fixes with months-long delays.

Not even Google, which releases security patches for its Nexus line of Android phones and tablets on a monthly basis, has fixed all the flaws.

The vulnerabilities have collectively been dubbed QuadRooter because, if exploited, they provide attackers with root privileges -- the highest privileges on a Linux-based system like Android. Individually they're tracked as CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340, and they're located in various drivers that Qualcomm provides to device manufacturers.

Qualcomm released patches for these vulnerabilities to customers and partners between April and July, said Alex Gantman, vice president of engineering for the Qualcomm Product Security Initiative, in an emailed statement.

Meanwhile, Google has distributed only three of these patches so far through its monthly Android security bulletins for Nexus devices. The security updates released by Google are shared with phone manufacturers in advance and are also published to the Android Open Source Project (AOSP).

Devices running Android 6.0 (Marshmallow) with a patch level of Aug. 5 should be protected against the CVE-2016-2059, CVE-2016-2503, and CVE-2016-2504 flaws. Android devices running 4.4.4 (KitKat), 5.0.2 and 5.1.1 (Lollipop) that include the Aug. 5 patches should also have the CVE-2016-2503 and CVE-2016-2504 patches, but would be vulnerable to a version of the CVE-2016-2059 exploit that Google has flagged as low severity due to existing mitigations.

The fourth vulnerability, CVE-2016-5340, remains unpatched by Google, but device manufacturers could obtain the fix for it directly from Qualcomm's Code Aurora open-source project.
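To turn the patch-status rules in the three paragraphs above into something a fleet administrator can check, here is an added shell example (not code from the article, Check Point, Google or Qualcomm) that maps a device's Android release and security patch level to the per-CVE status the article describes. The property names are standard Android `getprop` keys; the function names and status wording are my own.

```shell
#!/bin/sh
# Added example: report QuadRooter patch status per the Aug. 5, 2016 bulletin.
# On a real device the inputs come from:
#   adb shell getprop ro.build.version.release         (e.g. 6.0, 5.1.1)
#   adb shell getprop ro.build.version.security_patch  (e.g. 2016-08-05)
#   adb shell getenforce                               (Enforcing/Permissive)

# quadrooter_status RELEASE PATCH_LEVEL
# Prints one "CVE status" line per flaw; returns the number of flaws still
# open to an unprivileged app on that build (0 would mean fully patched).
quadrooter_status() {
    release="$1"; patch="$2"
    # YYYY-MM-DD compares correctly as an integer once the dashes are dropped.
    # An empty value (pre-6.0 builds never set the property) counts as unpatched.
    p=$(printf '%s' "$patch" | tr -d -)
    if [ "${p:-0}" -lt 20160805 ]; then
        for c in 2059 2503 2504 5340; do echo "CVE-2016-$c unpatched"; done
        return 4
    fi
    open=1   # CVE-2016-5340 has no Google patch yet on any release
    echo "CVE-2016-5340 unpatched (fix only in Qualcomm's Code Aurora project)"
    echo "CVE-2016-2503 fixed"
    echo "CVE-2016-2504 fixed"
    case "$release" in
        6.*)
            echo "CVE-2016-2059 fixed" ;;
        4.4.4|5.0.2|5.1.1)
            # Bulletin ships only the low-severity variant fix for these releases
            echo "CVE-2016-2059 unpatched (Google-rated low severity, relies on SELinux)"
            open=$((open + 1)) ;;
        *)
            # Release not covered by the bulletin text: treat conservatively as open
            echo "CVE-2016-2059 unknown (release not covered by the bulletin)"
            open=$((open + 1)) ;;
    esac
    return "$open"
}

# selinux_enforcing GETENFORCE_OUTPUT
# Google's mitigation argument for CVE-2016-2059 only applies when SELinux is
# actually enforcing; returns 0 only in that case.
selinux_enforcing() {
    [ "$1" = "Enforcing" ]
}
```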

"This flaw will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided," a Google representative said via email. Exploiting any of these four vulnerabilities would involve users downloading malicious applications, Google said.

"Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these," the representative added.

It's true that exploiting the flaws can only be done through rogue applications and not directly through remote attack vectors like browsing, email or SMS, but those malicious applications would not require any privileges, according to Check Point.

Check Point's researchers and Google have disagreed about the severity of CVE-2016-2059. While Qualcomm rated the flaw as high severity, Google rated it as low severity because it said it can be mitigated through SELinux.

SELinux is a kernel security module that enforces mandatory access controls, making exploitation of certain vulnerabilities much harder. The mechanism has been used to enforce application sandbox boundaries since Android 4.3 (Jelly Bean).

Check Point doesn't agree with Google's assessment that SELinux mitigates this flaw. During Donenfeld's talk at DEF CON, he showed how the CVE-2016-2059 exploit can switch SELinux from enforcing to permissive mode, effectively disabling its protection.

It's hard to identify which devices are vulnerable because some manufacturers might wait for Google to release the missing patch before issuing their own firmware updates, while others might take it directly from Qualcomm. To help identify vulnerable devices, Check Point released a free application called QuadRooter Scanner on Google Play that allows users to check if their devices are affected by any of the four flaws.

Stories by Lucian Constantin