Skip to main content

Qualcomm patches major chip security flaw

(Image credit: Image Credit: Christiaan Colen / Flickr)

Qualcomm has patched a vulnerability in a few dozen chips which allowed hackers to steal sensitive information from the devices running them. The information included encryption keys and passwords, it was said.

According to the announcement (opens in new tab), the vulnerability which was given the name CVE-2018-11976 means malicious actors could track down passwords stored in a secure area of the chipset known as the Qualcomm Secure Execution Environment (QSEE).

The vulnerable chips can be found in millions of Android-powered devices like smartphone and tablets. Qualcomm has since released a patch, however the Android market is fragmented and each individual manufacturer (for example Samsung, LG or Sony) needs to patch their own devices individually.

That means there's a real risk of millions of Android devices going unprotected.

The tiny caveat with the vulnerability is that it needs root access to the device. The actual device needs to be “rooted”, which in itself is a security-risky move. Researchers argue that this vulnerability means QSEE failed to do its primary task, which is to prevent hackers from fully taking over a device.

Here’s a list of all the chips that were affected: IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.

If you’re using a device with any of these (and chances are, you are), make sure you have the latest Android OS security patch installed.

Image Credit: Christiaan Colen / Flickr

 

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.