(no title)
intsunny | 1 year ago
> It took less than 3 months of research to discover 6 separate bugs in the adsprpc driver, two of which (CVE-2024-49848 and CVE-2024-21455) were not fixed by Qualcomm under the industry standard 90-day deadline. Furthermore, at the time of writing, CVE-2024-49848 remains unfixed 145 days after it was reported. Past research has shown that chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users. A system’s cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024. Improving both the consistency and quality of code and the efficiency of the third-party vendor driver patch dissemination process are crucial next steps in order to increase the difficulty of privilege escalation on Android devices.
Does this mean the vast majority of Android users (who are on Qualcomm chipsets) are vulnerable to these zero day attacks?
Rygian|1 year ago
mschuster91|1 year ago
The problem is multifold:
- RF of any kind is extremely complex
- RF of any kind that is to be certified in virtually all countries on this rock, with providers with infrastructure from 2G shit that never got upgraded since the 90s to hyper-modern OpenRAN is even more complex simply due to all the cert and testing effort required
- making that RF stuff power efficient is the utter end game
- mobile communications standards on their own are a horrid, horrid mess to implement, not made easier by some of the specs being decades old and never intended to coexist in a world where a single device can run 30 gigabit a second...
- patents, so many patents, because of course it's a global standard that a) isn't open and b) everyone and their dog wants to profit off of
- on top of that come legal aspects: not just the certification requirements, but also lawful intercept and stealth ping stuff, or having to secure the device so that enterprising hackers can't readily turn it into an SDR, jammer or sniffer...
[1] https://www.eand.com/en/news/13-may-eand-uae-sets-new-record...
mikaraento|1 year ago
Both on these TPUs as well as on pre-Tensor hardware that had Qualcomm DSPs, Pixels would not allow apps access to the kernel interfaces. Access would be blocked or mediated via a separate service process ('binderized HAL').
(Some) OEMs have repeatedly opened access to these kernel interfaces in order to trade security for performance.
(I used to work on compute offload at Google).
rickdeckard|1 year ago
fidotron|1 year ago
If not these precise ones, related ones yes. Certain chip vendors are notorious for not providing fixes of this kind to the manufacturers to roll out (maybe doing so selectively based on who they're extra special buddies with), if they ever even made them at all before moving on to the next shiny SoC.
The other side of this is Google never met a security problem that isn't solved by further coupling the system to their cloud, especially for updates. Coincidence?
rickdeckard|1 year ago
Never heard that before. Chipset vendors are under maintenance contracts with their customers, so they are actually PAID to provide fixes especially for CVE's. Manufacturers on the other hand have little to no recurring revenue from a device which could finance to implement, test and rollout each patch.
Care to provide a concrete example for your claim?, especially for this "extra special buddies" suggestion which insinuates that a chipset vendor developed a patch and still doesn't provide it to all its customers...?