A flaw in chipsets provided by Qualcomm exposes users’ personal and sensitive information to possible attackers, a new study has found.
Researchers at Check Point Research discovered the flaw in Qualcomm’s chipsets. Specifically, it exists in Qualcomm’s Secure Execution Environment (QSEE), an implementation of a Trusted Execution Environment (TEE) based on ARM TrustZone technology.
Qualcomm Secure World, or QSEE, is supposed to be a secure area in the chipset that stores the most sensitive data on a device. It is a hardware-protected area, and information such as encryption keys, passwords, account information, and credit card and other payment credentials can be found in this part of the chipset.
In their research, Check Point tested trusted Qualcomm code on LG, Motorola and Samsung smartphones using a tool they built specifically for the purpose. The tests revealed vulnerabilities that hackers can exploit to gain access to the personal and sensitive information users keep on their devices.
With this flaw, a successful attacker would be able to access an infiltrated device and run trusted apps in the Normal World (the core Android operating system), load a patched trusted app into the Secure World, and bypass Qualcomm’s Chain of Trust, among other things.
Simply put, security and safety are indeed at risk.
Qualcomm, however, responded that this is old news and the flaw has been dealt with already in past updates.
“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told The Inquirer. “The vulnerabilities publicized by Check Point have been patched, one in early October 2019 and the other in November 2014. We have seen no reports of active exploitation, though we encourage end-users to update their devices with patches available from OEMs.”
Users must still make sure that the fix has been applied to their devices. To do that, they simply need to make sure that the device is running the latest firmware version and has all of the latest security patches installed.