Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security Software

Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security (betanews.com) 57

Reader Mark Wilson writes: One of the greatest concerns surrounding the growth of the Internet of Things (IoT) is its security, and it seems that some people's worst fears have just been realized. Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC (system on a chip) devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices. The vulnerability makes it possible for an attacker to gain root access to the hardware, and this is worrying in a world of inter-connected devices. In the interests of trying to contain the problem, Trend Micro has not revealed full details of the vulnerability but is using the issue to highlight a serious problem not just for handset owners but also for adopters of the IoT.
This discussion has been archived. No new comments can be posted.

Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security

Comments Filter:
  • Completely Wrong (Score:4, Informative)

    by Anonymous Coward on Tuesday March 15, 2016 @12:04PM (#51700671)

    Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates

    manishs, WTF is wrong with you. Didn't you even read the submission? This is outright wrong.

    • by AmiMoJo ( 196126 )

      Indeed, all mentioned devices are still getting both OS updates and updates via Play that can mitigate this vulnerability.

    • It's not just that, I was clickbaited into reading the article and its linked article and another linked article trying to track down what a vuln in a "Qualcomm Snapdragon SoC" is, when it has nothing to do with the Snapdragon, it's just some Android vulns. The same software could be running on a 6502 and it'd have the problem. Conversely, a Snapdragon running anything other than the appropriate version of Android is fine.

      So "Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security" should real

  • by The-Ixian ( 168184 ) on Tuesday March 15, 2016 @12:10PM (#51700697)

    IoT devices may end up creating vulnerabilities in your otherwise secure network?

    Say it ain't so...

    • Those chips are for phones, most IoT devices don't use anything that large and high power. Although phones themselves are technically "IoT" devices.

  • by Viol8 ( 599362 ) on Tuesday March 15, 2016 @12:10PM (#51700699) Homepage

    That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.

    • If I have to plug a device into the network in order to have beer fetched and poured into my mouth then SO BE IT!

    • by Shoten ( 260439 )

      That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.

      Think again.

      I'm terrified of this inter-connectivity myself, but the damn devices are showing up everywhere I look. Locks on doors now have this capability. Nespresso's latest machine has an app. I do sous vide cooking...guess what, the latest immersion cooker out there, from Chef-Steps, can ONLY be controlled via a smartphone! I went to buy a new car a year ago...and I couldn't get one that wasn't a crappy econobox that DIDN'T have a network connection over cellular backhaul for telematics.

      There's a tw

  • by Anonymous Coward

    If there's one thing that I absolutely *DO NOT* equate with the "Internet of Things" it's security.

    All I seem to read about are devices with idiot back doors, default administrator accounts/passwords etc. It's just like the people creating this crap have been asleep for the last 30 years worth of internet hacking.

    It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.

    • It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.

      If you do put any of these devices into your home . . . it won't be your home for much longer.

    • I work on IoT devices. Security is always a concern. Just because some stupid consumer oriented device does not care about security does not mean that the professionals aren't concerned.

  • It's Qualcomm's top of the line chip. I don't know what they sell for but my WAG would be at least $20. Kinda hard to justify spending $20 on a CPU for your IoT device you plan to sell for $100.
    • Yes, I call bullshit on the IoT angle.

      With all the hype on rPI 3, Qualcomm chooses *not* to compete in the hobbyist market (cheapest Inforce dev board is $126).

  • The real link is Android Vulnerabilities Allow For Easy Root Access [trendmicro.com]

    And from that link:

    Using these two exploits, one can gain root access on a Snapdragon-powered Android device.

    So the click bait headline is that. Click bait. A more correct headline would mention that it is the combination of Snapdragon and Android.

  • by Anonymous Coward

    Not sure where the author got his info. Nexus phones still receive monthly security updates directly from Google.

  • by Bearhouse ( 1034238 ) on Tuesday March 15, 2016 @12:32PM (#51700857)

    They really tout the Snapdragon as an IoT device? Well, seems so:

    https://developer.qualcomm.com... [qualcomm.com]

    I think these people need to realise that either;

    (a) Your idiot - sorry "IoT" - device is a simple, locked down fairly "dumb" thing that is secured by design, or
    (b) It's a fully-functional computer with a sophisticated OS that presents the same attack surface as a Mac, Windows or Linux box but, unfortunately, without the same knowledge base. i.e. You're going to have to throw serious resources at the thing to make it "secure".
    For a device that will retail for a few bucks....
    Google struggle to do it for Android; what's the betting that these things will continue to be buggy and insecure as hell?

    • There's probably some trusting of the hardware that gets in the way too. Hardware says they have secure key storage, so you design with the feature in mind. Later on it turns out the key storage isn't so secure. A full OS like Android should presumably not be dependent upon one chip vendor's features. And yet it happens anyway.

  • awful article (Score:5, Informative)

    by ico2 ( 817589 ) <ico2ico2 AT gmail DOT com> on Tuesday March 15, 2016 @12:35PM (#51700881)
    What a terrible article. For two reasons:

    1. Isn't at all clear on what the vulnerability is. It is in fact a bug in the kernel (presumably a device driver for this SoC). I only found this out by reading a different article. This one makes it sound like some sort of problem in the silicon.

    2. Isn't news. This vulnerability is already known.

    We're all becoming sadly more and more used to articles that try to make a story sound bigger by relating it tenuously to some possible impact (every article about some incremental improvement in battery technology needs 4 paragraphs about electric cars, grid storage and longer battery life for phones), but this really does take the piss by not even attempting to cover the actual story and only going on about the potential impact on IoT security.

    Sure, we all need to be aware of the dangers of IoT security (or lack of it), but this is not the way to go about it.
    • It's slashdot. We have a periodic timer that goes off to post "Dangers With IoT!" stories. This time it just happens to not be Timothy.

  • An article in ARS Techica calls security in IoT hilariously broken and getting worse.

    http://arstechnica.com/securit... [arstechnica.com]

    Being that people have been claiming nobody is paying attention to IoT security, it reminds me of Clark's first Law
    "When a distinguished but elderly scientist states that something is possible, he is almost certainly right."
    • The problem is that IoT covers a range of product. That web article is a mixture of some truth which is used to create hysteria. It claims that there's a minimum amount of work necessary to create a viable product for the consumer. This is true, but everyone knows about this already. What is happening is that they're looking at the worst of the worst products and claiming that all of IoT is this way. I would never myself use any consumer grade IoT device (except for phones, and I barely tolerate them a

  • by Shawn Willden ( 2914343 ) on Tuesday March 15, 2016 @01:14PM (#51701207)

    The summary isn't very clear about the nature of the problem. The CVE report [nist.gov] is a little better. The problem is a bug in the Qualcomm "performance component", which is in a Linux kernel module. So, it's essentially a driver bug, which is nothing remotely new or surprising. The only noteworthy bit here is that it's a bug in a driver that is used on a huge number of devices, many of which aren't easy to update.

    The moral of this story is: bugs happen, updates are crucial for security.

  • by Anonymous Coward

    Unless your IoT device allows you to install malicious software from a third party, this isn't a concern. Basically, if this exploit affects you, you probably brought it upon yourself. Doubly so if it's an IoT device.

  • The post title was interesting, but wrong. The problem isn't with the SoC, but rather the implementation of Android wrt said SoC. Very different...

If you are smart enough to know that you're not smart enough to be an Engineer, then you're in Business.

Working...