Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security (betanews.com)
Reader Mark Wilson writes: One of the greatest concerns surrounding the growth of the Internet of Things (IoT) is its security, and it seems that some people's worst fears have just been realized. Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC (system on a chip) devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices. The vulnerability makes it possible for an attacker to gain root access to the hardware, and this is worrying in a world of inter-connected devices. In the interests of trying to contain the problem, Trend Micro has not revealed full details of the vulnerability but is using the issue to highlight a serious problem not just for handset owners but also for adopters of the IoT.
Completely Wrong (Score:4, Informative)
Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates
manishs, WTF is wrong with you. Didn't you even read the submission? This is outright wrong.
Re: (Score:3)
Indeed, all mentioned devices are still getting both OS updates and updates via Play that can mitigate this vulnerability.
Re: (Score:2)
It's not just that, I was clickbaited into reading the article and its linked article and another linked article trying to track down what a vuln in a "Qualcomm Snapdragon SoC" is, when it has nothing to do with the Snapdragon, it's just some Android vulns. The same software could be running on a 6502 and it'd have the problem. Conversely, a Snapdragon running anything other than the appropriate version of Android is fine.
So "Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security" should real
So what you are saying is (Score:3)
IoT devices may end up creating vulnerabilities in your otherwise secure network?
Say it ain't so...
Re: (Score:2)
Those chips are for phones, most IoT devices don't use anything that large and high power. Although phones themselves are technically "IoT" devices.
A world of interconnected devices? (Score:3)
That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.
Re: (Score:2)
If I have to plug a device into the network in order to have beer fetched and poured into my mouth then SO BE IT!
Re:A world of interconnected devices? (Score:5, Informative)
I do all of this in my router's DMZ.
It's not about being too lazy to walk into the next room to flip a switch.
Re: (Score:2)
"It IS damn useful to be able to look at an app on my phone while I'm out of the house, (...) I do all of this in my router's DMZ."
Huh? What does that mean? I hope that you don't mean that all those webcams are in the DMZ, fully exposed to the internet.
Re: (Score:2)
I'd be okay with read-only things, but I'll never allow connected devices to control things in my home.
Re: (Score:3)
It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on,
It's useful for you, and even more damned useful for criminal hackers.
Re: (Score:2)
Especially after my honey-pot has led them down there and locked them in.
Huh? (Score:2)
"You know what? It IS damn useful to be able to look at an app on my phone while I'm out of the house, and see whether or not the doors are locked, or the outside motion-sensor lights are on"
How about you make sure they are before you leave? Just a thought.
"or whether there's suddenly water standing on the basement floor"
Paranoia? Much? And what if there is - what are you going to do, rush back from work or fly back from holiday to sort it out? Too late by then anyway, damage is done.
"or to see which cars are a
Re: (Score:2)
That only exists in the masturbatory fantasies of various techno-evangelist startups and large corps trying to cash in on a fad. In the real world I doubt many people want their white goods networked, or their home heating or their kettle or clothes or any of 101 other everyday objects that function perfectly well standalone and have no reason to be networked or even computerised. But where there's a sucker there's money to be made and the techno sharks are circling.
Think again.
I'm terrified of this inter-connectivity myself, but the damn devices are showing up everywhere I look. Locks on doors now have this capability. Nespresso's latest machine has an app. I do sous vide cooking...guess what, the latest immersion cooker out there, from Chef-Steps, can ONLY be controlled via a smartphone! I went to buy a new car a year ago...and I couldn't get one that wasn't a crappy econobox that DIDN'T have a network connection over cellular backhaul for telematics.
There's a tw
"IOT Security" ?????? WTF !!!! (Score:1)
If there's one thing that I absolutely *DO NOT* equate with the "Internet of Things" it's security.
All I seem to read about are devices with idiot back doors, default administrator accounts/passwords etc. It's just like the people creating this crap have been asleep for the last 30 years' worth of internet hacking.
It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.
Re: (Score:2)
It's all rather sad really as there's no way in hell I'm putting any of these devices into my home.
If you do put any of these devices into your home . . . it won't be your home for much longer.
Re: (Score:2)
Some asshole put my home on bittorrent!
Re: (Score:2)
I work on IoT devices. Security is always a concern. Just because some stupid consumer-oriented device does not care about security does not mean that the professionals aren't concerned.
Snapdragon is not a cheap chip (Score:2)
Re: (Score:2)
Yes, I call bullshit on the IoT angle.
With all the hype on rPI 3, Qualcomm chooses *not* to compete in the hobbyist market (cheapest Inforce dev board is $126).
From the horse's mouth (Score:2)
The real link is Android Vulnerabilities Allow For Easy Root Access [trendmicro.com]
And from that link:
Using these two exploits, one can gain root access on a Snapdragon-powered Android device.
So the click bait headline is that. Click bait. A more correct headline would mention that it is the combination of Snapdragon and Android.
Nexus phones receive monthly updates (Score:1)
Not sure where the author got his info. Nexus phones still receive monthly security updates directly from Google.
What happens when the clueless do design (Score:3)
They really tout the Snapdragon as an IoT device? Well, seems so:
https://developer.qualcomm.com... [qualcomm.com]
I think these people need to realise that either;
(a) Your idiot - sorry "IoT" - device is a simple, locked down fairly "dumb" thing that is secured by design, or
(b) It's a fully-functional computer with a sophisticated OS that presents the same attack surface as a Mac, Windows or Linux box but, unfortunately, without the same knowledge base. i.e. You're going to have to throw serious resources at the thing to make it "secure".
For a device that will retail for a few bucks....
Google struggle to do it for Android; what's the betting that these things will continue to be buggy and insecure as hell?
Re: (Score:2)
There's probably some trusting of the hardware that gets in the way too. Hardware says they have secure key storage, so you design with the feature in mind. Later on it turns out the key storage isn't so secure. A full OS like Android should presumably not be dependent upon one chip vendor's features. And yet it happens anyway.
awful article (Score:5, Informative)
1. Isn't at all clear on what the vulnerability is. It is in fact a bug in the kernel (presumably a device driver for this SoC). I only found this out by reading a different article. This one makes it sound like some sort of problem in the silicon.
2. Isn't news. This vulnerability is already known.
We're all becoming sadly more and more used to articles that try to make a story sound bigger by relating it tenuously to some possible impact (every article about some incremental improvement in battery technology needs 4 paragraphs about electric cars, grid storage and longer battery life for phones), but this really does take the piss by not even attempting to cover the actual story and only going on about the potential impact on IoT security.
Sure, we all need to be aware of the dangers of IoT security (or lack of it), but this is not the way to go about it.
Re: (Score:2)
It's slashdot. We have a periodic timer that goes off to post "Dangers With IoT!" stories. This time it just happens to not be Timothy.
Re: (Score:2)
Not me, I'm so lonely I need a talking toaster giving me suggestions on what to eat...
https://www.youtube.com/watch?... [youtube.com]
Hilariously Broken (Score:2)
http://arstechnica.com/securit... [arstechnica.com]
Being that people have been claiming nobody is paying attention to IoT security, it reminds me of Clarke's First Law
"When a distinguished but elderly scientist states that something is possible, he is almost certainly right."
Re: (Score:2)
The problem is that IoT covers a range of products. That web article is a mixture of some truth which is used to create hysteria. It claims that there's a minimum amount of work necessary to create a viable product for the consumer. This is true, but everyone knows about this already. What is happening is that they're looking at the worst of the worst products and claiming that all of IoT is this way. I would never myself use any consumer grade IoT device (except for phones, and I barely tolerate them a
Software vulnerability, not chip vulnerability (Score:5, Informative)
The summary isn't very clear about the nature of the problem. The CVE report [nist.gov] is a little better. The problem is a bug in the Qualcomm "performance component", which is in a Linux kernel module. So, it's essentially a driver bug, which is nothing remotely new or surprising. The only noteworthy bit here is that it's a bug in a driver that is used on a huge number of devices, many of which aren't easy to update.
The moral of this story is: bugs happen, updates are crucial for security.
Re: (Score:2)
This is slashdot. There could easily be a worse summary.
Relies on malicious code... (Score:1)
Unless your IoT device allows you to install malicious software from a third party, this isn't a concern. Basically, if this exploit affects you, you probably brought it upon yourself. Doubly so if it's an IoT device.
Post Title wrong... (Score:2)
The post title was interesting, but wrong. The problem isn't with the SoC, but rather the implementation of Android wrt said SoC. Very different...