Android vulnerabilities evoke the same feelings as a massive data breach: an all-to-common occurrence that I might find myself part of. At least with a massive data breach I have an opportunity to cut my accounts off and cauterize the data-wound. With the latest Android bug — QuadRoot — this simply isn’t an option.
This is in no small part due to the fact the vulnerability doesn’t entirely lie with Android. No, your device has been potentially compromised by American hardware manufacturing giant Qualcomm, and their esteemed popularity as the powerhouse of choice for the myriad Android devices around the world.
This bug is slightly different to the norm. Where Android bugs usually affect a single, or small number of manufacturers using a specific set of hardware, QuadRoot is estimated to affect some 900 million Android users around the globe. That’s you, and I, and everyone you’ve ever loved.
Let’s look at what QuadRoot is, what it means for you, and just what on earth anyone is actually doing to fix it.
QuadRoot Is Big
“QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.”
They list the four security vulnerabilities as:
- CVE-2016-2503 discovered in Qualcomm’s GPU driver and fixed in Google’s Android Security Bulletin for July 2016.
- CVE-2016-2504 found in Qualcomm GPU driver and fixed in Google’s Android Security Bulletin for August 2016.
- CVE-2016-2059 found in Qualcomm kernel module and fixed in April, though patch status is unknown.
- CVE-2016-5340 presented in Qualcomm GPU driver and fixed, but patch status unknown.
Is My Device Vulnerable?
As Qualcomm is the world’s leading designer and manufacturer of LTE (Long Term Evolution) chipsets, commanding around 65% of the LTE baseband modem market, there is a significant chance that your device will be exposed. You can check if your device is vulnerable by using the QuadRooter Scanner, developed and published by Check Point (the guys who found the vulnerability). I have a OnePlus One:
Sad times for me, indeed.
@oneplus when do you anticipate patches being released for the severe Quadroot vulnerability?
— Gazing Cyber (@gazingcyber) August 8, 2016
Am I Likely To Be Exploited?
Check Point advise that it is relatively easy to expose a device with any one of these vulnerabilities.
“An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.”
This isn’t a flaw that has been introduced by a firmware update. The vulnerability was present when your device shipped. The flaw, found in software drivers which control communication between chipset components, can realistically only be fixed by the device manufacturer through an OTA update.
Unlike last year’s Stagefright bug, QuadRoot actually requires the installation of a malicious app, likely after enabling app installations from “Unknown Sources.” As well as this, and as Google have pointed out in their statement (which you can read in the following section), Android’s “Verify App” feature is designed to protect against this exact type of vulnerability. This feature arrived with Android 4.2 Jelly Bean, and given that well over 90% of all Android devices are now running this version or later, and that this bug only affects the aforementioned chipset – I think everything will be okay.
What’s Happens Now?
Being a professional security research company, Check Point informed Qualcomm of the vulnerability months ago. As such, they have already manufacturer a chipset patch that has been rolled out to your device manufacturer. The ball now lies firmly in their court.
— Srikanth Akula (@srikie21) August 9, 2016
A number of popular device manufacturers have already taken steps to reassure their user-base. In one case, the fix has already rolled out. Here are some of the major manufacturers, and their current status.
Google has moved swiftly to protect its users.
“Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided.”
As the core developers behind Android, Google were also keen to highlight the other security measures already in place for Android devices.
“Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these.”
Popular Devices: Nexus 5X, Nexus 6, Nexus 6P
As I mentioned above, one manufacturer had already rolled the fix out to it users. Kudos and praises be heaped upon handset manufacturing stalwarts, Blackberry.
“Three of the four vulnerabilities have already been fixed on PRIV devices with the August Marshmallow patch and on all DTEK50 devices. In addition, the secure boot chain present in all BlackBerry devices naturally mitigates the remaining issue. We’re not aware of any exploits for this vulnerability in the wild and we don’t think any customers are currently at risk from this issue.”
Popular Device: Blackberry Priv
Sony is working toward making the patches available for their Qualcomm devices.
“Sony Mobile takes the security and privacy of customer data very seriously. We are aware of the ‘QuadRooter’ vulnerability, and are working to make the security patches available within normal and regular software maintenance, both directly to open-market devices and via our carrier partners, so timings can vary by region and/or operator.”
Popular Device: Sony Xperia Z Ultra
Motorola are another manufacturer able to provide good news.
“Recently a potential security vulnerability, Quadrooter was discovered in certain Android devices. This potential vulnerability can only be exploited if a user disables the built in Android security measure and downloads a malicious application. For more information on how to ensure this is disabled, this link is helpful for consumers.”
Popular Device: Moto X
HTC have been somewhat quiet regarding QuadRoot, considering at least two of their devices are at risk of exposure.
“HTC takes customer security very seriously. We are aware of these reports and are investigating them.”
Popular Devices: HTC 10, HTC One M9
OnePlus has made contingency plans to include the QuadRoot update in its next patch.
“Security is a top priority for OnePlus. The relevant security patches will be included in the next OTAs (Over The Air updates) for all OnePlus devices.”
There has been no official statement from Samsung as yet.
Popular Devices: Galaxy S7, Galaxy S7 Edge
Again, there has been no official statement from LG as yet.
Popular Devices: LG G5, LG G4, LG V10
Time To Worry?
As with most security vulnerabilities, you have to remain vigilant. These vulnerabilities exist, but unless you download an app with the corresponding malicious code, you’re unlikely to find your device compromised.
The Google Play Store contains many millions of applications; the app containing malicious code designed to exploit these particular bugs could be anyone of them. As such, remain alert. Check feedback. Cross-check developer and publisher information. Look at download figures. Consider common scams. Don’t download ridiculous apps that offer to turn your phone into something it isn’t.
You should manage to evade any potential malefactors before your device manufacturer releases the patches to bring your security up to scratch. However, this latest bug yet again highlights the inherent risks present throughout the Android security model. Unlike Apple, who can simply develop a patch and rollout to their hundreds of millions of users, critical Android security patches have to pass through the entire supply chain of each manufacturer before reaching the users they’re designed to help.
I love Android, and will absolutely continue using it, but as a user, you must remain on guard.
Worried about QuadRoot? Does the number of Android vulnerabilities make you reconsider the platform? Let us know your thoughts below!