'Achilles' flaw exposes a billion Android phones

The Rocketry Forum


Winston

One of the disadvantages of buying cheaper phones from manufacturers who don't reliably and often update their firmware or OS.

AUGUST 10, 2020
'Achilles' flaw exposes a billion Android phones

https://techxplore.com/news/2020-08-achilles-flaw-exposes-billion-android.html
One billion Android phones are at risk of attacks by hackers taking advantage of what a research firm says are 400 vulnerabilities detected on the smartphone's chips.

Collectively called "Achilles," the vulnerabilities were found on stretches of code found in Qualcomm's Snapdragon chips, which are found on nearly half of all Android phones.

Addressing the DEF CON Safe Mode security conference Friday, researchers at Check Point security firm said phones could be turned into spying tools providing access to photos, videos, location data, and other sensitive user details. The hacker need only successfully persuade a user to install a seemingly benign app that requires no permissions to operate.

Hackers could spy on phone conversations, launch denial-of-service attacks, or surreptitiously plant malicious code.

"You can be spied on. You can lose all your data," said Yaniv Balmas, head of cyber research at Check Point. "If such vulnerabilities are found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time."

Check Point has distributed details of its findings to Qualcomm and affected phone vendors. It did not post the details in public so as to not provide any advantages to hackers.

Qualcomm said it is addressing the vulnerabilities; issuing a new compiler and a new software development kit. But it is up to phone vendors to distribute patches for each model phone carrying the affected processor.

"For vendors, it means they will need to recompile each and every DSP application they use, test them, and fix any issues [that] may occur," said Balmas. "Then they need to ship these fixes to all devices in the market."


Meanwhile, outside of phones:

August 7, 2020
EXCLUSIVE: INTEL CPU VULNERABILITY CAN BE USED TO KILL CPUS AND CRASH SYSTEMS

https://adoredtv.com/exclusive-intel-cpu-vulnerability-can-be-used-to-kill-cpus-and-crash-systems/
I want to preface this article with some important words. We publish hardware leaks when we’re about 99% confident that our sources have given us good information. The information in this exclusive, given its severe nature, demands 100% confidence, a level of confidence which we have. We also don’t take pleasure in publishing this information, but we have good reason to.

We were informed recently of a hardware vulnerability that is present in current generation Intel chips, and likely goes back as far as the 6th generation, and we’ve seen indications that even the 4th and 5th generations could be affected. It’s similar to Plundervolt but it’s not a security vulnerability per se. For those unfamiliar, Plundervolt is a security vulnerability caused by lowering the voltage in an Intel CPU low enough to compromise the SGX security system. This new vulnerability also concerns changing the voltage, but for ends purely within hardware.

By running a simple program that doesn’t even need to be installed or by installing a driver, one can increase or decrease the CPU voltage by as much as half a volt. Now, it does require elevation to admin-level permissions (at least in Windows) for this to work, but it works against both locked and unlocked CPUs and can persist through a reboot by using a signed driver, which would not prompt UAC at all. The driver method is particularly worrisome because it bypasses UAC after the initial installation (which does actually prompt UAC), unlike the method in which one just runs a program.

As such, if a system were compromised and a hacker started messing around with a CPU’s voltage, what exactly could happen? Well, let’s focus on increasing voltage first. On a CPU that normally operates at lower clock speeds and voltages, like server CPUs and low end consumer CPUs, you could expect an extra half of a volt to make things seriously toasty and perhaps significantly shorten its lifespan over a period of time due to much higher voltage than is normal. But, on much higher end, faster CPUs with high clock speeds and thus relatively high voltages out of the box, it’s possible that this kind of voltage could cause immediate damage or even death. An additional half a volt is not a joke.

Technically, an extra half volt isn’t even a limit. By fluctuating the voltage of a CPU at incredible speed, the VRM (or voltage regulator module) could accidentally overshoot the intended amount of voltage by a fair bit. This will be more effective on cheaper, lower quality motherboards than higher quality boards because a better VRM will be designed to overshoot less frequently and stick closer to the intended target. We’re not sure if this is an effective technique for damaging or killing CPUs (we don’t have a ton of experience with that), but anything that further increases the voltage is not good news.

 
An unusually important update.

Microsoft Patch Tuesday, August 2020 Edition

https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/
Microsoft today released updates to plug at least 120 security holes in its Windows operating systems and supported software, including two newly discovered vulnerabilities that are actively being exploited. Yes, good people of the Windows world, it’s time once again to backup and patch up!

At least 17 of the bugs squashed in August’s patch batch address vulnerabilities Microsoft rates as “critical,” meaning they can be exploited by miscreants or malware to gain complete, remote control over an affected system with little or no help from users. This is the sixth month in a row Microsoft has shipped fixes for more than 100 flaws in its products.
 