Black Hat: Public Opinion Hacking Hits Fever Pitch
… the new needs of the organizations they are working to protect,” he said. “Security is a team sport, all of us are in this together.”
The threat landscape is constantly evolving and “we are all much more secure today than we were 10 years ago,” Foss said.
“In general, organizations are much more aware of the threats, and the tooling has increased significantly to help combat evolving threats,” he said. “That said, attackers are also stepping up their game. The ever-escalating game of cat and mouse will continue, which ultimately does result in better security.”
Android Phones Everywhere Can Spy on Users
Security researchers at Check Point Software Technologies have found hundreds of vulnerable code sections in a chip found in over 40% of the world’s cellphones.
Qualcomm manufactures the chip, known as a Digital Signal Processor (DSP). It can be found in nearly every Android phone on the planet. That includes high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.
Check Point is presenting the research at Def Con 2020, held in conjunction with Black Hat. The researchers outlined the significant security risks of more than 400 vulnerabilities found in Qualcomm’s DSP. Those include:
- Attackers can turn your phone into a perfect spying tool, without any user interaction required. Leaked information includes photos, videos, call recording, real-time microphone data, GPS and location data, and more.
- Attackers can render your mobile phone constantly unresponsive. All information stored on the phone can be permanently unavailable.
- Malware and other malicious code can completely hide a hacker’s activities and become unremovable.
Ekram Ahmed, a Check Point spokesperson, said the vulnerabilities can affect both individuals and businesses.
“The vulnerabilities affect all Android phones,” he said. “So, if an employee has an Android phone, they can become a spying vector on the business.”
There’s nothing individuals and organizations can do on their own to protect themselves from these vulnerabilities, Ekram said.
“People must wait for their vendor to apply the fixes,” he said. “However, a mobile protection solution can help alert you on shady activity, at a minimum.”
Although Qualcomm has fixed the issue, that’s not the end of the story, said Yaniv Balmas, head of cyber research at Check Point.
“Hundreds of millions of phones are exposed to this security risk,” he said. “You can be spied on. You can lose all your data. Our research shows the complex ecosystem in the mobile world. With a long supply chain integrated into each and every phone, it is not trivial to find deeply hidden issues in mobile phones, but it’s also not trivial to fix them. Luckily this time, we were able to spot these issues. But we assume it will take months or even years to completely mitigate it. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time.”
It is now up to the vendors like Google, Samsung and Xiaomi to integrate the patches into their entire phone lines, Balmas said. That includes phones both in manufacturing and in the market, he said.
“Our estimation is that it will take a while for all the vendors to integrate the patches into all their phones,” he said. “For now, consumers must wait for the relevant vendors to also implement fixes. Check Point offers protection for these vulnerabilities with our mobile protection solution.”