Trend Micro finds IoT security hole in Qualcomm SoC
March 24, 2016
Trend Micro researchers have found a hole in the defences of the systems on chips (SoCs) produced by Qualcomm Snapdragon that, if exploited, allows root access. This would give hackers administrative authority over the hardware, which enables a wide range of nefarious possibilities.
So far, Trend Micro security experts have found this vulnerability on the Nexus 5, 6, 6P and the Samsung Galaxy Note Edge. Considering that these devices no longer receive security updates, this is concerning news for anyone who owns one of these phones. However, smartphones aren't the only problem. Snapdragon also sells its SoCs to vendors producing devices considered part of the IoT, meaning these gadgets are just as at risk.
By all accounts, it would appear that IoT devices are going to have a similar problem with security updates as these Android smartphones. FTC chair Edith Ramirez said as much in a speech at the 2015 Consumer Electronics Show.
"Moreover, some connected devices are low-cost and essentially disposable," she said. "If a vulnerability is discovered on that type of device, it may be difficult to update the software or apply a patch – or even to get news of a fix to consumers."
A large portion of the population already doesn't see the point of updating their systems, and that is with only a few internet-connected devices in their homes. An IoT future, where almost every device in the home will have a connection, is only going to compound this problem further.
“Add in the fact that some of these devices will be designed to be cheap and essentially disposable and it's easy to see why many people worry about the security of the IoT,” said Trend Micro’s Noah Gamer in a blog post. “SoCs like the ones developed by Snapdragon are already making their rounds in IoT devices including certain wearables. If the industry can't find a way to effectively patch these vulnerabilities, there could be massive repercussions.”
Although hacking can already be used for nefarious means, the implications of an entirely connected world go far beyond that. An example of this is the discovery of a vulnerability in a new Barbie doll that had the capability of connecting to the internet, allowing children to have a conversation with Barbie. In November 2015, an independent researcher named Andrew Hay partnered with BlueBox Security to look into this toy’s security capabilities, according to PC World.
They discovered that the doll automatically connected to any unsecured Wi-Fi network with “Barbie” in the name. This means that a person could theoretically spoof a network, allow the doll to connect and hear everything the child said to the doll. While this doesn't exactly have many practical uses, it's certainly a frightening concept for any parent.
But that's nowhere near the worst thing that can be done with IoT devices. In September 2015, a group of people from the University of South Alabama wanted to see how far they could go with a connected pacemaker. They began tests on an iStan, basically a dummy that realistically simulates the biological processes of a real human. What they found was that they could effectively kill someone by hacking their pacemaker. Mike Jacobs, professor at the university, laid out the extent of the experiment.
"The simulator had a pacemaker so we could speed the heart rate up, we could slow it down," said Jacobs. "If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient."
Under the right conditions, a hacker could use this insight to kill a patient with a few lines of code. While that's frightening on its own, the simplicity of this attack is the real concern. All it took was brute force and denial-of-service attacks, widely regarded as very low-skill hacking techniques, to breach the pacemaker's defences.
“Despite the fact that these examples didn't utilise vulnerabilities in the same way that cyber criminals could by exploiting Snapdragon's SoCs, they show that hacking the IoT is a much bigger problem than exploiting smartphones,” said Gamer. “That said, it would appear that Android phones and certain IoT devices share a similar problem in terms of security updates. The lower end IoT gadgets may not get the updates they need, as pointed out by Ramirez, which could open them up to serious risk.
“If the IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with.”