Yesterday, we reported on a security vulnerability that Dan Rosenberg had discovered, which affected “almost all” devices running Qualcomm Snapdragon processors. The vulnerability was discovered in ARM’s TrustZone, a system-wide security technology that Qualcomm uses in its mobile processors. Someone skilled enough could use the vulnerability to “compromise DRM schemes, leak sensitive key materials, defeat operating system protection mechanisms, and in some cases manipulate software-programmable fuse to defeat secure boot.” As we mentioned yesterday, that could include unlocking the bootloader of a phone.
At the time of Dan’s findings, all devices running Qualcomm chipsets were vulnerable, but the company has since been made aware and has already taken steps to have it patched. Dan even noted that the Galaxy S5 and HTC One (M8) had already been patched.
In a statement sent to us, Qualcomm confirmed that the issue exists and that it has already made software updates available to impacted customers (phone manufacturers and carriers).
“Qualcomm Technologies takes the security of its products very seriously and invests to identify and address security vulnerabilities in our software before it’s made available to customers. We’re aware of this issue and have already made available software updates for our impacted customers to address the reported vulnerabilities.”
It will likely take time for these updates to be pushed through testing and out to your devices, but expect them soon enough.