Qualcomm Issues Statement on Dan Rosenberg’s TrustZone Vulnerability

Yesterday, we reported on a security vulnerability that Dan Rosenberg had discovered, which affected “almost all” devices running Qualcomm Snapdragon processors. The vulnerability was discovered in ARM’s TrustZone, a system-wide security technology that Qualcomm uses in its mobile processors. If skilled enough, someone could use the vulnerability to “compromise DRM schemes, leak sensitive key materials, defeat operating system protection mechanisms, and in some cases manipulate software-programmable fuse to defeat secure boot.” As we mentioned yesterday, that could include unlocking the bootloader of a phone.

At the time of Dan’s findings, all devices running Qualcomm chipsets were vulnerable, but the company has since been made aware and has already taken steps to have it patched. Dan even noted that the Galaxy S5 and HTC One (M8) had already been patched. 

In a statement sent to us, Qualcomm confirmed that the issue exists and that it has already made software updates available to impacted customers (phone manufacturers and carriers).

“Qualcomm Technologies takes the security of its products very seriously and invests to identify and address security vulnerabilities in our software before it’s made available to customers. We’re aware of this issue and have already made available software updates for our impacted customers to address the reported vulnerabilities.”

It will likely take time for these updates to be pushed through testing and out to your devices, but expect them soon enough.

  • tiev

    must… unlock… bootloader… :o….. verizon must fall!!

  • avataranjie

    Does Qualcomm care about older devices like the HTC Mytouch 4g and Nexus One and such?

  • Bigsike

    What’s sad is it will take another act of congress or whoever to allow us to unlock the bootloader on OUR phones. What year is this? Name another product you have where the manufacturer outright prevents you from doing what you like when you like. Hell you can even jack up your car however you want and that’s a machine that can kill people. It’s like this shouldn’t even be an issue anymore it’s just ridiculous.

    • Pedro

      Name another product that gives you access to the embedded firmware. Basically, every piece of tech in your house prevents you from ‘doing what you like when you like’.

      Or buy a Nexus.

      • rstat1

        My laptop allows access to its firmware, so do my wireless routers.

      • Bigsike

        The reason the Nexus exists is the exact reason what they are doing is wrong. If locking down the phone just because they can clearly says that it should not have been done to begin with. Also anytime you or anyone advocates limiting a device in any way makes us all lose.

  • Darien Rudolph

    Qualcomm: ROSENBERRRRRG! *background thunder claps*

  • yummy

    I would like to see more focus on security in android, especially wearables and nesty things

  • Pedro

    On the bright side, any VZW customers won’t have to worry about the update until late 2015.

    • tomn1ce

      Yeah right with this update they’ll be the first one to get it out the door….just to make sure they prevent more people from unlocking the bootloader.

  • MichaelFranz

    upsetting the S5 couldn’t be unlocked. however mobile security is so big nowadays that its good to see. To be honest unless you have a nexus phone you really don’t see unlocked devices getting that much dev work unless it can be unlocked out of the box through retail. For instance, the HTC M8 was unlocked within days of release and developers have worked on it giving it multiple roms.

    a device like moto x which just gets unlocked now if it ever gets a public method, might not see that much work. Same goes for the S5 if it ever sees any kind of unlock. I know you can say “go buy a dev edition” but not many people are going to do that. Plus most dev edition phones will not see OTA updates.

    • David V.

      That is completely untrue. Dev phones get the same updates as locked phones. Even if they didn’t all you have to do is side load the ota or use RSD Lite to fxz the update. Dealer’s choice.

      • me

        [email protected] if they do, my dev edition note 3 receives no support or updates from samsung and definitely not verizon. Yeah i can odin 4.4.2 retail but i will lose my unlocked bootloader. Don’t speak about what you don’t know, it makes you look stupid.

    • Dave Amburn

      Where did you get that false information? The only difference between a retail phone and a Dev edition is the ability to unlock the bootloader on the Dev edition. It’s the same phone otherwise. Which means it gets OTA’s the exact same time.

  • AndrewScottRox

    So is the update already out for devices or is it still being tested? Having just updated my MotoX to 4.4.4, I’m curious if the fix was in that update.

    • T4rd

      I read that it was fixed in 4.4.4 on the Moto X. Not sure if that’s accurate though.

      • AndrewScottRox

        I thought they only improved the camera and put a new dialer on there. I didn’t see anything about any security updates. Could have been slipped in there though.

        • Nathan Borup

          They probably wouldn’t have gone that far into detail with the update changelog. You have to remember, most people that use smartphones don’t know what we know, so companies have to dumb down their changelogs.

        • needa

          no reason for moto to announce a vulnerability. that would be irresponsible of them. qualcomm is who they buy their chips from.

          • Blue Sun

            “We fixed the glitch…”

  • Sean Rowe

    So the chances of a bootloader unlocked Moto X+1 are slim and none?

    • T4rd

      Pretty much the same as all the previous Moto phones. 😉

      • Nathan Borup

        Chinese middleman, here we come 😛

        • DanSan


          my brother had some chinese dude get him an unlock code. he is enjoying his unlocked bootloader moto x on verizon 🙂

          • Nathan Borup

            best $40 I’ve spent… makes the phone last a lot longer than moto is going to support because I can flash custom roms and such

    • Menger40

      Moto X had a dev version, maybe X+1 will too.

      • Gr8Ray

        And maybe they’ll make it an option in Moto Maker so we don’t have to put up with their lame color choice.

  • Justin Kos

    Well that escalated quickly

    • OF

      I mean that really got out of hand fast.

      • Ron

        Brick killed a guy!

        • Brick Tamland

          Yeah, there were horses, and a man on fire, and I killed a guy with a trident.

          • speed_phreak

            I pooped a hammer…

  • Suicide_Note

    Glad to see Qualcomm is already on top of it.

    • Walter Partlo

      Didn’t he notify them a bit ago?

      • Nathan Borup

        Yeah, Dan would have notified them a while ago before releasing it to the open public. It would only be safe to do that

      • Joash

        Not confirmed. I hope he did. It’s bad etiquette to disclose security holes without notifying the company/developer and giving them some sort of grace period.

    • sgreene

      LOL! Good one.