开源日报 每天推荐一个 GitHub 优质开源项目和一篇精选英文科技或编程文章原文,坚持阅读《开源日报》,保持每日学习的好习惯。
今日推荐开源项目:《blog-post-workflow》
今日推荐英文原文:《Researchers warn of an Achilles’ heel security flaw for Android phones》
开源日报第858期:《blog-post-workflow》
今日推荐开源项目:《blog-post-workflow》传送门:项目链接
推荐理由:该项目可以展示你最近在各个平台上面发表的博客, 并自动通过git指令添加到你的项目readme中.
今日推荐英文原文:《Researchers warn of an Achilles’ heel security flaw for Android phones》作者:Alfred Ng
原文链接:https://www.cnet.com/news/researchers-warn-of-an-achilles-heel-security-flaw-for-android-phones/
推荐理由:研究人员警告: 支持快速充电或者消除噪音功能的芯片可能为黑客入侵手机带来便利. 据观察, 某种在40%以上的安卓设备使用的芯片包含多达400个漏洞, 可能被黑客利用.

Researchers warn of an Achilles’ heel security flaw for Android phones

You might not ever have heard of a digital signal processor, but there’s a good chance you’ve reaped the benefits of one on your phone. These processors, described as a “complete computer in a single chip,” are the reason phones can fully charge within five minutes or launch augmented reality for games like Pokemon Go.

The chip’s wide range of possibilities, however, mean it’s ripe for abuse from hackers, warn researchers at Check Point, a cybersecurity firm. In a Defcon presentation scheduled for Friday, researcher Slava Makkaveev is expected to demonstrate how these processors are essentially gateways for attackers to get control over Android devices.

Makkaveev looked at the Qualcomm Snapdragon chip, which is in more than 40 percent of Android devices, and found more than 400 vulnerabilities. A potential hacker could create a malicious app that exploits these vulnerabilities to bypass the usual security checkpoints and take data, including photos, videos and location information.

The vulnerabilities also could allow a malicious app to record calls and turn on a device’s microphone without people knowing about it. Other vulnerabilities include allowing a malicious app to brick devices and to hide other malware on phones.

Check Point’s researchers said they wouldn’t be specifying the technical details of the hundreds of vulnerabilities discovered, because the flaws still pose a security risk for potentially millions of devices.

Qualcomm acknowledged the vulnerabilities and released warnings about the flaws. The issues remain security risks unless phone manufacturers also push updates out to customers.

“We worked diligently to validate the issue and make appropriate mitigations available” to phone makers, Qualcomm said in a statement, adding that the company didn’t have any evidence that the problem was now being exploited by hackers. “We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” Qualcomm said.

A spokesman for Google, which makes the Android OS, referred questions to Qualcomm for comment.

Though those specific security vulnerabilities were addressed, Check Point’s researchers said the processors are essentially a whole new platform for attackers to go after, describing that platform as an Achilles’ heel for even the most secure devices.

Digital signal processors have been around for a while, but security researchers haven’t paid much attention to them, partially because the entry barrier has been so high. Technical details on the chips are often locked down by the makers, which can be a benefit but also a concern if security researchers aren’t able to test them for flaws.

Check Point’s head of cyber research, Yaniv Balmas, said he suspects that in regard to these processors, there are many more vulnerabilities that haven’t yet been discovered, and he hopes more researchers will start looking at the hardware more closely.

“Our research managed to break these limits and we were able to have a very close look at the chip’s internal design and implementation in a relatively convenient way,” Balmas said. “Since such research is very rare, it can explain why we found so many vulnerable code sections.”
下载开源日报APP:https://openingsource.org/2579/
加入我们:https://openingsource.org/about/join/
关注我们:https://openingsource.org/about/love/