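Open Source Daily recommends one high-quality GitHub open source project and one selected English-language technology or programming article every day. Keep reading Open Source Daily to maintain a good habit of daily learning.
Today's recommended open source project: "blog-post-workflow"
Today's recommended English article: "Researchers warn of an Achilles' heel security flaw for Android phones"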

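Today's recommended open source project: "blog-post-workflow". Go to: project link
Why we recommend it: This project can display the blog posts you have recently published on various platforms and automatically add them to your project README through git commands.
Today's recommended English article: "Researchers warn of an Achilles' heel security flaw for Android phones", by Alfred Ng
Original link: https://www.cnet.com/news/researchers-warn-of-an-achilles-heel-security-flaw-for-android-phones/
Why we recommend it: Researchers warn that chips supporting fast charging or noise cancellation may make it easier for hackers to break into phones. A chip used in more than 40% of Android devices has been observed to contain as many as 400 vulnerabilities that hackers could exploit.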

Researchers warn of an Achilles' heel security flaw for Android phones

You might not ever have heard of a digital signal processor, but there's a good chance you've reaped the benefits of one on your phone. These processors, described as a "complete computer in a single chip," are the reason phones can fully charge within five minutes or launch augmented reality for games like Pokemon Go.

The chip's wide range of possibilities, however, means it's ripe for abuse from hackers, warn researchers at Check Point, a cybersecurity firm. In a Defcon presentation scheduled for Friday, researcher Slava Makkaveev is expected to demonstrate how these processors are essentially gateways for attackers to get control over Android devices.

Makkaveev looked at the Qualcomm Snapdragon chip, which is in more than 40 percent of Android devices, and found more than 400 vulnerabilities. A potential hacker could create a malicious app that exploits these vulnerabilities to bypass the usual security checkpoints and take data, including photos, videos and location information.

The vulnerabilities also could allow a malicious app to record calls and turn on a device's microphone without people knowing about it. Other vulnerabilities include allowing a malicious app to brick devices and to hide other malware on phones.

Check Point's researchers said they wouldn't be specifying the technical details of the hundreds of vulnerabilities discovered, because the flaws still pose a security risk for potentially millions of devices.

Qualcomm acknowledged the vulnerabilities and released warnings about the flaws. The issues remain security risks unless phone manufacturers also push updates out to customers.

"We worked diligently to validate the issue and make appropriate mitigations available" to phone makers, Qualcomm said in a statement, adding that the company didn't have any evidence that the problem was now being exploited by hackers. "We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store," Qualcomm said.

A spokesman for Google, which makes the Android OS, referred questions to Qualcomm for comment.

Though those specific security vulnerabilities were addressed, Check Point's researchers said the processors are essentially a whole new platform for attackers to go after, describing that platform as an Achilles' heel for even the most secure devices.

Digital signal processors have been around for a while, but security researchers haven't paid much attention to them, partially because the entry barrier has been so high. Technical details on the chips are often locked down by the makers, which can be a benefit but also a concern if security researchers aren't able to test them for flaws.

Check Point's head of cyber research, Yaniv Balmas, said he suspects that in regard to these processors, there are many more vulnerabilities that haven't yet been discovered, and he hopes more researchers will start looking at the hardware more closely.

"Our research managed to break these limits and we were able to have a very close look at the chip's internal design and implementation in a relatively convenient way," Balmas said. "Since such research is very rare, it can explain why we found so many vulnerable code sections."