Google Researchers Found Nearly a Dozen Flaws in Popular Qualcomm Software for Mobile GPUs

Demand for graphics processing units oregon GPUs has exploded in recent years arsenic video rendering and artificial quality systems person expanded the request for processing power. And portion astir of the astir disposable shortages (and soaring banal prices) subordinate to top-tier PC and server chips, mobile graphics processors are the mentation that everyone with a smartphone is utilizing everyday. So vulnerabilities successful these chips oregon however they're implemented tin person existent satellite consequences. That's precisely wherefore Google's Android vulnerability hunting reddish squad acceptable its sights connected unfastened root bundle from the spot elephantine Qualcomm that's wide utilized to instrumentality mobile GPUs.

At the Defcon information league successful Las Vegas connected Friday, 3 Google researchers presented much than 9 vulnerabilities—now patched—that they discovered successful Qualcomm's “Adreno GPU,” a suite of bundle utilized to coordinate betwixt GPUs and an operating strategy similar Android connected Qualcomm-powered phones. Such “drivers” are important to however immoderate machine is designed and person heavy privileges successful the kernel of an operating strategy to coordinate betwixt hardware peripherals and software. Attackers could exploit the flaws the researchers recovered to instrumentality afloat power of a device.

For years, engineers and attackers alike person been astir focused connected imaginable vulnerabilities successful a computer's cardinal processing portion (CPU) and person optimized for ratio connected GPUs, leaning connected them for earthy processing power. But arsenic GPUs go much cardinal to everything a instrumentality does each the time, hackers connected some ends of the spectrum are looking astatine however GPU infrastructure could beryllium exploited.

“We are a tiny squad compared to the large Android ecosystem—the scope is excessively large for america to screen everything, truthful we person to fig retired what volition person the astir impact,” says Xuan Xing, manager of Google's Android Red Team. “So wherefore did we absorption connected a GPU operator for this case? It's due to the fact that there’s nary support required for untrusted apps to entree GPU drivers. This is precise important, and I deliberation volition pull tons of attackers’ attention.”

Xing is referring to the information that applications connected Android phones tin speech to the Adreno GPU operator straight with “no sandboxing, nary further support checks,” arsenic helium puts it. This doesn't successful itself springiness applications the quality to spell rogue, but it does marque GPU drivers a span betwixt the regular parts of the operating strategy (where information and entree are cautiously controlled), and the strategy kernel, which has afloat power implicit the full instrumentality including its memory. “GPU drivers person each sorts of almighty functions,” Xing says. “That mapping successful representation is simply a almighty primitive attackers privation to have.”

The researchers accidental the vulnerabilities they uncovered are each flaws that travel retired of the intricacies and analyzable interconnections that GPU drivers indispensable navigate to coordinate everything. To exploit the flaws, attackers would request to archetypal found entree to a people device, possibly by tricking victims into sideloading malicious apps.

“There are a batch of moving parts and nary entree restrictions, truthful GPU drivers are readily accessible to beauteous overmuch each application,” says Eugene Rodionov, method person of the Android Red Team. “What truly makes things problematic present is complexity of the implementation—that is 1 point which accounts for a fig of vulnerabilities.”

Qualcomm released patches for the flaws to “original instrumentality manufacturers” (OEMs) that usage Qualcomm chips and bundle successful the Android phones they make. “Regarding the GPU issues disclosed by Android Security Red Team, patches were made disposable to OEMs successful May 2024,” a Qualcomm Spokesperson tells WIRED. “We promote extremity users to use information updates from instrumentality makers arsenic they go available.”

The Android ecosystem is complex, and patches indispensable determination from a vendor similar Qualcomm to OEMs and past get packaged by each idiosyncratic instrumentality shaper and delivered to users' phones. This trickle-down process sometimes means that devices tin beryllium near exposed, but Google has spent years investing to amended these pipelines and streamline communication.

Still, the findings are yet different reminder that GPUs themselves and the bundle supporting them person the imaginable to go a captious battleground successful machine security.

As Rodionov puts it, “combining precocious complexity of the implementation with wide accessibility makes it a precise absorbing people for attackers.”