Guang Gong keeps disclosing many remote Chromium/Android zero click vulns, every year, which could've earned him millions on zerodium, and even more if put to real use.
"We can offer a few additional recommendations:
Transparency and openness:
(...) More generally, the competitive benefits of a closed platform approach to hardware internals should be reassessed in 2020. This balance may have been historically appropriate when the GPU was not in the critical path for security, but today billions of users are relying on the GPU to uphold the operating system security model. "
I wonder how secure new nvidia "security" features like MIG actually are. With people running real-time audio/video transcoders on GPUs for multiple connections, I wonder whether it is possible for particularly crafted video connections to leak the video of other channels being processed by the same GPU.
Even if one were to encrypt all connections, these will probably need to be decrypted on the GPU for processing.
The simple solution is memory isolation - let the modem be as insecure as you like, but anyone who breaks into the modem can only see your network traffic (hopefully all encrypted anyway) and nothing else.
Sadly today's qualcomm hardware has no real memory isolation at all - any bit of on-chip hardware can see all memory.
It isn't perfect, but it's far easier to do that than properly secure a multi-million-line codebase with a substantial amount of unpatchable hardware...
There is an IOMMU on snapdragons, as the article says, but it is the IOMMU mapping itself which they attack.
It is kind of mind-boggling in itself how they let the device overwrite its own IOMMU configuration, effectively nullifying the IOMMU's purpose and the safeties it provides.
It's like fencing your house with 10 meter high walls, but leaving the key lying in front of the gate.
As someone else said, it's not a security barrier between the ARM core and the radio hardware bits... It's more a tool for remapping stuff to make system design easier, and as a way of protecting against evil hardware outside the SoC.
I believe it can prevent the ARM core tampering with private radio hardware memory, but not the other way round.
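The point raised above, that an IOMMU is worthless when the device behind it can reach its own translation tables, as an added toy model (not code from the Project Zero post or from Qualcomm; the single-level table, 4 KiB pages and all addresses are constructed):

```python
# Toy IOMMU: one-level table mapping device (IO-virtual) pages to physical pages.
# Added example; layout and addresses are constructed, not Adreno/Snapdragon data.
PAGE = 0x1000
SLOT = 8  # bytes per table entry: entry i holds the phys page for iova page i


class Iommu:
    def __init__(self, table_phys_page, mappings, protect_tables):
        self.table_phys_page = table_phys_page  # where the table itself lives
        self.table = dict(mappings)             # iova page -> phys page
        self.protect_tables = protect_tables    # hardened: table never device-writable
        self.memory = {}                        # sparse physical memory

    def translate(self, iova):
        phys_page = self.table.get(iova // PAGE)
        if phys_page is None:
            raise PermissionError(f"IOMMU fault: iova {iova:#x} unmapped")
        return phys_page * PAGE + iova % PAGE

    def device_write(self, iova, value):
        """DMA write from the device, translated by the IOMMU."""
        phys = self.translate(iova)
        if phys // PAGE == self.table_phys_page:
            if self.protect_tables:
                raise PermissionError("IOMMU fault: write to translation table denied")
            # Vulnerable layout: the write lands in the table and rewrites a mapping.
            self.table[(phys % PAGE) // SLOT] = value
            return
        self.memory[phys] = value

    def device_read(self, iova):
        return self.memory.get(self.translate(iova), 0)


def demo(protect_tables):
    """Device owns iova pages 0 and 1; page 1 happens to map the table page itself."""
    TABLE_PAGE, KERNEL_PAGE = 0x20, 0x30        # constructed physical page numbers
    io = Iommu(TABLE_PAGE, {0: 0x10, 1: TABLE_PAGE}, protect_tables)
    io.memory[KERNEL_PAGE * PAGE] = 0xDEAD      # data the device must never see
    try:
        # Write entry 0 of the table (reached via iova page 1): iova page 0 -> KERNEL_PAGE.
        io.device_write(1 * PAGE + 0 * SLOT, KERNEL_PAGE)
    except PermissionError:
        return "blocked"
    return io.device_read(0)  # vulnerable layout: the device now reads kernel memory


if __name__ == "__main__":
    print("tables writable:", hex(demo(False)), "| tables protected:", demo(True))
```

The hardened variant only adds the check that no device-visible mapping may land on the table page; that single rule is what the high wall with the key left at the gate is missing.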
Next time Project Zero finds an iOS bug and people suggest it is a commercial hitjob, point them at this.
Qualcomm (and all Android vendors) look like they have been screwed by this. (To be clear - they are screwed because their processes are too slow to get security updates out).
My comment referred to the timeline outlined in the post, in particular this part:
Qualcomm gives an update on the progress of a microcode based fix. The plan is that the fix will be available for OEMs by September 7, but Qualcomm will request an extension to allow more time for patch integration and testing by OEMs.
and for their multiple subsequent requests for an extension and/or grace period.
Your August patches don't fix this - Qualcomm only notified OEMs on 4 August and their plan was to get fixes to OEMs by 7 Sep.
It wasn't due to a rushed patch - the patch just gave the Project Zero researcher an idea for where he should look.
There's no real way of being sure if it is being exploited. I guess no exploits had been detected a couple of days ago, but it's not uncommon for the way it gets detected to be someone finding the exploit software somewhere. That's how Project Zero found these iOS issues for example[1].
For comparison, Google Chrome tries to get security patches to most users within 24 hours.
Yet most Android devices are lucky to receive a patch within a few months... Don't worry though - that's only a window of a few months where an evil actor can drain your bank account and log your porn browsing sessions...
Critical security issues 'in the wild' only come up once every few months, but yes, when they do, the Chrome team has someone on duty 24 hours per day whose responsibility is to patch the code and do a release to all users within a matter of hours.
If you submit a security issue to Chrome, they actually have a tickbox on the webform to say "this issue is important enough to get someone out of bed for", and if you tick that box, it will actually wake someone at 3am to deal with it...
What does this mean? They (Project Zero) only started working on this in June 2020 ("However in June 2020, I noticed that the patch for CVE-2019-10567 was incomplete, and worked with Qualcomm's security team and GPU engineers to fix the issue at its root cause.... It's our understanding that Qualcomm will list this publicly in their November 2020 bulletin.")
Deserves respect at least.