Metn. Beirut – Lebanon
critical vulnerabilities in Qualcomm Adreno GPU
12-Aug-2024

critical vulnerabilities in Qualcomm Adreno GPU

Google researchers have uncovered over nine vulnerabilities in Qualcomm's Adreno GPU, an integrated graphics processing unit in Qualcomm's Snapdragon processors. Due to the GPU having kernel privileges, the security flaws pose significant risks since they could allow attackers to gain full control of a device.

The research focused on GPU drivers because untrusted apps can access them without additional permissions, making them attractive targets for hackers. These drivers' inherent complexity and deep integration with operating systems further increase their susceptibility to security flaws.

Xuan Xing, the manager of Google's Android Red Team, explained to Wired that their team is small relative to the expansive Android ecosystem, so they need to focus on the areas where they can make the most significant impact.

Hackers are increasingly exploiting vulnerabilities in GPU drivers, such as those found in Qualcomm's Adreno and Arm's Mali. These flaws lead to unauthorized access to data stored in GPU memory, posing significant risks given the widespread use of these components in devices like Android smartphones and tablets.

Qualcomm has already patched the holes Google found, but users should not become complacent. Auto-updating features are generally slower than manual installation of updates, plus there is a slight delay between manufacturer patches and operating system updates. Android users should check for and install them sooner rather than later, especially since hackers were reportedly already exploiting some of these vulnerabilities in the wild in a limited and targeted manner.

The discovery of these vulnerabilities underscores a growing need to focus on the security of mobile GPUs. Much of the attention has historically been on high-end PC and server processors. However, Adreno's flaws highlight that mobile GPUs also present significant security risks that manufacturers must stay on top of and address.