Achilles is the name of a set of 400 security vulnerabilities found in the Qualcomm chips that power a billion Android devices – many of which may never get fixed.

Discovered by researchers at CheckPoint, the vulnerabilities all relate the DSP chip which is part of the Snapdragon processor that powers the phones and tablets.  DSP chips are specialised silicon optimised to efficiently process media files and the Qualcomm DSP runs code created with their Hexagon development toolkit.  The vulnerabilities stem from flaws in the Hexagon software which is used to create the code that runs on the DSP chip.

By exploiting the Achilles vulnerabilities attackers would be able to perform a variety of actions including:

• Turn on the microphone
• Exfiltrate files such as photographs, videos or GPS data
• Render the device inoperative
• Run malware which is invisible to the user

This disclosure brings into focus the challenge faced by Enterprise Mobile Device Managers:  mobile devices may well continue to function in the field well beyond the 36 months coverage for monthly security patches offered by vendors such as Google and Samsung for flagship devices.

As Samsung comments on their website:

The product life cycle of a smartphone is not just about physical attributes; it is heavily impacted by software in order to ensure security, reliability and continuity. So, when deploying smartphones, enterprise mobility managers should think about not only protecting the device itself, but also whether it will continue to be supported by the manufacturer with ongoing firmware and security updates.

Full details of the vulnerabilities have not been published by CheckPoint as fixes are not yet available.

Key CVE for Achilles:  CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.