Researchers Uncover a Hardware Security Vulnerability on Android Phones
Let's hope not, and if so, it won't be for long, thanks to a team of researchers at the University of Pittsburgh's Swanson School of Engineering.
A recent study showed that the graphics processing unit (GPU) in some Android smartphones can be used to eavesdrop on a user's credentials as the user enters them on the smartphone's on-screen keyboard. The discovered hardware security vulnerability poses a far greater threat to a user's sensitive personal data than previous attacks, which can only infer a user's general activities, such as the website visited or the length of the password entered.
“Our experiments show that an attack can correctly determine user-entered credentials, such as username and password, without requiring any system privileges or causing any noticeable change in device operation or performance. Users will not be able to tell when they are being attacked,” said Wei Gao, assistant professor of electrical and computer engineering, whose lab led the research.
During the experiment, the researchers were able to correctly determine which letters or numbers were pressed in 80% of cases, based only on data received from the GPU.
The researchers focused on the Qualcomm Adreno GPU, but it is assumed that the vulnerability can also be exploited on other GPUs. The team reported the vulnerability to Google and Qualcomm. Google noted that it will release a security patch for Android at the end of this year.
For example, an attacker can create a seemingly harmless application and embed malicious code in it that runs in the background. As a result of the attack, the malicious application can obtain usernames and passwords entered in online banking apps or on websites. Such code cannot be detected by the standard security measures of the Google Play store.
The paper "Eavesdropping User Credentials Through Third-Party GPU Channels on Smartphones" was co-authored by Boyuan Yang, Ruirong Chen, Kai Huang, Jun Yang, and Wei Gao. It was presented at the ASPLOS conference held from February 28 to March 4, 2022, in Lausanne, Switzerland.