Demand for graphics processing units, or GPUs, has exploded in recent years due to the increased requirements of video rendering and artificial intelligence systems. This increased need affects not only high-end PC and server chips, as seen in shortages and rising stock prices, but also the mobile GPUs that smartphone users rely on daily. Vulnerabilities in these chips or in their implementation can have significant real-world consequences. This is why Google’s Android vulnerability research team has targeted Qualcomm’s widely utilized open-source mobile GPU software.
At the Defcon security conference in Las Vegas on a Friday, three Google researchers presented more than nine vulnerabilities, now patched, that they found in Qualcomm’s Adreno GPU software. This software is essential for linking GPUs with an operating system like Android on devices powered by Qualcomm. These “drivers” hold substantial control within the operating system’s kernel, managing the communication between hardware peripherals and software. Any exploitable flaw in these drivers could potentially give attackers complete control over a device.
Historically, engineers and attackers have focused primarily on vulnerabilities in a computer’s central processing unit (CPU), while GPUs were mainly optimized for efficiency and processing power. However, as GPUs play an increasingly crucial role in device functionality, they are becoming a key target for exploitation.
“Considering how expansive the Android ecosystem is, our team being smaller means we can’t cover everything; therefore, we need to decide what gets priority based on potential impact,” explained Xuan Xing, manager of Google’s Android Red Team. “We chose to investigate a GPU driver because it does not require permissions for untrusted apps to access, making it a significant point of interest for attackers.”
Xing highlights that Android applications can interact directly with the Adreno GPU driver without any sandboxing or additional permission checks. This does not in itself let apps behave maliciously, but it does make GPU drivers a conduit between the heavily controlled parts of the OS and the system kernel, which holds complete control over the device, including memory management. “GPU drivers possess numerous powerful functions,” says Xing, noting that memory mapping in particular is something attackers find advantageous.
The researchers say the vulnerabilities they identified stem from the complexity and interconnection that GPU drivers need in order to coordinate tasks. To exploit these vulnerabilities, attackers first need to gain access to the device, possibly by deceiving users into installing harmful apps.
“The lack of access restrictions implies that GPU drivers are easily accessible by almost all applications,” says Eugene Rodionov from the Android Red Team. He points out that the implementation’s complexity is a major source of vulnerabilities.
Qualcomm has released patches for these vulnerabilities and distributed them to the original equipment manufacturers (OEMs) that use Qualcomm components in Android devices. Following the disclosure of the GPU issues by the Android Security Red Team, a Qualcomm spokesperson advised end users to apply security updates as they become available.
The Android ecosystem is composed of multiple layers, including vendors like Qualcomm, OEMs, and finally the device makers who package and deliver updates to users’ phones. This multi-step process can sometimes leave devices vulnerable while updates are delayed. Google, however, has been actively working to enhance these processes and improve the efficiency of communication within this pipeline.
Nonetheless, recent discoveries highlight that GPUs and their corresponding software are increasingly becoming focal points for cybersecurity threats.
As Rodionov puts it, the combination of intricate architecture and broad accessibility makes these systems a compelling target for attackers.