
Google researchers have found nearly a dozen flaws in Qualcomm’s popular mobile GPU software

Demand for graphics processing units, or GPUs, has exploded in recent years, as video rendering and artificial intelligence systems have expanded the need for processing power. And while the most visible shortages (and skyrocketing stock prices) involve chips for high-end PCs and servers, mobile graphics processors are the version that everyone with a smartphone uses every day. So vulnerabilities in these chips, or in the way they’re implemented, can have real-world consequences. That’s exactly why Google’s red team, which hunts for Android vulnerabilities, has set its sights on open-source software from chip giant Qualcomm that is widely used to implement mobile GPUs.

At the Defcon security conference in Las Vegas on Friday, three Google researchers presented more than nine now-patched vulnerabilities they discovered in Qualcomm’s Adreno GPU driver, a suite of software used to coordinate between the GPU and an operating system like Android on Qualcomm-based phones. Such “drivers” are essential to the way any computer is designed, and have deep privileges in an operating system’s kernel to coordinate between hardware peripherals and software. Attackers could exploit the flaws the researchers discovered to take full control of a device.

For years, engineers and attackers alike have focused primarily on potential vulnerabilities in a computer’s central processing unit (CPU) and have optimized GPUs for efficiency, leaning on them for raw processing power. But as GPUs become increasingly central to everything a device does at any given moment, hackers on both ends of the spectrum are looking at how GPU infrastructure could be exploited.

“We’re a small team compared to the larger Android ecosystem—the scope is too broad to cover everything, so we need to figure out what will have the biggest impact,” says Xuan Xing, lead of Google’s Android Red Team. “So why did we focus on a GPU driver for this case? Because there’s no permission required for untrusted apps to access GPU drivers. That’s really important, and I think it’s going to attract a lot of attackers.”

Xing is referring to the fact that apps on Android phones can communicate directly with the Adreno GPU driver without “sandboxing, without additional permission checks,” as he puts it. This doesn’t in itself give apps the ability to go rogue, but it does make GPU drivers a bridge between the regular parts of the operating system (where data and access are carefully controlled) and the system kernel, which has full control over the entire device, including its memory. “GPU drivers have all sorts of powerful features,” Xing says. “That memory mapping is a powerful primitive that attackers want to have.”

The researchers say the vulnerabilities they discovered are all flaws that arise from the complexities and intricate interconnections that GPU drivers must manage to coordinate everything. To exploit the flaws, attackers would first have to establish access to a target device, perhaps by tricking victims into sideloading malicious apps.

“There are a lot of moving parts and no access restrictions, so the GPU drivers are easily accessible to almost any application,” says Eugene Rodionov, technical lead for the Android Red Team. “What really makes things problematic here is the complexity of the implementation, which is one factor that explains a number of vulnerabilities.”

Qualcomm has released patches for the flaws to “original equipment manufacturers” (OEMs) that use Qualcomm chips and software in the Android phones they produce. “For the GPU issues disclosed by the Android Security Red Team, patches were made available to OEMs in May 2024,” a Qualcomm spokesperson told WIRED. “We encourage end users to apply device manufacturer security updates as they become available.”

The Android ecosystem is complex, and patches must go from a vendor like Qualcomm to OEMs, and then be packaged by each individual device manufacturer and delivered to users’ phones. This cascade process can sometimes leave devices exposed, but Google has spent years investing in improving these pipelines and simplifying communication.

Still, these findings are further confirmation that GPUs themselves and the software that supports them have the potential to become a critical battleground for cybersecurity.

As Rodionov states, “the combination of high implementation complexity with wide accessibility makes it a very attractive target for attackers.”

Written by Anika Begay
