Vulnerability, Where Art Thou? An Investigation of Vulnerability Management in Android Smartphone Chipsets
Daniel Klischies, Philipp Mackensen, Veelasha Moonsamy

TL;DR
This paper conducts a comprehensive empirical study of Android smartphone chipset vulnerabilities, revealing inheritance across generations, poor disclosure adherence, and widespread impact on devices, while providing a knowledge base for improved security and research.
Contribution
It creates the first unified knowledge base of chipset vulnerabilities and analyzes their inheritance, disclosure practices, and impact on smartphone models.
Findings
Vulnerabilities are often inherited across chipset generations.
The 90-day disclosure period is rarely followed.
Single vulnerabilities can affect thousands of devices.
Abstract
Vulnerabilities in Android smartphone chipsets have severe consequences, as recent real-world attacks have demonstrated that adversaries can leverage vulnerabilities to execute arbitrary code or exfiltrate confidential information. Despite the far-reaching impact of such attacks, the lifecycle of chipset vulnerabilities has yet to be investigated, with existing papers primarily investigating vulnerabilities in the Android operating system. This paper provides a comprehensive and empirical study of the current state of smartphone chipset vulnerability management within the Android ecosystem. For the first time, we create a unified knowledge base of 3,676 chipset vulnerabilities affecting 437 chipset models from all four major chipset manufacturers, combined with 6,866 smartphone models. Our analysis revealed that the same vulnerabilities are often included in multiple generations of…
