
Vulnerability, Where Art Thou? An Investigation of Vulnerability Management in Android Smartphone Chipsets

Daniel Klischies, Philipp Mackensen, Veelasha Moonsamy

TL;DR

This paper addresses the vulnerability management of Android smartphone chipsets by constructing a unified knowledge base of 3,676 vulnerabilities across 437 chipset models and 6,866 smartphone models, linking vulnerabilities to chipsets, devices, and updates from multiple vantage points. It empirically analyzes the vulnerability lifecycle across four phases, revealing that most chipset vulnerabilities are inherited across generations, that patching is often delayed, and that information across chipset manufacturer (CM), NVD, and AOSP sources is inconsistent. The authors find that firmware vulnerabilities tend to be more severe than driver vulnerabilities, and that update coordination between CMs and OEMs is frequently poor, leaving many devices exposed for extended periods. They propose industry-wide recommendations, including strengthening CM internal security, prioritizing firmware, and improving AOSP bulletin completeness, to enhance the security posture of Android devices and enable more representative research use cases.

Abstract

Vulnerabilities in Android smartphone chipsets have severe consequences, as recent real-world attacks have demonstrated that adversaries can leverage vulnerabilities to execute arbitrary code or exfiltrate confidential information. Despite the far-reaching impact of such attacks, the lifecycle of chipset vulnerabilities has yet to be investigated, with existing papers primarily investigating vulnerabilities in the Android operating system. This paper provides a comprehensive and empirical study of the current state of smartphone chipset vulnerability management within the Android ecosystem. For the first time, we create a unified knowledge base of 3,676 chipset vulnerabilities affecting 437 chipset models from all four major chipset manufacturers, combined with 6,866 smartphone models. Our analysis revealed that the same vulnerabilities are often included in multiple generations of chipsets, providing novel empirical evidence that vulnerabilities are inherited through multiple chipset generations. Furthermore, we demonstrate that the commonly accepted 90-day responsible vulnerability disclosure period is seldom adhered to. We find that a single vulnerability often affects hundreds to thousands of different smartphone models, for which update availability is, as we show, often unclear or heavily delayed. Leveraging the new insights gained from our empirical analysis, we recommend several changes that chipset manufacturers can implement to improve the security posture of their products. At the same time, our knowledge base enables academic researchers to conduct more representative evaluations of smartphone chipsets, accurately assess the impact of vulnerabilities they discover, and identify avenues for future research.

Paper Structure

This paper contains 39 sections, 10 figures, and 4 tables.

Figures (10)

  • Figure 1: Lifecycle of chipset vulnerabilities in the Android ecosystem.
  • Figure 2: Origin and persistence of discovered vulnerabilities in the average chipset model. Arrows symbolize the direction in which vulnerabilities propagate.
  • Figure 3: Vulnerabilities published per year per CM. Bars show the total number of published vulnerabilities, lines show the fraction of vulnerabilities discovered internally by each CM.
  • Figure 4: Severity distribution of firmware and driver vulnerabilities. Severity information is based on NIST analysis.
  • Figure 5: Time frame from vulnerability disclosure to patch availability, each marker representing a single vulnerability. Graph cut-off at $y=700$ days for readability. Mediatek and Unisoc are excluded due to missing discovery date information.
  • ...and 5 more figures