What Kaspersky Discovered Inside Qualcomm Chips
Security researchers from Kaspersky’s ICS CERT team have uncovered a critical Qualcomm vulnerability, cataloged as CVE-2026-25262, that challenges long-held assumptions about smartphone security. The flaw resides in the BootROM, read-only code etched directly into the chip’s silicon. On Qualcomm parts this code is the Primary Boot Loader (PBL): it is the first thing the chip runs, and it verifies and launches the next bootloader stage, which anchors the secure boot chain. Because BootROM code runs before the operating system and cannot be modified once manufactured, any weakness at this level is both powerful and permanent. By abusing the Sahara protocol in Emergency Download Mode (EDL), the researchers demonstrated that an attacker with brief physical access and a USB connection can upload and execute arbitrary code before any security controls activate. This turns routine situations, such as handing over a phone for repair or submitting a device for a temporary inspection, into potential attack vectors, allowing a hidden backdoor to be installed without any obvious signs to the user.
Why This Unpatchable Security Flaw Is So Severe
Unlike typical mobile device vulnerabilities that can be fixed with a firmware or operating system update, this Qualcomm vulnerability lives in the BootROM and is therefore unpatchable in devices already on the market. BootROM anchors the chain of trust: it verifies the next bootloader stage, which in turn verifies the one after it, and so on up to the OS, so a compromise of the root stage undermines every check that follows. The discovered bug is a classic “write-what-where” condition, enabling attackers to write attacker-controlled data to an attacker-chosen memory address. Once exploited through EDL’s Sahara protocol, it can give access to passwords, files, contact lists, location data, and even hardware sensors such as cameras and microphones. In some scenarios, full device takeover is possible. Because all of this occurs before normal security mechanisms load, traditional mobile security tools may never see the malicious changes. As a result, the smartphone security threat persists at a level that end users and many administrators cannot directly remediate.
Devices at Risk: From Budget Phones to Cars and IoT
The Qualcomm vulnerability affects several widely deployed chip series, including MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50. These aren’t niche components; they power a broad range of smartphones, automotive systems, and connected devices. The MDM9207, for example, is embedded in numerous IoT modules used in industrial equipment, smart home products, healthcare monitoring systems, logistics trackers, and even banking terminals. The MSM8916 is found in many budget smartphones, while the SDX50 is used in automotive control units. In all these cases, the vulnerability is reachable through Emergency Download Mode when a device is connected via USB. Although exploiting it requires physical access, real-world scenarios such as third-party repairs, device inspections, insider threats, or lost-and-returned gadgets create opportunities for attackers. A few minutes with a cable can be enough to implant a stealthy backdoor into everyday mobile and embedded hardware.
How the Attack Works and Why Physical Access Matters
The attack leverages Emergency Download Mode, a legitimate recovery feature designed to revive bricked devices. When EDL is active, the device waits for a USB connection and runs the Sahara protocol directly from the ARM Primary Boot Loader in BootROM. The device opens with a HELLO message that advertises its protocol version and maximum packet size; the connected computer answers with a HELLO_RESP that selects a mode; the device then pulls a specially signed loader utility in chunks, each READ_DATA request naming the offset and length it wants next, and the host responds with the raw bytes. The flaw lies in how these chunks are verified and handled before the image is trusted. By exploiting the write-what-where bug, a malicious actor can craft data that manipulates memory and injects arbitrary code. Because this stage runs before any user authentication or OS-level security, the attacker’s code executes with maximum privilege. The primary limitation is that attackers must physically connect to the device. However, situations like leaving a phone at an untrusted repair shop, passing it to someone to “help configure apps,” or having it detained for inspection can provide enough time to compromise it silently.
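To make the exchange concrete, the following added example models the Sahara handshake and chunked transfer described above (HELLO, HELLO_RESP, READ_DATA, raw data) with both the host and a simulated device, and closes with the kind of destination check a loader must get right when it copies a chunk into memory, which is where a write-what-where of the sort mentioned earlier comes from. This is example code written for this article, not Kaspersky’s research tooling or Qualcomm’s firmware. The frame layouts follow the publicly documented Sahara protocol; the simulated device, the image bytes, image id 13 and the two bounds-check functions are constructed for illustration and do not reproduce the actual defect behind CVE-2026-25262.

```python
"""Sahara (EDL) handshake model: device HELLO, host HELLO_RESP, chunked image pull.

Added example for illustration. Frame layouts follow the public Sahara protocol;
the simulated device, the sample image and the bounds checks are constructed and
are NOT a reproduction of the CVE-2026-25262 defect.
"""
from __future__ import annotations
import struct

# Sahara command ids; every frame starts with <u32 command><u32 total frame length>
HELLO, HELLO_RESP, READ_DATA, END_IMAGE_TX, DONE, DONE_RESP = 1, 2, 3, 4, 5, 6
READ_DATA_64 = 0x12
MODE_IMAGE_TX_PENDING = 0          # device is waiting for a loader image
MAX_PACKET = 0x400                 # max_packet_length a device typically advertises
LOADER_IMAGE_ID = 13               # image id used here for the loader (assumed value)

def parse_frame(frame: bytes) -> tuple[int, bytes]:
    """Split a frame into (command, body); the length field must match the frame size."""
    if len(frame) < 8:
        raise ValueError("short frame")
    cmd, length = struct.unpack_from("<II", frame, 0)
    if length != len(frame):
        raise ValueError(f"length field {length} != frame size {len(frame)}")
    return cmd, frame[8:]

def parse_hello(frame: bytes) -> dict:
    """Device -> host HELLO: version, compatible version, max packet, mode, 6 reserved words."""
    cmd, body = parse_frame(frame)
    if cmd != HELLO or len(body) != 0x28:
        raise ValueError("not a HELLO frame")
    version, compat, max_len, mode = struct.unpack_from("<IIII", body, 0)
    return {"version": version, "compatible": compat, "max_packet": max_len, "mode": mode}

def build_hello_resp(hello: dict, mode: int = MODE_IMAGE_TX_PENDING) -> bytes:
    """Host -> device HELLO_RESP: echo the versions, status 0 (ok), chosen mode, reserved words."""
    body = struct.pack("<IIII", hello["version"], hello["compatible"], 0, mode) + b"\0" * 24
    return struct.pack("<II", HELLO_RESP, 8 + len(body)) + body

def parse_read_data(frame: bytes) -> tuple[int, int, int]:
    """Device -> host READ_DATA / READ_DATA_64: (image_id, offset, length) wanted next."""
    cmd, body = parse_frame(frame)
    if cmd == READ_DATA and len(body) == 12:
        return struct.unpack("<III", body)
    if cmd == READ_DATA_64 and len(body) == 24:
        return struct.unpack("<QQQ", body)
    raise ValueError("not a READ_DATA frame")

def request_is_valid(image_len: int, req: bytes, max_packet: int) -> bool:
    """Host-side check: the requested window must lie inside the image and fit one packet."""
    _, offset, length = parse_read_data(req)
    return 0 < length <= max_packet and offset <= image_len and length <= image_len - offset

def host_serve_chunk(image: bytes, req: bytes, max_packet: int) -> bytes:
    """Answer a READ_DATA with raw image bytes, refusing out-of-range requests."""
    if not request_is_valid(len(image), req, max_packet):
        raise ValueError("device asked for a window outside the image")
    _, offset, length = parse_read_data(req)
    return image[offset:offset + length]

class SimDevice:
    """Toy PBL-side state machine: announce HELLO, then pull the image one packet at a time."""
    def __init__(self, image_size: int):
        self.image_size, self.received = image_size, bytearray()

    def hello(self) -> bytes:
        body = struct.pack("<IIII", 2, 1, MAX_PACKET, MODE_IMAGE_TX_PENDING) + b"\0" * 24
        return struct.pack("<II", HELLO, 8 + len(body)) + body

    def next_request(self) -> bytes | None:
        """READ_DATA for the next chunk, or None once the whole image has arrived."""
        offset = len(self.received)
        if offset >= self.image_size:
            return None
        length = min(MAX_PACKET, self.image_size - offset)
        return struct.pack("<IIIII", READ_DATA, 0x14, LOADER_IMAGE_ID, offset, length)

def run_transfer(image: bytes) -> tuple[bytes, int]:
    """Drive host and device together; returns (bytes the device assembled, chunk count)."""
    dev = SimDevice(len(image))
    hello = parse_hello(dev.hello())
    assert parse_frame(build_hello_resp(hello))[0] == HELLO_RESP
    chunks = 0
    while (req := dev.next_request()) is not None:
        dev.received += host_serve_chunk(image, req, hello["max_packet"])
        chunks += 1
    return bytes(dev.received), chunks

# Generic illustration of the class of check a loader applies before copying a chunk to
# a destination taken from untrusted data. Not the condition in the Qualcomm PBL.
def naive_dest_check(base: int, size: int, dst: int, length: int, bits: int = 32) -> bool:
    """The pattern to avoid: `dst + length <= end` in fixed-width arithmetic wraps around."""
    mask = (1 << bits) - 1
    return base <= dst and ((dst + length) & mask) <= base + size

def dest_in_region(base: int, size: int, dst: int, length: int, bits: int = 32) -> bool:
    """Wrap-safe version: compare the remaining room in the region against the length."""
    mask = (1 << bits) - 1
    if dst & ~mask or length & ~mask or length == 0 or dst < base or dst - base >= size:
        return False
    return length <= size - (dst - base)

SAMPLE_IMAGE = bytes(range(256)) * 10   # constructed 2560-byte stand-in for a signed loader
```

Running `run_transfer(SAMPLE_IMAGE)` pulls the 2560-byte stand-in image in three packets (1024, 1024, 512) and reassembles it byte for byte. The two check functions show why a bounds test must be written as "length against remaining room": with a 1 MiB region at `0x08000000`, a hostile length of `0xFFF20000` for a chunk aimed at `0x080F0000` wraps the naive sum back inside the region and passes, while the wrap-safe check rejects it.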
Practical Steps to Protect Yourself and Your Devices
Although Qualcomm cannot retroactively fix BootROM on existing chips, there are practical steps to reduce risk. First, maintain strict physical control over your smartphones and connected devices, especially when traveling or on business trips, and avoid leaving them unattended. Use only authorized or highly trusted service centers for repairs and maintenance to minimize exposure to malicious insiders. Keep firmware and operating systems updated; while this won’t remove the BootROM flaw, it reduces the chance that attackers can chain other vulnerabilities for broader compromise. On Android devices, reputable mobile security tools such as Kaspersky for Android can help detect related threats at higher layers. Stay alert to unusual behavior: unexpected overheating while idle, unexplained spikes in network traffic, or strange app activity may indicate compromise. If you suspect a problem, fully cutting power, by removing the battery or letting it drain to zero, clears malicious code that lives only in RAM and restores that part of the device to a clean state. Bear in mind what it does not do: anything an attacker wrote to flash through EDL survives a reboot, so a device that has been out of your control and shows signs of tampering should be reflashed from a trusted vendor image rather than simply power-cycled.
