QualPwn Bugs In Snapdragon SoC Can Attack Android Over the Air


Two serious vulnerabilities in the WLAN firmware of Qualcomm's system-on-a-chip (SoC) could be used to compromise the modem and the Android kernel.

The flaws were found in the WLAN components of Qualcomm's Snapdragon 835 and 845. The researchers tested them on the Google Pixel 2 and Pixel 3, but any unpatched phone running either SoC is exposed.

Critical and high-severity bugs

Security researchers from the Tencent Blade team found that a high-severity vulnerability (CVE-2019-10538) allows attackers to compromise the WLAN and the chip's modem over the air.

The second, CVE-2019-10540, is a buffer overflow rated critical severity; an attacker can use it to compromise the Android kernel from the WLAN component.

The researchers reported the flaws to Google and Qualcomm; only Android handsets that have not yet received the latest security updates are currently exploitable.

Qualcomm released an initial security bulletin to device makers (OEMs) on June 3, giving them time to prepare an Android update for their phones.

The chip maker's advice is for "end device users to update as patches become accessible from OEMs." Even with patches available, a large proportion of devices are likely to remain vulnerable, since many are no longer eligible for vendor updates.

Nor are all manufacturers ready to ship Android updates as soon as Google releases them; even on phones still supported by their maker, security updates commonly reach devices only weeks later.

Full disclosure ahead

Tencent's Blade researchers plan to present the technical details and exploitation of the QualPwn bugs at the Black Hat security conference on Thursday. A brief write-up on the two vulnerabilities has already been published.

“The subsystems on the Qualcomm platform are protected by the Secure Boot and cannot be touched externally. We will implement the vulnerability discovered in Modem to deflate the Secure Boot and uplift the privilege in the Modem locally, so that we can set up a live debugger for the basic band.”

With the debugger in place, the researchers could study the system's architecture, its components, and how code and data flow through it. This also let them map the WLAN firmware's attack surface.

The Black Hat presentation will cover exploitation of the WLAN firmware layer, its integration with the modem, the constraints of the separate user-space application, and access to the modem.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.