Samsung, Google patch QualPwn bugs that allow over-the-air attacks

Samsung and Google have released security updates to address critical flaws affecting Android devices with certain Qualcomm chips.

The trio of bugs, dubbed QualPwn by researchers at Tencent Blade Team, could be used by an attacker to compromise the Android kernel over-the-air without user interaction. 

The researchers, who will detail the attack at Black Hat, tested the bugs against Google Pixel 2 and Pixel 3 phones, but they note that any phones powered by Qualcomm’s Snapdragon 835 or 845 chipsets may be vulnerable. 

Google has released security updates that address the flaws and other Android flaws in the August update. It rates two of the Qualcomm flaws as “critical” and a third as a “high” severity issue. 

Samsung has also incorporated Google’s fixes for QualPwn bugs in its monthly update for Galaxy phones

The two critical flaws affect Qualcomm’s WLAN firmware, which can be used to compromise the WLAN chip and the modem. Another allows an attacker to compromise the Android kernel from the WLAN chip. 

Qualcomm describes both critical bugs as buffer flow issues and notes that they affect dozens of Snapdragon models, as well as several system on chips (SoCs) designed for IoT devices, such as cameras and home security products. Also affected are its SoCs for vehicle infotainment systems.  

The bugs have been assigned the identifiers CVE-2019-10539, CVE-2019-10540 and CVE-2019-10538, however the last one is only listed on Google’s bulletin. 

Fortunately, the Tencent researchers report that Qualcomm issued fixes to OEMs in June. They’re also not aware of any publicly available exploit code for the vulnerabilities. 

On a teaser for the researchers’ presentation at BlackHat this week, they explain that they used the flaw in the modem in order to defeat Qualcomm’s Secure Boot technology, a boot sequence that aims to ensure all software images that are loaded are authenticated and not malicious. 

After defeating Secure Boot they could elevate privileges into the modem locally, allowing them to setup a live debugger to probe Qualcomm’s baseband. 

The Tencent researchers last year showed off its ModKit debugger to target the Qualcomm baseband. 

Tags bugscritical flaws

Show Comments