QualPwn is a set of vulnerabilities found in Qualcomm Snapdragon 835 and 845 chips. One vulnerability compromises your phone’s WLAN and Modem over-the-air. The other can open backdoors for attackers to the Android Kernel from the WLAN chip. It was first identified by Tencent Blade Team and they have published their findings in BlackHat USA 2019 and DEFCON 27. Due to Non-Disclosure Clause, the nitty-gritty of the vulnerability isn’t revealed. That said, they have reported that the vulnerability hasn’t so far been exploited in the wild.

  • QualPwn is a set of two vulnerabilities.
  • These vulnerabilities (CVE-2019-10538 and CVE-2019-10540) are both caused due to a buffer overflow.

The Android Security Bulletin for August 2019 has issued security patches for two dangerous vulnerabilities affecting devices with Qualcomm chips. These two flaws are collectively known as QualPwn and allow attackers to compromise the WLAN and Android kernel over-the-air.

What is QualPwn?

Besides being a funny name, QualPwn describes a vulnerability in Qualcomm chips that would allow an attacker to compromise a phone via the WLAN (Wireless Local Area Network) and cell Modem remotely. The Qualcomm platform is protected by Secure Boot, but QualPwn defeats Secure Boot and gives an attacker access to the modem so that debugging tools can be loaded and the baseband can be controlled.

Once that happens, it’s possible an attacker can exploit the kernel that Android runs atop of and gain elevated privileges — they can have access to your personal data.

We don’t have all the details about how this would happen or how easy it would be, but those are coming during Tencent Blade’s Black Hat 2019 and DEFCON 27 presentations.

To spare you the gory details, QualPwn exploits WLAN interfaces on a given Qualcomm chipset to give an attacker control over the modem. From there, the kernel can be attacked and potentially get exploited by an attacker as well, who can then potentially gain full root access to someone else’s device. Anything could then be installed by a would-be attacker, compromising your data as a result. It could theoretically be used to gain root access on your own device, although there will need to be a lot of work put in to make that actually happen.

What is a WLAN?

WLAN stands for Wireless Local Area Network and it’s a catch-all name for any group of devices — including mobile phones — that communicate with each other wirelessly. A WLAN can use Wi-Fi, cellular, broadband, Bluetooth or any other wireless type to communicate and it’s always been a honeypot for people looking for exploits.

Because so many different device types can be part of a WLAN, there are very specific standards about how a connection is created an maintained. Your phone, including components like Qualcomm’s chips, needs to incorporate and follow these standards. As standards advance and new hardware is created, bugs and vulnerabilities in how connections are created can happen

What are the two flaws?

According to Tencent Blade, QualPwn is a set of two vulnerabilities. These vulnerabilities are CVE-2019-10538 and CVE-2019-10540. While the former is a high severity bug, the latter has received a critical severity rating.

  • The CVE-2019-10538 is a buffer overflow vulnerability that impacts the Qualcomm WLAN component and the Android Kernel. The flaw can be exploited by sending specially-crafted packets to a device’s WLAN interface. This allows attackers to run malicious code with kernel privileges.
  • The CVE-2019-10540 is another buffer overflow vulnerability that affects the Qualcomm WLAN and modem firmware. The flaw can be abused by sending specially-crafted packets to an Android device modem. This flaw also allows threat actors to execute code on the device.

What are the affected devices?

Researchers note that unpatched phones using Qualcomm Snapdragon 835 and Snapdragon 845 chips are vulnerable to QualPwn.

However, in its security advisory, Qualcomm has posted that the second vulnerability of QualPwn that affects many other chipsets including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.

Addressing the issues

The first issue has been patched with a code fix in the Android operating system source code, while the second bug has been patched with a code fix in Qualcomm’s closed source firmware that is shipped in a limited set of devices.

What devices are affected?

The Tencent Blade Team didn’t test every phone using a Qualcomm chip, just the Pixel 2 and Pixel 3. Both were vulnerable, so all phones running on the Snapdragon 835 and 845 platforms are probably affected at a minimum. The code used to patch QualPwn can be applied to any phone running a Qualcomm processor and Android 7.0 or higher.

Until all the details are released, it’s safe to assume that all modern Snapdragon chipsets should be considered at risk until patched.

Has QualPwn been used in the real world?

This exploit was responsibly disclosed to Google in March of 2019, and once verified it was forwarded to Qualcomm. Qualcomm notified its partners and sent out the code to patch it in June of 2019, and every piece of the chain was patched with the code used in the August 2019 Android Security Bulletin.

No instances of QualPwn being exploited in the wild have been reported. Qualcomm also issued the following statement regarding the issue:

Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.

What should I do until I get the patch?

There really isn’t anything you can do right now. The issues have been marked as Critical by Google and Qualcomm and were promptly patched, so right now you have to wait for the company that made your phone to get it to you. Pixel phones, like the Pixel 2 and 3, along with some others from Essential and OnePlus, already have the patch available. Others from Samsung, Motorola, LG, and others will likely take a few days to a few weeks to be pushed to phones.

In the meantime, follow the same best practices you should always be using:

  • Always use a strong lock screen
  • Never follow a link from someone you don’t know and trust
  • Never submit any personal details to websites or apps that you don’t trust
  • Never give your Google password to anyone besides Google
  • Never reuse passwords
  • Always use a good password manager
  • Use two-factor authentication whenever you can

Mitigation :

Thankfully, this bug hasn’t really been exploited in the wild, and it would require a huge number of theoretical conditions to come true before any of your data is at risk. You would need to connect to the same WiFi network as somebody who has knowledge of the exploit and knows how to abuse it (despite there being no public way of doing so at the time of writing). What’s more, the exploit is already fixed if your device has the August 2019 security patch, so interest will quickly die down amongst would-be exploiters. This bug may be why OnePlus rushed to publish the August security patches early, as the patches themselves weren’t under embargo, only the details of the exploits themselves were.

Nevertheless, this is still a critical security flaw and one that shouldn’t just be ignored. The fixes are in the hands of OEMs now, and there’s not a whole lot more than Qualcomm can actually do. If you can’t get over the list of potentially affected chipsets and you have no way of getting the latest security patches, then the only thing you can do is buy a new smartphone.