Samsung, Google patch QualPwn bugs that allow over-the-air attacks

Samsung and Google have released security updates to address critical flaws affecting Android devices with certain Qualcomm chips.

The trio of bugs, dubbed QualPwn by researchers at Tencent Blade Team, could be used by an attacker to compromise the Android kernel over-the-air without user interaction. 

The researchers, who will detail the attack at Black Hat, tested the bugs against Google Pixel 2 and Pixel 3 phones, but they note that any phones powered by Qualcomm’s Snapdragon 835 or 845 chipsets may be vulnerable. 

Google has released security updates that address the flaws and other Android flaws in the August update. It rates two of the Qualcomm flaws as “critical” and a third as a “high” severity issue. 

Samsung has also incorporated Google’s fixes for QualPwn bugs in its monthly update for Galaxy phones

The two critical flaws affect Qualcomm’s WLAN firmware, which can be used to compromise the WLAN chip and the modem. Another allows an attacker to compromise the Android kernel from the WLAN chip. 

Qualcomm describes both critical bugs as buffer flow issues and notes that they affect dozens of Snapdragon models, as well as several system on chips (SoCs) designed for IoT devices, such as cameras and home security products. Also affected are its SoCs for vehicle infotainment systems.  

The bugs have been assigned the identifiers CVE-2019-10539, CVE-2019-10540 and CVE-2019-10538, however the last one is only listed on Google’s bulletin. 

Fortunately, the Tencent researchers report that Qualcomm issued fixes to OEMs in June. They’re also not aware of any publicly available exploit code for the vulnerabilities. 

On a teaser for the researchers’ presentation at BlackHat this week, they explain that they used the flaw in the modem in order to defeat Qualcomm’s Secure Boot technology, a boot sequence that aims to ensure all software images that are loaded are authenticated and not malicious. 

After defeating Secure Boot they could elevate privileges into the modem locally, allowing them to setup a live debugger to probe Qualcomm’s baseband. 

The Tencent researchers last year showed off its ModKit debugger to target the Qualcomm baseband. 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags bugscritical flaws

More about GalaxyGoogleQualcommSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts