QualPwn Overview: New vulnerability may affect more than the Snapdragon 835 and 845
Over the years, we’ve seen a number of scary Linux-based exploits make the spotlight. We’ve seen Stagefright, RAMpage, and Cloak and Dagger, just to name a few. When both OnePlus and Xiaomi decided to release their security updates early, some predicted that a major exploit was being patched with this month’s security patches. Those people were right: researchers at the Tencent Blade Team discovered a critical vulnerability that is confirmed to affect all devices with either the Qualcomm Snapdragon 835 or the Qualcomm Snapdragon 845. Dubbed “QualPwn,” the attack allows for remote exploitation of affected devices, and the fact that it affects devices with two popular chipsets meant it quickly made the rounds on the Internet. However, this attack potentially affects many more chipsets, so your device could be vulnerable too.
Qualcomm issued the following statement regarding this matter:
“Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.”
QualPwn – an overview
First and foremost, it’s worth noting that although this is considered a remote exploit, it relies on the device and the attacker being on the same network. You cannot attack an affected device strictly over the Internet, which means that the best way to protect yourself is to not use untrusted wireless networks. Therein lies the problem, though: anybody on the same network as you can theoretically attack your device without any user interaction whatsoever. All devices with the Qualcomm Snapdragon 835 or Snapdragon 845 chipsets are affected unless they have the August 2019 security patch. Even so, according to the white paper submitted by Tencent Blade for Black Hat, the exploit still hasn’t been completely fixed.
Curiously, Qualcomm’s security bulletin detailing the issues that they fixed in the past month has a list of chipsets that’s far more comprehensive than just the Snapdragon 835 and Snapdragon 845. Just take a look below.
- Snapdragon 636
- Snapdragon 665
- Snapdragon 675
- Snapdragon 712 / Snapdragon 710 / Snapdragon 670
- Snapdragon 730
- Snapdragon 820
- Snapdragon 835
- Snapdragon 845 / SD 850
- Snapdragon 855
- Snapdragon 8CX
- Snapdragon 660 Development Kit
- Snapdragon 630
- Snapdragon 660
- Snapdragon 820 Automotive
This entire list is what Qualcomm claims to have patched, meaning that pretty much any device with a chipset from the company released in the past two years is theoretically vulnerable. No public exploits have been found in the wild for any of these chipsets (including those tested by the Tencent Blade team), but it’s scary that such a large number of devices could potentially be vulnerable.
I did some digging and discovered that in the past, Qualcomm has been known to create security patches for major issues and even distribute them to some devices that aren’t affected by a particular bug, just in the interest of safety. It’s possible that has occurred for some of the chipsets listed here, but it’s also possible that the majority are theoretically vulnerable. So what can you do?
Thankfully, this bug hasn’t really been exploited in the wild, and a large number of conditions would have to come true before any of your data is at risk. You would need to connect to the same WiFi network as somebody who knows about the exploit and knows how to abuse it (despite there being no public way of doing so at the time of writing). What’s more, the exploit is already fixed if your device has the August 2019 security patch, so interest will quickly die down amongst would-be exploiters. This bug may be why OnePlus rushed to publish the August security patches early: the patches themselves weren’t under embargo, only the details of the exploits were.
Nevertheless, this is still a critical security flaw and one that shouldn’t just be ignored. The fixes are in the hands of OEMs now, and there’s not a whole lot more that Qualcomm can actually do. If the list of potentially affected chipsets worries you and you have no way of getting the latest security patches, then the only thing you can do is buy a new smartphone.
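The practical check that follows from the above is whether a device already reports the August 2019 security patch level. The script below is an added example, not code from the original article or from Tencent Blade or Qualcomm: it parses the output of `adb shell getprop` (Android’s standard `[key]: [value]` format) and compares the reported `ro.build.version.security_patch` against 2019-08-01. The board codenames `msm8998` (Snapdragon 835) and `sdm845` (Snapdragon 845) are widely used Android platform identifiers, not values from the article, and the sample `getprop` lines are constructed for the example.

```python
"""Check an Android device's reported security patch level against the
August 2019 patch level that carries the QualPwn fixes.

Added example; not from the original article. The property names are
standard Android build properties; the SoC codenames and the sample
getprop output are assumptions constructed for this example.
"""
from datetime import date

# Patch level the article says contains the fix.
FIX_PATCH_LEVEL = date(2019, 8, 1)

# ro.board.platform codenames for the two chipsets confirmed affected.
# Assumption of this example (well-known codenames, not from the article).
CONFIRMED_AFFECTED_PLATFORMS = {
    "msm8998": "Snapdragon 835",
    "sdm845": "Snapdragon 845",
}

# Constructed sample of `adb shell getprop` output.
SAMPLE_GETPROP = """\
[ro.board.platform]: [sdm845]
[ro.build.version.security_patch]: [2019-07-05]
[ro.product.model]: [EXAMPLE-DEVICE]
"""


def parse_getprop(output: str) -> dict:
    """Parse getprop lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]: [" not in line:
            continue
        key, _, value = line[1:].partition("]: [")
        props[key] = value.rstrip("]")
    return props


def parse_patch_level(value: str) -> date:
    """Security patch levels are reported as YYYY-MM-DD."""
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def assess(props: dict) -> dict:
    """Decide whether the reported patch level covers the fix and whether
    the SoC is one of the two confirmed-affected chipsets."""
    patch_raw = props.get("ro.build.version.security_patch", "")
    platform = props.get("ro.board.platform", "")
    try:
        patched = parse_patch_level(patch_raw) >= FIX_PATCH_LEVEL
    except ValueError:
        # Missing or malformed patch level: treat as not patched.
        patched = False
    chipset = CONFIRMED_AFFECTED_PLATFORMS.get(platform)

    if patched:
        verdict = "patch level at or past August 2019; fix present"
    elif chipset:
        verdict = f"{chipset} with pre-August-2019 patch level; update needed"
    else:
        verdict = ("pre-August-2019 patch level; chipset not among the two "
                   "confirmed affected, but Qualcomm's bulletin lists more")
    return {
        "platform": platform,
        "chipset": chipset,
        "patch_level": patch_raw,
        "patched": patched,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # To check a real device, replace SAMPLE_GETPROP with the output of
    # `adb shell getprop`.
    result = assess(parse_getprop(SAMPLE_GETPROP))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Devices that report no `ro.board.platform`, or a codename outside the two listed, still get a verdict based on the patch level alone, which matches the article’s point that Qualcomm’s bulletin covers far more chipsets than the two confirmed ones.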
What is QualPwn?
To spare you the gory details, QualPwn exploits the WLAN interface on a given Qualcomm chipset to give an attacker control over the modem. From there, the kernel can be attacked and potentially exploited as well, at which point the attacker could gain full root access to someone else’s device. A would-be attacker could then install anything, compromising your data as a result. It could theoretically be used to gain root access on your own device, although a lot of work would be needed to make that actually happen.