screw Qualcomm, what one wants is should work out of the box with recent Linux kernels on Open Source drivers only:
as far as i understand this… if you are concerned about the security of your phone… (banking apps… bitcoin wallets… but of course also in theory ransomeware for smart phones… encrypting all pictures etc.) better do not connect to untrusted wifis, have wifi usage turned off when you leave the house.
problem of course: can you trust then pulic wifis?
“A series of critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets over-the-air with no user interaction.
Discovered by security researchers from Tencent’s Blade team, the vulnerabilities, collectively known as QualPwn, reside in the WLAN and modem firmware of Qualcomm chipsets that powers hundreds of millions of Android smartphones and tablets.
According to researchers, there are primarily two critical vulnerabilities in Qualcomm chipsets and one in the Qualcomm’s Linux kernel driver for Android which if chained together could allow attackers to take complete control over targeted Android devices within their Wi-Fi range.
“One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstances,” researchers said in a blog post.
The vulnerabilities in question are:
- CVE-2019-10539 (“Buffer Copy Without Checking Size of Input in WLAN” Compromising WLAN) — The first flaw is a buffer overflow issue that resides in the Qualcomm WLAN firmware due to lack of length check when parsing the extended cap IE header length.
- CVE-2019-10540 (WLAN into Modem issue) — The second issue is also a buffer-overflow flaw that also resides in the Qualcomm WLAN firmware and affects its neighborhood area network (NAN) function due to lack of check of count value received in NAN availability attribute.
- CVE-2019-10538 (Modem into Linux Kernel issue) — The third issue lies in Qualcomm’s Linux kernel driver for Android that can be exploited by subsequently sending malicious inputs from the Wi-Fi chipset to overwrite parts of Linux kernel running the device’s main Android operating system.
Once compromised, the kernel gives attackers full system access, including the ability to install rootkits, extract sensitive information, and perform other malicious actions, all while evading detection.
Though Tencent researchers tested their QualPwn attacks against Google Pixel 2 and Pixel 3 devices that are running on Qualcomm Snapdragon 835 and Snapdragon 845 chips, the vulnerabilities impact many other chipsets, according to an advisory published by Qualcomm.
“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”
Researchers discovered the QualPwn vulnerabilities in February and March this year and responsibly reported them to Qualcomm, who then released patches in June and notified OEMs, including Google and Samsung.
Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to download the security patches as soon as they are available
Since Android phones are infamously slow to get patch updates, researchers have decided not to disclose complete technical details or any PoC exploit for these vulnerabilities anytime soon, giving end-users enough time to receive updates from their device manufacturers.
(5) Is there a workaround/fix?
We have reported all the details of the vulnerabilities to Google and Qualcomm who are have issued fixes. Qualcomm released a security bulletin to OEMs on 2019-6-03 describing the issues and requesting the OEMs to download and incorporate appropriate patches. Please check the security bulletin of Google and Qualcomm for further information and update.
Android security bulletin: https://source.android.com/security/bulletin/2019-08-01
Qualcomm security bulletin: https://www.qualcomm.com/company/product-security/bulletins
“In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation between WLAN and Modem, and then fully control the Modem over the air.
Setting up the real-time debugger is the key. Without the debugger, it’s difficult to inspect the program flow and runtime status. On the Qualcomm platform, subsystems are protected by the Secure Boot and unable to be touched externally. We’ll introduce the vulnerability we found in Modem to defeat the Secure Boot and elevate privilege into Modem locally so that we can setup the live debugger for baseband.
The Modem and WLAN firmware is quite complex and reverse engineering is a tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of WLAN firmware. We’ll share these techniques in detail, along with the zero-days we found on the attack surfaces.
There are multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.
Starting from Snapdragon 835, WLAN firmware is integrated into the Modem subsystem as an isolated user space application constraint. We’ll discuss these constraints, and then leverage the weakness we found to fully exploit Modem.”
Xiling Gong is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google and Qualcomm. He is the speaker of CanSecWest 2018.
Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of Google Android VRP in year 2016. He has spoken at many famous security conferences such as BlackHat, CanSecWest, HITB GSEC and Hitcon.