QualPwn is a new exploit for Qualcomm Snapdragon chips, here's what you need to know

Qualcomm generic logo
Qualcomm generic logo (Image credit: Harish Jonnalagadda / Android Central)

Your phone is built from a myriad of assorted parts, and many of them are "smart" and have their own built-in processors and firmware. That means there are plenty of places for bugs or vulnerabilities to be found that would allow a bad actor to have access to things they shouldn't. The companies who make these parts are always trying to improve and harden things to prevent it, but it's impossible for them to find everything before a component leaves the lab and ends up on the assembly line.

Most exploits are patched before anyone knows they exist, but some make it through.

This makes finding these bugs and vulnerabilities an industry in its own right. At DEFCON 27 and Black Hat 2019, huge venues where exploits are made public and demonstrated (and hopefully, patched), a vulnerability in Qualcomm chips has been announced by the Tencent Blade Team that would allow an attacker to gain access through the kernel and potentially get into your phone and cause harm. The good news is that it was responsibly announced and Qualcomm worked with Google to fix the issue with the August 2019 Android Security Bulletin.

Here's everything you need to know about QualPwn.

What is QualPwn?

Besides being a funny name, QualPwn describes a vulnerability in Qualcomm chips that would allow an attacker to compromise a phone via the WLAN (Wireless Local Area Network) and cell Modem remotely. The Qualcomm platform is protected by Secure Boot, but QualPwn defeats Secure Boot and gives an attacker access to the modem so that debugging tools can be loaded and the baseband can be controlled.

Once that happens, it's possible an attacker can exploit the kernel that Android runs atop of and gain elevated privileges — they can have access to your personal data.

We don't have all the details about how this would happen or how easy it would be, but those are coming during Tencent Blade's Black Hat 2019 and DEFCON 27 presentations.

What is a WLAN?

WLAN stands for Wireless Local Area Network and it's a catch-all name for any group of devices — including mobile phones — that communicate with each other wirelessly. A WLAN can use Wi-Fi, cellular, broadband, Bluetooth or any other wireless type to communicate and it's always been a honeypot for people looking for exploits.

Because so many different device types can be part of a WLAN, there are very specific standards about how a connection is created an maintained. Your phone, including components like Qualcomm's chips, need to incorporate and follow these standards. As standards advance and new hardware is created, bugs and vulnerabilities in how connections are created can happen.

Has QualPWN been fixed?

Yes. The Android Security Bulletin for August 2019 has all the code needed to patch affected devices from Qualcomm. Once your phone gets the August 2019 patch you're safe.

What devices are affected?

The Tencent Blade Team didn't test every phone using a Qualcomm chip, just the Pixel 2 and Pixel 3. Both were vulnerable, so all phones running on the Snapdragon 835 and 845 platforms are probably affected at a minimum. The code used to patch QualPwn can be applied to any phone running a Qualcomm processor and Android 7.0 or higher.

Until all the details are released, it's safe to assume that all modern Snapdragon chipsets should be considered at risk until patched.

Has QualPwn been used in the real world?

This exploit was responsibly disclosed to Google in March of 2019, and once verified it was forwarded to Qualcomm. Qualcomm notified its partners and sent out the code to patch it in June of 2019, and every piece of the chain was patched with the code used in the August 2019 Android Security Bulletin.

No instances of QualPwn being exploited in the wild have been reported. Qualcomm also issued the following statement regarding the issue:

Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.

What should I do until I get the patch?

There really isn't anything you can do right now. The issues have been marked as Critical by Google and Qualcomm and were promptly patched, so right now you have to wait for the company that made your phone to get it to you. Pixel phones, like the Pixel 2 and 3, along with some others from Essential and OnePlus, already have the patch available. Others from Samsung, Motorola, LG and others will likely take a few days to a few weeks to be pushed to phones.

In the meantime, follow the same best practices you should always be using:

  • Always use a strong lock screen
  • Never follow a link from someone you don't know and trust
  • Never submit any personal details to websites or apps that you don't trust
  • Never give your Google password to anyone besides Google
  • Never reuse passwords
  • Always use a good password manager
  • Use two-factor authentication whenever you can

More: Best Password Managers for Android in 2019

These practices may not prevent an exploit of this nature, but they can mitigate the damage if someone were to get a few of your personal details. Don't make it easy for the bad guys.

More information is coming

As mentioned, the Tencent Blade Team will be releasing all the details about QualPwn during upcoming presentations at both Black Hat 2019 and DEFCON 27. These conferences are centered on electronic device security and often are used to detail exploits like this.

Once Tencent Blade provides more details, we'll know more about what we can do to mitigate any risks with our own phones.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.