QualPwn is a new exploit for Qualcomm Snapdragon chips, here's what you need to know
Your phone is built from a myriad of assorted parts, and many of them are "smart" and have their own built-in processors and firmware. That means there are plenty of places for bugs or vulnerabilities to be found that would allow a bad actor to have access to things they shouldn't. The companies who make these parts are always trying to improve and harden things to prevent it, but it's impossible for them to find everything before a component leaves the lab and ends up on the assembly line.
This makes finding these bugs and vulnerabilities an industry in its own right. At DEFCON 27 and Black Hat 2019, huge venues where exploits are made public and demonstrated (and hopefully patched), the Tencent Blade Team announced a vulnerability in Qualcomm chips that would allow an attacker to gain access through the kernel and potentially get into your phone and cause harm. The good news is that it was responsibly disclosed, and Qualcomm worked with Google to fix the issue in the August 2019 Android Security Bulletin.
Here's everything you need to know about QualPwn.
What is QualPwn?
Besides being a funny name, QualPwn describes a vulnerability in Qualcomm chips that would allow an attacker to compromise a phone remotely via the WLAN (Wireless Local Area Network) and cellular modem. The Qualcomm platform is protected by Secure Boot, but QualPwn defeats Secure Boot and gives an attacker access to the modem so that debugging tools can be loaded and the baseband can be controlled.
Once that happens, it's possible an attacker can exploit the kernel that Android runs atop of and gain elevated privileges — they can have access to your personal data.
We don't have all the details about how this would happen or how easy it would be, but those are coming during Tencent Blade's Black Hat 2019 and DEFCON 27 presentations.
What is a WLAN?
WLAN stands for Wireless Local Area Network and it's a catch-all name for any group of devices — including mobile phones — that communicate with each other wirelessly. A WLAN can use Wi-Fi, cellular, broadband, Bluetooth or any other wireless type to communicate and it's always been a honeypot for people looking for exploits.
Because so many different device types can be part of a WLAN, there are very specific standards for how a connection is created and maintained. Your phone, including components like Qualcomm's chips, needs to implement and follow these standards. As standards advance and new hardware is created, bugs and vulnerabilities in how connections are created can creep in.
Has QualPwn been fixed?
Yes. The Android Security Bulletin for August 2019 has all the code needed to patch affected devices from Qualcomm. Once your phone gets the August 2019 patch you're safe.
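A practical way to tell whether a phone has reached that patch level is to read the security patch date Android reports and compare it with the August 2019 bulletin. The script below is an added example written for this article, not code from Android Central, Google or Qualcomm. It assumes the standard `ro.build.version.security_patch` system property (format YYYY-MM-DD) and uses 2019-08-05 as the threshold, since the bulletin's "05" level is the one that covers the Qualcomm component fixes; the `adb`-based device check and the script name in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): decide whether an Android device's
# reported security patch level includes the August 2019 bulletin.
# Android publishes the level in the system property
# ro.build.version.security_patch as YYYY-MM-DD. The 2019-08-05 threshold
# (the bulletin level that covers Qualcomm components) and the adb-based
# device check are assumptions made for this illustration.

PATCHED_LEVEL="2019-08-05"

# patch_level_ok LEVEL
#   returns 0 if LEVEL is on or after PATCHED_LEVEL,
#           1 if it is earlier (the device is still waiting on the fix),
#           2 if LEVEL is not a YYYY-MM-DD date.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the hyphens so the two dates compare as plain integers (20190805).
    have=$(printf '%s' "$1" | tr -d '-')
    want=$(printf '%s' "$PATCHED_LEVEL" | tr -d '-')
    [ "$have" -ge "$want" ]
}

# describe LEVEL: print a human-readable verdict for a patch level string.
# The return code is captured with "|| rc=$?" so the function also behaves
# under "set -e".
describe() {
    rc=0
    patch_level_ok "$1" || rc=$?
    case $rc in
        0) echo "patch level $1: August 2019 bulletin applied" ;;
        1) echo "patch level $1: earlier than $PATCHED_LEVEL, wait for your OEM's update" ;;
        *) echo "patch level '$1': unrecognised value" ;;
    esac
    return $rc
}

# check_connected_device: read the property from a USB-attached phone via adb.
# adb output ends with CRLF, so strip both characters before comparing.
check_connected_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    describe "$level"
}

# Usage (script name is illustrative):
#   sh patch_check.sh --device      # needs adb and a connected, authorised phone
#   sh patch_check.sh 2019-07-05    # check a level you already know
case "${1:-}" in
    --device) check_connected_device ;;
    ?*) describe "$1" ;;
esac
```

Note that a phone reporting 2019-08-01 still counts as unpatched here: that level only covers the framework part of the bulletin, while the Qualcomm fixes sit at 2019-08-05. The reported date is also only what the manufacturer's build declares, so it is a useful first check rather than proof of which component firmware is actually installed.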
What devices are affected?
The Tencent Blade Team didn't test every phone using a Qualcomm chip, just the Pixel 2 and Pixel 3. Both were vulnerable, so all phones running on the Snapdragon 835 and 845 platforms are probably affected at a minimum. The code used to patch QualPwn can be applied to any phone running a Qualcomm processor and Android 7.0 or higher.
Until all the details are released, it's safe to assume that all modern Snapdragon chipsets should be considered at risk until patched.
Has QualPwn been used in the real world?
This exploit was responsibly disclosed to Google in March of 2019, and once verified it was forwarded to Qualcomm. Qualcomm notified its partners and sent out the code to patch it in June of 2019, and every piece of the chain was patched with the code used in the August 2019 Android Security Bulletin.
No instances of QualPwn being exploited in the wild have been reported. Qualcomm also issued the following statement regarding the issue:
What should I do until I get the patch?
There really isn't anything you can do right now. The issues have been marked as Critical by Google and Qualcomm and were promptly patched, so right now you have to wait for the company that made your phone to get the update to you. Pixel phones, like the Pixel 2 and 3, along with some others from Essential and OnePlus, already have the patch available. Phones from Samsung, Motorola, LG and other makers will likely take a few days to a few weeks to receive it.
In the meantime, follow the same best practices you should always be using:
- Always use a strong lock screen
- Never follow a link from someone you don't know and trust
- Never submit any personal details to websites or apps that you don't trust
- Never give your Google password to anyone besides Google
- Never reuse passwords
- Always use a good password manager
- Use two-factor authentication whenever you can
These practices may not prevent an exploit of this nature, but they can mitigate the damage if someone were to get a few of your personal details. Don't make it easy for the bad guys.
More information is coming
As mentioned, the Tencent Blade Team will be releasing all the details about QualPwn during upcoming presentations at both Black Hat 2019 and DEFCON 27. These conferences are centered on electronic device security and often are used to detail exploits like this.
Once Tencent Blade provides more details, we'll know more about what we can do to mitigate any risks with our own phones.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.
Welp, at least the Pixel owners and a scant few others are good. 🤣🤣🤣🤣
My Galaxy S10e is safe, too.
My Note 9 won't be safe until next month, at least.
It'll be about 3 weeks until my Nokia 7.1 is secure.
There's probably not even a one in a million chance of this actually happening. I just don't think I'm that special.
These days we have to expect that everyone has been hacked, but not everyone is aware. It doesn't matter how big or small of a public profile someone has if a script can be easily dispersed. Cast a wide net and see what you get.
My unlocked Galaxy S10+ is definitely vulnerable running May's security patch.
Check for an update. My S8+ and S7 just got July's security update. Hopefully the August update arrives faster.
Wasn't it industry practice to give 90 days to fix or 1 week after patch is available, whichever is shorter? I'd guess if it was responsibly disclosed in March we should have all the details in June.
Would be great if the ROM community could use this to unlock US Samsung phones.