This article is more than 1 year old

It's 2019 – and you can completely pwn millions of Qualcomm-powered Androids over the air

Grab security patches now from chip designer, Google

Black Hat It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices.

Specifically, the following two security holes, dubbed Qualpwn and found by Tencent's Blade Team, can be leveraged one after the other to potentially take over a handheld:

  • CVE-2019-10540: This buffer-overflow flaw is present in Qualcomm's Wi-Fi controller firmware. It can be exploited by broadcasting maliciously crafted packets of data over the air so that, when they are received by at-risk devices, arbitrary code included in the packets is executed by the controller.

    This injected code runs within the context of the Wi-Fi controller, and can subsequently take over the adjoining cellular broadband modem. Thus, CVE-2019-10540 could be exploited by nearby miscreants over the air to silently squirt spyware into your phone to snoop on its wireless communications.

    There is also, we spotted, a related CVE-2019-10539 buffer-overflow vulnerability in the Wi-Fi firmware that is not referenced by Tencent and not part of the QualPwn coupling.

  • CVE-2019-10538: This vulnerability can be exploited by malicious code running within the Wi-Fi controller to overwrite parts of the Linux kernel running the device's main Android operating system, paving the way for a full device compromise.

    Essentially, CVE-2019-10538 lies in a Qualcomm Linux kernel component for Android. The Wi-Fi firmware is allowed to dictate the amount of data to be passed from the controller to the kernel, when the kernel should really check to make sure it isn't being tricked into overwriting critical parts of its memory. Without these checks, a compromised controller can run roughshod over the core of the Android operating system.

Thus, it is possible for a miscreant to join a nearby wireless network, seek out a vulnerable Qualcomm-powered Android device on the same Wi-Fi network, and send malicious packets over the air to the victim to exploit CVE-2019-10540. Next, the hacker can either compromise the cellular modem and spy on it, and/or exploit CVE-2019-10538 to take over the whole operating system at the kernel level to snoop on the owner's every activity and move.

Both bugs are confirmed by Tencent to exist in Google Pixel 2 and 3 devices, and anything using a Qualcomm Snapdragon 835 and 845. Meanwhile, Qualy, in its own advisory released on Monday, revealed many more of its chips – which are used in hundreds of millions of Android devices – are at risk, all the way up to its top-of-the-line Snapdragon 855. Basically, if your phone or tablet uses a recent Qualcomm chipset, it's probably at risk.


Exposed: Lazy Android mobe makers couldn't care less about security


The good news is that all the bugs have been patched by Qualcomm. CVE-2019-10538 lies within Qualy's open-source Linux kernel driver, and is available from Google. CVE-2019-10539 and CVE-2019-10540 are patched in Qualcomm's closed-source Wi-Fi controller firmware, which was distributed to device makers in June after Tencent privately alerts the chip designer in April.

Now for the bad news. When exactly these fixes will filter down to actual Android users is not clear: if you're using a supported Google-branded device, you should be able to pick up the updates as part of this month's security patch batch. If not, you're at the mercy of your device maker, and possibly cellular operator, to test, approve, and distribute the updates to punters.

Full details on the bugs and how they can be exploited are not public, and no exploits have been spotted in the wild. There is more good news: there are also various security hurdles to clear, within the Linux kernel and the Wi-Fi firmware, such as stack cookies and non-executable data areas before exploitation is successful. In other words, it is non-trivial to exploit Qualpwn, but not impossible.

Tencent's Peter Pi and NCC Group consultant Xiling Gong plan to describe the pair of programming blunders during talks at the Black Hat and DEF CON hacking conferences this week in Las Vegas.

But wait, there's more

Also out this week from Google are more security fixes for various parts of Android. The worst can be exploited by maliciously crafted media messages to take over a device.

Also, as for devices with Broadcom-based Bluetooth electronics: it's possible to pwn the gizmos over the air via malicious data packets, which seems pretty bad and worthy of a story on its own.

Here's a swift summary of the bugs:

  • CVE-2019-2120 in Android runtime "could enable a local attacker to bypass user interaction requirements in order to gain access to additional permissions."
  • CVE-2019-2121, CVE-2019-2122, and CVE-2019-2125 in Framework, with the "most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process."
  • CVE-2019-2126, CVE-2019-2128, CVE-2019-2127, and CVE-2019-2129 in Media Framework, with the "most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process."
  • CVE-2019-2130 to CVE-2019-2137 in System, with "most severe vulnerability in this section could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process."
  • CVE-2019-11516 in Broadcom's firmware that "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process."

There are also a bunch of other Qualcomm bugs (CVE-2019-10492, CVE-2019-10509, CVE-2019-10510, CVE-2019-10499, CVE-2019-10489, and CVE-2019-2294) fixed in the patch batch, from secure boot holes to Bluetooth mishandling.

Again, if you're using an officially supported Google-branded device, you should be getting these updates over the air soon if not already. If you're not, then, well, look for updates soon from your manufacturer and/or cellular network provider, or hope they can be installed automatically via Google Play services if they are not too low level. ®

PS: Google is adding support for Arm's memory-tagging security feature to Android.

More about


Send us news

Other stories you might like