It's 2019 – and you can completely pwn millions of Qualcomm-powered Androids over the air

Grab security patches now from chip designer, Google

Black Hat It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices.

Specifically, the following two security holes, dubbed Qualpwn and found by Tencent's Blade Team, can be leveraged one after the other to potentially take over a handheld:

  • CVE-2019-10540: This buffer-overflow flaw is present in Qualcomm's Wi-Fi controller firmware. It can be exploited by broadcasting maliciously crafted packets of data over the air so that, when they are received by at-risk devices, arbitrary code included in the packets is executed by the controller.

    This injected code runs within the context of the Wi-Fi controller, and can subsequently take over the adjoining cellular broadband modem. Thus, CVE-2019-10540 could be exploited by nearby miscreants over the air to silently squirt spyware into your phone to snoop on its wireless communications.

    There is also, we spotted, a related CVE-2019-10539 buffer-overflow vulnerability in the Wi-Fi firmware that is not referenced by Tencent and not part of the QualPwn coupling.

  • CVE-2019-10538: This vulnerability can be exploited by malicious code running within the Wi-Fi controller to overwrite parts of the Linux kernel running the device's main Android operating system, paving the way for a full device compromise.

    Essentially, CVE-2019-10538 lies in a Qualcomm Linux kernel component for Android. The Wi-Fi firmware is allowed to dictate the amount of data to be passed from the controller to the kernel, when the kernel should really check to make sure it isn't being tricked into overwriting critical parts of its memory. Without these checks, a compromised controller can run roughshod over the core of the Android operating system.

Thus, it is possible for a miscreant to join a nearby wireless network, seek out a vulnerable Qualcomm-powered Android device on the same Wi-Fi network, and send malicious packets over the air to the victim to exploit CVE-2019-10540. Next, the hacker can either compromise the cellular modem and spy on it, and/or exploit CVE-2019-10538 to take over the whole operating system at the kernel level to snoop on the owner's every activity and move.

Both bugs are confirmed by Tencent to exist in Google Pixel 2 and 3 devices, and anything using a Qualcomm Snapdragon 835 and 845. Meanwhile, Qualy, in its own advisory released on Monday, revealed many more of its chips – which are used in hundreds of millions of Android devices – are at risk, all the way up to its top-of-the-line Snapdragon 855. Basically, if your phone or tablet uses a recent Qualcomm chipset, it's probably at risk.


Exposed: Lazy Android mobe makers couldn't care less about security


The good news is that all the bugs have been patched by Qualcomm. CVE-2019-10538 lies within Qualy's open-source Linux kernel driver, and is available from Google. CVE-2019-10539 and CVE-2019-10540 are patched in Qualcomm's closed-source Wi-Fi controller firmware, which was distributed to device makers in June after Tencent privately alerts the chip designer in April.

Now for the bad news. When exactly these fixes will filter down to actual Android users is not clear: if you're using a supported Google-branded device, you should be able to pick up the updates as part of this month's security patch batch. If not, you're at the mercy of your device maker, and possibly cellular operator, to test, approve, and distribute the updates to punters.

Full details on the bugs and how they can be exploited are not public, and no exploits have been spotted in the wild. There is more good news: there are also various security hurdles to clear, within the Linux kernel and the Wi-Fi firmware, such as stack cookies and non-executable data areas before exploitation is successful. In other words, it is non-trivial to exploit Qualpwn, but not impossible.

Tencent's Peter Pi and NCC Group consultant Xiling Gong plan to describe the pair of programming blunders during talks at the Black Hat and DEF CON hacking conferences this week in Las Vegas.

But wait, there's more

Also out this week from Google are more security fixes for various parts of Android. The worst can be exploited by maliciously crafted media messages to take over a device.

Also, as for devices with Broadcom-based Bluetooth electronics: it's possible to pwn the gizmos over the air via malicious data packets, which seems pretty bad and worthy of a story on its own.

Here's a swift summary of the bugs:

  • CVE-2019-2120 in Android runtime "could enable a local attacker to bypass user interaction requirements in order to gain access to additional permissions."
  • CVE-2019-2121, CVE-2019-2122, and CVE-2019-2125 in Framework, with the "most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process."
  • CVE-2019-2126, CVE-2019-2128, CVE-2019-2127, and CVE-2019-2129 in Media Framework, with the "most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process."
  • CVE-2019-2130 to CVE-2019-2137 in System, with "most severe vulnerability in this section could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process."
  • CVE-2019-11516 in Broadcom's firmware that "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process."

There are also a bunch of other Qualcomm bugs (CVE-2019-10492, CVE-2019-10509, CVE-2019-10510, CVE-2019-10499, CVE-2019-10489, and CVE-2019-2294) fixed in the patch batch, from secure boot holes to Bluetooth mishandling.

Again, if you're using an officially supported Google-branded device, you should be getting these updates over the air soon if not already. If you're not, then, well, look for updates soon from your manufacturer and/or cellular network provider, or hope they can be installed automatically via Google Play services if they are not too low level. ®

PS: Google is adding support for Arm's memory-tagging security feature to Android.

Other stories you might like

  • It's the flu season – FluBot, that is: Surge of info-stealing Android malware detected

    And a bunch of bank-account-raiding trojans also identified

    FluBot, a family of Android malware, is circulating again via SMS messaging, according to authorities in Finland.

    The Nordic country's National Cyber Security Center (NCSC-FI) lately warned that scam messages written in Finnish are being sent in the hope that recipients will click the included link to a website that requests permission to install an application that's malicious.

    "The messages are written in Finnish," the NCSC-FI explained. "They are written without Scandinavian letters (å, ä and ö) and include, for example, the characters +, /, &, % and @ in illogical places in the text to make it more difficult for telecommunications operators to filter the messages. The theme of the text may be that the recipient has received a voicemail message or a message from their mobile operator."

    Continue reading
  • AsmREPL: Wing your way through x86-64 assembly language

    Assemblers unite

    Ruby developer and internet japester Aaron Patterson has published a REPL for 64-bit x86 assembly language, enabling interactive coding in the lowest-level language of all.

    REPL stands for "read-evaluate-print loop", and REPLs were first seen in Lisp development environments such as Lisp Machines. They allow incremental development: programmers can write code on the fly, entering expressions or blocks of code, having them evaluated – executed – immediately, and the results printed out. This was viable because of the way Lisp blurred the lines between interpreted and compiled languages; these days, they're a standard feature of most scripting languages.

    Patterson has previously offered ground-breaking developer productivity enhancements such as an analogue terminal bell and performance-enhancing firmware for the Stack Overflow keyboard. This only has Ctrl, C, and V keys for extra-easy copy-pasting, but Patterson's firmware removes the tedious need to hold control.

    Continue reading
  • Microsoft adds Buy Now, Pay Later financing option to Edge – and everyone hates it

    There's always Use Another Browser

    As the festive season approaches, Microsoft has decided to add "Buy Now, Pay Later" financing options to its Edge browser in the US.

    The feature turned up in recent weeks, first in beta and canary before it was made available "by default" to all users of Microsoft Edge version 96.

    The Buy Now Pay Later (BNPL) option pops up at the browser level (rather than on checkout at an ecommerce site) and permits users to split any purchase between $35 and $1,000 made via Edge into four instalments spread over six weeks.

    Continue reading

Biting the hand that feeds IT © 1998–2021