Jump to content

QualPwn - Taking over Android via Snapdragon

justpoet
 Share
Posted

This is a couple days late, but I figured it was worth putting here since I haven't seen it yet.

TLDR: Bad remote exploit, fixed in latest patch.

 

Quote

Two serious vulnerabilities in Qualcomm's Snapdragon system-on-a-chip (SoC) WLAN firmware could be leveraged to compromise the modem and the Android kernel over the air.

The flaws were found in Qualcomm's Snapdragon 835 and 845 WLAN component. The tests were made on Google Pixel 2 and 3

 

https://www.bleepingcomputer.com/news/security/qualpwn-bugs-in-snapdragon-soc-can-attack-android-over-the-air/

 

Licensees were informed in June that this was an issue and that software patches would be forthcoming.  Those went out in the latest Android update.  So, it you can, update.  This is also a good reason to be on a properly supported phone, rather than just a cheap Android or one that is stuck on a carrier based OS variant.  Pointed out in a little more roundabout way from the article.

Quote

The chip maker advises "end users to update their devices as patches become available from OEMs."  Despite patches being available, a high number of phones is likely to remain vulnerable for a long time as the devices may no longer be eligible for updates from the vendor.  Also, not all makers are ready to push the Android update when Google releases it. It is common to see security updates for phones still supported by their maker reach devices with weeks of delay.

 

For those interested in further details, and possibly other related exploits, more should become available at blackhat tomorrow.

https://www.blackhat.com/us-19/briefings/schedule/index.html#exploiting-qualcomm-wlan-and-modem-over-the-air-15481

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

If I remember correctly these patches were in the August 1st security patch.

 

If you have an Android phone initially released from November 2017 to Janurary 2019 you are likely affected.
 

You can check if you're affected by going to Settings -> System -> About Phone -> Android Security Patch level. Anything older than Aug 1, 2019 is affected.

 

The unfortunate thing about this is most of these phones are over a year old and are unlikely to get patched by Vendors and even those that do will usually have at least a 3 month delay.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Tech News

×