Vulnerabilities

Critical vulnerabilities affecting Snapdragon 835 and 845

Multiple Linux-based exploits have caught the attention of vulnerability testing experts in recent years, such as the dangerous Stagefright, RAMpage and Dagger. Recently, smartphone manufacturers Xiaomi and OnePlus released security updates unexpectedly early, which raised alarms about the possible existence of a serious vulnerability.

In the end these assumptions were right, as security firm Tencent reported a critical vulnerability affecting devices using Qualcomm Snapdragon 835 and Snapdragon 845 chipsets.

The attack, dubbed ‘QualPwn’ by experts, allows remote exploitation of compromised devices and, according to vulnerability testing experts, affects not only the two chipset models mentioned above but could also extend to other chip families, increasing the danger of this vulnerability. QualPwn exploits the WLAN interfaces on Qualcomm’s chipsets to grant hackers control over the modem, which would allow kernel attacks or root access to the victim’s device.

Although this is a remote execution flaw, exploitation depends on the device and requires the potential attacker to be on the same network. “You can’t attack any compromised device strictly over the Internet, so the best way to prevent these attacks is not to use unsecured wireless networks,” the experts mention.

However, this is also the main avenue of attack. Virtually anyone on the network could attack a device without user interaction; in addition, any device with Snapdragon 835 or Snapdragon 845 is exposed if it does not have the August 2019 security patch installed. As if that wasn’t enough, Tencent’s vulnerability analysis experts say this update does not fully fix the vulnerability.
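The exposure condition described above can be checked from the output of `adb shell getprop`. The following is an added example, not part of the original article; the `ro.board.platform` values for the two chipsets, the 2019-08-05 patch-level threshold and the sample device data are assumptions made for illustration.

```python
import re
from datetime import date

# Assumption: ro.board.platform values for the two chipsets the article names.
LISTED_PLATFORMS = {"msm8998": "Snapdragon 835", "sdm845": "Snapdragon 845"}
# Assumption: the August 2019 fixes ship under the 2019-08-05 patch level string.
REQUIRED_PATCH = date(2019, 8, 5)
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def patch_date(value):
    """Return a date for a YYYY-MM-DD patch level, or None if missing or malformed."""
    try:
        return date.fromisoformat(value or "")
    except ValueError:
        return None


def assess(props):
    """Classify one device against the condition stated in the article."""
    platform = props.get("ro.board.platform", "").lower()
    if platform not in LISTED_PLATFORMS:
        # The article notes other chip families may be affected too.
        return "soc-not-listed"
    level = patch_date(props.get("ro.build.version.security_patch"))
    if level is None:
        return "unknown-patch-level"
    return "patched" if level >= REQUIRED_PATCH else "exposed"


# Constructed sample input, not captured from a real device.
SAMPLE = """\
[ro.board.platform]: [sdm845]
[ro.build.version.security_patch]: [2019-07-01]
[ro.product.model]: [EXAMPLE-PHONE]
"""

if __name__ == "__main__":
    print(assess(parse_getprop(SAMPLE)))
```

A `patched` result only means the August 2019 patch level is present; as stated above, Tencent’s experts say that update does not fully fix the vulnerability.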

Last month Qualcomm released a list of updates for more than 20 chipsets, including Snapdragon. In other words, any chipset released by the company over the last two years could be vulnerable to this flaw. Although no cases of exploitation have been detected in real-world environments, the potential risk is enormous, experts say.

Fortunately it’s not all bad news; in addition
to no reported cases of exploitation, it has been reported that this scenario
would require multiple preconditions to be met, so the complexity of this
attack is considerably high. Another factor that helps users is the timely
release of the security patch, because while it is not a definitive solution,
it could help discourage attempts to exploit this flaw.

Although exploitation is very unlikely, QualPwn remains a critical vulnerability that should not escape the attention of the cybersecurity community. Experts in vulnerability testing from the International Institute of Cyber Security (IICS) mention that the solution is in the hands of the manufacturers, although once these flaws are discovered, very little can be done beyond releasing updates. If the user is unable to upgrade their chipset, it may be best to buy a new phone.
