Skip to main content

Vulnerability in Snapdragon chips, ‘QualPwn,’ fixed with August security patch

Avatar for Kyle Bradshaw  | Aug 6 2019 - 7:47 am PT
0 Comments
Qualcomm

When it comes to Android’s monthly security updates, some months can be more important than others. With the August 2019 Android security patch, Google and Qualcomm have fixed a set of “critical” vulnerabilities in their Snapdragon chips, dubbed “QualPwn,” that could allow hackers access to your phone’s underlying Linux kernel over the air.

Blade Team, a security research division within Tencent, disclosed a new chain of vulnerabilities within Qualcomm’s Snapdragon 835 and 845 chips. More precise details are going to be released later this week, but the gist is that a hacker on the same WiFi network can connect to debug settings of the Qualcomm modem chip. Through there, the hacker has direct access to your phone’s Linux kernel.

Tencent Blade states that they only directly tested on Google Pixel 2 and Pixel 3 devices, but given that the vulnerability is with their underlying Qualcomm Snapdragon 835 and 845 chips, more phones are sure to be affected. Thankfully, the team notes that this Snapdragon vulnerability has not been seen in use in the wild.

OEMs are fully aware of the particularly high risk involved with the QualPwn exploit and were given fixes by Qualcomm back in June. Google and Essential, as you would expect, have already released the August patch for their devices, but OnePlus also surprisingly rolled out the August patch in July.

Qualcomm gave a similar statement to ZDNet on the matter, noting that they’ve already done everything in their power to fix the Snapdragon vulnerability via the August patch and pass the fix along to the various OEMs.

Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.

If you’re interested in seeing a full demonstration of QualPwn in action, Tencent Blade will be presenting it at Black Hat USA 2019 on Thursday.

Add 9to5Google to your Google News feed. 

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Check out 9to5Google on YouTube for more news:

Check out 9to5Google on YouTube for more news:

Comments

Guides

Android

Android

Breaking news for Android. Get the latest on app…
Snapdragon 845

Snapdragon 845
Snapdragon 835

Author

Avatar for Kyle Bradshaw Kyle Bradshaw

Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and uncovering new features.

Got a tip or want to chat? Twitter or Email. Kyle@9to5mac.com