Android phones are in use across the planet; at any moment the sun is shining on an Android phone somewhere. A smartphone is an assembly of parts from multiple suppliers, and it seems one of those suppliers recently had another issue.
Android phones have seen many viable attacks over the years, and new ones appear with regularity, unfortunately for the consumer. One of the latest Android Security Bulletins was published in August 2019. Of the many vulnerabilities it listed, three involved the Qualcomm chip.
These attacks exploit a vulnerability in the Android kernel through the over-the-air (OTA) path. On a brighter note for the user, these are only partially remote attacks: the attacker cannot sit on a beach in the Caribbean and take over your phone. For the attack to work, the attacker and target must be on the same network, which significantly limits the pool of targets. Curiously, it also requires no user interaction, unlike a phishing attack that delivers malware; the attacks are carried in malicious packets sent OTA. Over a dozen chipsets are directly affected.
Fortunately for the user, patches for these have been made available. CVE-2019-10538 was fixed with a patch to the Android OS source code, while CVE-2019-10540 was fixed with code in Qualcomm's firmware. The distinction matters: Qualcomm's firmware is closed-source, whereas the Android OS is open source.
Specifically, three CVEs are involved: CVE-2019-10538, -10539 and -10540, all buffer overflows. CVE-2019-10538 affects the Qualcomm WLAN component and the Android kernel: packets crafted specifically for this purpose are sent to the WLAN to overwrite parts of the kernel, and once successful the attacker can run code with kernel privileges. CVE-2019-10539 lies in the WLAN firmware and stems from a missing length check against the IE header limit. Lastly, CVE-2019-10540 is a modem-to-kernel issue that also affects the Qualcomm WLAN; the nuance is that the flaw sits in the modem firmware shipped with the chip by the manufacturer. The attacker begins with a specially crafted packet aimed at the device's modem, and the attack works so well because the count value carried in those packets is not validated. This, too, allows code execution.
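The bug class behind the WLAN firmware flaw is a parser that trusts a length byte taken straight from the air. The following is an added, constructed illustration (not Qualcomm's code and not taken from any bulletin) of an 802.11-style Information Element walker in its unchecked and bounds-checked forms; the element ids, buffer sizes and sample frames are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 802.11-style Information Element (IE) walker: each IE is a 1-byte
 * id, a 1-byte length, then `length` payload bytes. Not Qualcomm's code. */
#define SSID_IE_ID 0
#define SSID_MAX   32

/* Vulnerable pattern: the length byte arrives over the air and sizes the copy
 * directly, so a long IE overflows `out` and a short frame is over-read. */
int copy_ie_unchecked(const uint8_t *frame, size_t frame_len,
                      uint8_t want, uint8_t *out)
{
    for (size_t off = 0; off + 2 <= frame_len; off += 2 + frame[off + 1])
        if (frame[off] == want) {
            memcpy(out, frame + off + 2, frame[off + 1]);   /* no capacity check */
            return frame[off + 1];
        }
    return -1;
}

/* Hardened pattern: each length is bounded by the bytes remaining in the
 * received frame and, for the copy, by the destination capacity. */
int copy_ie_checked(const uint8_t *frame, size_t frame_len,
                    uint8_t want, uint8_t *out, size_t out_len)
{
    for (size_t off = 0; off + 2 <= frame_len; ) {
        uint8_t id = frame[off], len = frame[off + 1];
        if (len > frame_len - off - 2) return -1;   /* claims more than frame holds */
        if (id == want) {
            if (len > out_len) return -1;           /* larger than destination */
            memcpy(out, frame + off + 2, len);
            return len;
        }
        off += 2 + len;
    }
    return -1;                                      /* IE not present */
}

/* Constructed frames: a well-formed SSID IE "lab" plus an unknown IE (id 7), and
 * one whose SSID length byte claims 40 bytes inside a 6-byte frame. */
static const uint8_t good_frame[] = { SSID_IE_ID, 3, 'l', 'a', 'b', 7, 1, 0xAA };
static const uint8_t bad_frame[]  = { SSID_IE_ID, 40, 'l', 'a', 'b', 0 };
/* Runs either parser against a fixed-size buffer and returns its result. */
int demo(const uint8_t *frame, size_t n, uint8_t want, int hardened)
{
    uint8_t buf[SSID_MAX];
    return hardened ? copy_ie_checked(frame, n, want, buf, sizeof buf)
                    : copy_ie_unchecked(frame, n, want, buf);
}
```

The count value described for the modem flaw needs the same discipline: a count read from the packet is only trusted after checking that count times the entry size fits within the bytes actually received.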
In theory, -10538 and -10540 could be chained together, giving attackers complete control over any Android phone on the attacker's WiFi. That full access lets an attacker install any app or rootkit, exfiltrate sensitive data, and carry out other wholly malicious activities.
This is not a staff training issue but a failure to apply security within the SDLC. A portion of these issues could have been caught with cybersecurity applied throughout the project and a thorough pentest.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.