Logo: Qualcomm // Composition: ZDNet
The first issue was patched with a code fix in the Android operating system source code, while the second bug was patched with a code fix in Qualcomm’s closed-source firmware that ships on a limited set of devices.
Tencent researchers said they only tested the QualPwn attacks on Google Pixel 2 and Pixel 3 devices, using Qualcomm Snapdragon 835 and Snapdragon 845 chips.
However, in a security advisory posted on its website for the second bug (CVE-2019-10540), Qualcomm said this vulnerability impacted many more other chipsets, including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.
Tencent Blade said they discovered the bugs on their own, and that they haven’t seen any public exploitation attempts, to their knowledge.
The researchers plan to provide a more in-depth look at the QualPwn vulnerabilities and the over-the-air attack at the Black Hat USA 2019 security conference, this week, and the DEFCON 27 security conference, the week after that.
More vulnerability reports:
Urgent11 security flaws impact routers, printers, SCADA, and many IoT devicesCisco to pay $8.6 million for selling vulnerable software to US government
Google: 95.8% of all bug reports are fixed before deadline expiresNew Dragonblood vulnerabilities found in WiFi WPA3 standardApple’s AWDL protocol plagued by flaws that enable tracking and MitM attacksiPhone Bluetooth traffic leaks phone numbers — in certain scenariosGoogle will now pay up to $30,000 for reporting a Chrome bug CNETTop 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic
Related Topics:
Security TV
Data Management
CXO
Data Centers