
QualPwn – Exploiting Qualcomm WLAN and Modem over the Air - woliveirajr
https://blade.tencent.com/en/advisories/qualpwn/
======
gsich
I always associate Qualcomm with pain. Mainly because "Qual" means "pain" or
"suffering", "agony" in German.

~~~
Fnoord
I suppose the 'qual' stands for quality but as a Dutch person [the Dutch word
being kwel], I agree with your (German) assessment.

------
mappu
The whole world should count its lucky stars that this was Tencent discovering
and reporting the vulnerability, and not Huawei, who depending on the current
day-of-the-week might not be able to legally report it.

------
tyingq
_" the vulnerabilities allows attackers to compromise the WLAN and Modem over-
the-air. The other allows attackers to compromise the Android Kernel from the
WLAN chip."_

This seems big and unprecedented. Layperson in this area, so...am I wrong?

~~~
hannob
Yeah, you're wrong.

It's bad, but it's absolutely not unprecedented. The first time a similar
issue was discovered was by Project Zero:
https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html

It has some pretty damning facts, including that most mobile devices have some
form of IOMMU in theory, but they don't use it.

Later there was the Broadpwn vulnerability, which was very similar. I believe
there were more of them later.

~~~
d2mw
Google can claim many firsts, but hopping from a baseband to an application
processor most certainly isn't one of them. I'm sure you can find
presentations from e.g. CCC much older than 2017.

~~~
krageon
I think I saw a presentation on this at the CCC in 2016, but it might have
been another year.

------
Canada
This one deserves a Pwnie Award. Tencent has some excellent researchers.

------
elisharobinson
I think it's kind of fun when it's Google caught with its pants down; it's usually
Google's Project Zero who sets the 90-day deadline. I am happy if I just get
the patch for my old hardware.
