Qualcomm WiFi: Infinity War

Conference:  BlackHat USA 2021



The presentation discusses vulnerabilities in Qualcomm Wi-Fi firmware and the need for continuous focus on Wi-Fi security.
  • Qualcomm Wi-Fi firmware has vulnerabilities that can be exploited by attackers
  • The vulnerabilities are caused by extensive stem or wp information element loss
  • The firmware has weak mitigations
  • Developers need to focus continuously on Wi-Fi security to prevent new vulnerabilities from emerging
The presentation mentions a logical vulnerability in Snapdragon 845 and 855 that can be triggered by sending multiple mail from the association with pastor friends. This vulnerability is located in the pe mode testing association passive frame and is caused by extensive stem or wp information element loss.
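The summary above attributes the bug to information-element handling in an association frame. The following is an added example, not code from the talk or from Qualcomm's firmware, showing the defensive check a management-frame parser needs: 802.11 information elements are 1-byte ID, 1-byte length, payload, and every declared length must be validated against the bytes actually remaining before it is used for copying. The sample frame bodies (`sample_assoc_ies`, `truncated_ies`) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One parsed 802.11 information element (tagged parameter). */
typedef struct {
    uint8_t id;          /* element ID (0 = SSID, 1 = Supported Rates, ...) */
    uint8_t len;         /* declared payload length */
    const uint8_t *data; /* pointer into the frame buffer */
} ie_t;

/* Walk the IE list in an association-frame body.
 * Returns the number of IEs found, or -1 if any IE header is truncated or
 * a declared length exceeds the bytes remaining (the over-read a parser
 * must refuse rather than trust). At most max_out entries are stored. */
int parse_ies(const uint8_t *buf, size_t buflen, ie_t *out, size_t max_out) {
    size_t off = 0;
    int count = 0;
    while (off < buflen) {
        if (buflen - off < 2)
            return -1;                       /* truncated ID/length header */
        uint8_t id = buf[off];
        uint8_t len = buf[off + 1];
        if ((size_t)len > buflen - off - 2)
            return -1;                       /* length overruns the frame */
        if ((size_t)count < max_out) {
            out[count].id = id;
            out[count].len = len;
            out[count].data = buf + off + 2;
        }
        count++;
        off += 2 + (size_t)len;
    }
    return count;
}

/* Copy an SSID IE into a caller-sized buffer with an explicit bound.
 * Returns the SSID length, or -1 if the IE is not an SSID or does not fit. */
int copy_ssid(const ie_t *ie, char *dst, size_t dstlen) {
    if (ie->id != 0)
        return -1;
    if ((size_t)ie->len >= dstlen)
        return -1;                           /* would overflow dst */
    memcpy(dst, ie->data, ie->len);
    dst[ie->len] = '\0';
    return ie->len;
}

/* Constructed sample: SSID "test" followed by Supported Rates {1, 2 Mbps}. */
const uint8_t sample_assoc_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x02, 0x82, 0x84
};
const size_t sample_assoc_ies_len = sizeof(sample_assoc_ies);

/* Constructed sample: SSID IE claiming 10 bytes but only 4 are present. */
const uint8_t truncated_ies[] = { 0x00, 0x0a, 't', 'e', 's', 't' };
const size_t truncated_ies_len = sizeof(truncated_ies);

int main(void) {
    ie_t ies[8];
    char ssid[33];
    int n = parse_ies(sample_assoc_ies, sample_assoc_ies_len, ies, 8);
    printf("valid frame: %d IEs\n", n);
    if (n > 0 && copy_ssid(&ies[0], ssid, sizeof ssid) >= 0)
        printf("SSID: %s\n", ssid);
    n = parse_ies(truncated_ies, truncated_ies_len, ies, 8);
    printf("truncated frame: %d (rejected)\n", n);
    return 0;
}
```

The point of `parse_ies` is that the declared length is checked before the pointer arithmetic, so a peer-controlled frame cannot steer a later `memcpy` past the receive buffer; `copy_ssid` then bounds the copy a second time against the destination, which is the check that matters when the destination is a fixed-size firmware structure.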


Qualcomm is the chip manufacturer with the highest market share in smartphones. With hundreds of millions of devices using Qualcomm WiFi chips, any security issue can have a big impact on users. Among these issues, the 0-click remote/adjacent attack surface is always the one of most concern to security researchers, because such attacks require no user interaction and can therefore be performed silently. Furthermore, as one of the most important short-distance communication protocols, WiFi is necessarily a major target of attackers. This talk explains to the audience the security risks faced by Qualcomm WiFi as well as its mitigations, illustrated by eight of the latest 0-click remote vulnerabilities we discovered. On the other hand, although Qualcomm's 2020 flagship Snapdragon 865 made many changes and security enhancements in WiFi, we still managed to find more security issues by conducting in-depth security research on the WiFi module of sdm865. In this talk, we also share our methodology for reverse engineering and exploiting WiFi on sdm865.