CVE-2020-11287
7.5 HIGH
📋 TL;DR
This vulnerability in Qualcomm Snapdragon chipsets allows attackers to link RTT (Round Trip Time) frames with non-randomized MAC addresses by comparing sequence numbers, potentially exposing location tracking and device identification information. It affects numerous Snapdragon product lines including Auto, Compute, Mobile, and IoT devices. The vulnerability enables information disclosure about device proximity and movement patterns.
💻 Affected Systems
Products:
- Snapdragon Auto
- Snapdragon Compute
- Snapdragon Connectivity
- Snapdragon Consumer Electronics Connectivity
- Snapdragon Consumer IOT
- Snapdragon Industrial IOT
- Snapdragon Mobile
- Snapdragon Voice & Music
- Snapdragon Wired Infrastructure and Networking
Versions: Specific affected versions not publicly detailed in advisory
Operating Systems: Android and other OS using affected Snapdragon chipsets
Default Config Vulnerable:
⚠️ Yes
Notes: Affects devices using vulnerable Snapdragon chipsets with Wi-Fi functionality enabled.
📦 What is this software?
Aqt1000 by Qualcomm
Ar8031 by Qualcomm
Ar8035 by Qualcomm
Csr8811 by Qualcomm
Csra6620 by Qualcomm
Csra6640 by Qualcomm
Csrb31024 by Qualcomm
Ipq6000 by Qualcomm
Ipq6010 by Qualcomm
Ipq6018 by Qualcomm
Ipq6028 by Qualcomm
Ipq8070 by Qualcomm
Ipq8070a by Qualcomm
Ipq8071 by Qualcomm
Ipq8071a by Qualcomm
Ipq8072 by Qualcomm
Ipq8072a by Qualcomm
Ipq8074 by Qualcomm
Ipq8074a by Qualcomm
Ipq8076 by Qualcomm
Ipq8076a by Qualcomm
Ipq8078 by Qualcomm
Ipq8078a by Qualcomm
Ipq8173 by Qualcomm
Ipq8174 by Qualcomm
Pm3003a by Qualcomm
Pm4125 by Qualcomm
Pm4250 by Qualcomm
Pm456 by Qualcomm
Pm6125 by Qualcomm
Pm6150 by Qualcomm
Pm6150a by Qualcomm
Pm6150l by Qualcomm
Pm6250 by Qualcomm
Pm6350 by Qualcomm
Pm640a by Qualcomm
Pm640l by Qualcomm
Pm640p by Qualcomm
Pm660 by Qualcomm
Pm660a by Qualcomm
Pm660l by Qualcomm
Pm670 by Qualcomm
Pm670l by Qualcomm
Pm7150a by Qualcomm
Pm7150l by Qualcomm
Pm7250 by Qualcomm
Pm7250b by Qualcomm
Pm8004 by Qualcomm
Pm8005 by Qualcomm
Pm8008 by Qualcomm
Pm8009 by Qualcomm
Pm8150 by Qualcomm
Pm8150a by Qualcomm
Pm8150b by Qualcomm
Pm8150c by Qualcomm
Pm8150l by Qualcomm
Pm8250 by Qualcomm
Pm855 by Qualcomm
Pm855a by Qualcomm
Pm855b by Qualcomm
Pm855l by Qualcomm
Pm855p by Qualcomm
Pm8998 by Qualcomm
Pmc1000h by Qualcomm
Pmd9655 by Qualcomm
Pmi632 by Qualcomm
Pmi8998 by Qualcomm
Pmk8002 by Qualcomm
Pmk8003 by Qualcomm
Pmm6155au by Qualcomm
Pmm8155au by Qualcomm
Pmm8195au by Qualcomm
Pmm855au by Qualcomm
Pmp8074 by Qualcomm
Pmr525 by Qualcomm
Pmr735a by Qualcomm
Pmr735b by Qualcomm
Pmx24 by Qualcomm
Pmx50 by Qualcomm
Pmx55 by Qualcomm
Qat3514 by Qualcomm
Qat3516 by Qualcomm
Qat3518 by Qualcomm
Qat3519 by Qualcomm
Qat3522 by Qualcomm
Qat3550 by Qualcomm
Qat3555 by Qualcomm
Qat5515 by Qualcomm
Qat5516 by Qualcomm
Qat5522 by Qualcomm
Qat5533 by Qualcomm
Qbt1500 by Qualcomm
Qbt2000 by Qualcomm
Qca1062 by Qualcomm
Qca1064 by Qualcomm
Qca4024 by Qualcomm
Qca6175a by Qualcomm
Qca6310 by Qualcomm
Qca6335 by Qualcomm
Qca6390 by Qualcomm
Qca6391 by Qualcomm
Qca6420 by Qualcomm
Qca6421 by Qualcomm
Qca6426 by Qualcomm
Qca6428 by Qualcomm
Qca6430 by Qualcomm
Qca6431 by Qualcomm
Qca6436 by Qualcomm
Qca6438 by Qualcomm
Qca6564a by Qualcomm
Qca6564au by Qualcomm
Qca6574 by Qualcomm
Qca6574a by Qualcomm
Qca6574au by Qualcomm
Qca6584au by Qualcomm
Qca6595 by Qualcomm
Qca6595au by Qualcomm
Qca6696 by Qualcomm
Qca8072 by Qualcomm
Qca8075 by Qualcomm
Qca8081 by Qualcomm
Qca8337 by Qualcomm
Qca9889 by Qualcomm
Qca9984 by Qualcomm
Qcm2290 by Qualcomm
Qcm4290 by Qualcomm
Qcm6125 by Qualcomm
Qcn5022 by Qualcomm
Qcn5024 by Qualcomm
Qcn5052 by Qualcomm
Qcn5054 by Qualcomm
Qcn5064 by Qualcomm
Qcn5122 by Qualcomm
Qcn5124 by Qualcomm
Qcn5152 by Qualcomm
Qcn5164 by Qualcomm
Qcn5550 by Qualcomm
Qcn7605 by Qualcomm
Qcn7606 by Qualcomm
Qcn9000 by Qualcomm
Qcn9074 by Qualcomm
Qcs2290 by Qualcomm
Qcs405 by Qualcomm
Qcs410 by Qualcomm
Qcs4290 by Qualcomm
Qcs605 by Qualcomm
Qcs610 by Qualcomm
Qcs6125 by Qualcomm
Qdm2301 by Qualcomm
Qdm2302 by Qualcomm
Qdm2305 by Qualcomm
Qdm2307 by Qualcomm
Qdm2308 by Qualcomm
Qdm2310 by Qualcomm
Qdm3301 by Qualcomm
Qdm5620 by Qualcomm
Qdm5621 by Qualcomm
Qdm5650 by Qualcomm
Qdm5652 by Qualcomm
Qdm5670 by Qualcomm
Qdm5671 by Qualcomm
Qdm5677 by Qualcomm
Qdm5679 by Qualcomm
Qet4100 by Qualcomm
Qet4101 by Qualcomm
Qet4200aq by Qualcomm
Qet5100 by Qualcomm
Qet6100 by Qualcomm
Qet6110 by Qualcomm
Qfs2530 by Qualcomm
Qfs2580 by Qualcomm
Qln1020 by Qualcomm
Qln1021aq by Qualcomm
Qln1030 by Qualcomm
Qln1031 by Qualcomm
Qln1036aq by Qualcomm
Qln4640 by Qualcomm
Qln4642 by Qualcomm
Qln4650 by Qualcomm
Qln5020 by Qualcomm
Qln5030 by Qualcomm
Qln5040 by Qualcomm
Qpa2625 by Qualcomm
Qpa4340 by Qualcomm
Qpa4360 by Qualcomm
Qpa4361 by Qualcomm
Qpa5460 by Qualcomm
Qpa5580 by Qualcomm
Qpa5581 by Qualcomm
Qpa6560 by Qualcomm
Qpa8673 by Qualcomm
Qpa8675 by Qualcomm
Qpa8686 by Qualcomm
Qpa8688 by Qualcomm
Qpa8801 by Qualcomm
Qpa8802 by Qualcomm
Qpa8803 by Qualcomm
Qpa8821 by Qualcomm
Qpa8842 by Qualcomm
Qpm2630 by Qualcomm
Qpm4650 by Qualcomm
Qpm5541 by Qualcomm
Qpm5577 by Qualcomm
Qpm5579 by Qualcomm
Qpm5620 by Qualcomm
Qpm5621 by Qualcomm
Qpm5657 by Qualcomm
Qpm5658 by Qualcomm
Qpm5670 by Qualcomm
Qpm5677 by Qualcomm
Qpm5679 by Qualcomm
Qpm6325 by Qualcomm
Qpm6375 by Qualcomm
Qpm6582 by Qualcomm
Qpm6585 by Qualcomm
Qpm8820 by Qualcomm
Qpm8830 by Qualcomm
Qpm8870 by Qualcomm
Qpm8895 by Qualcomm
Qsm7250 by Qualcomm
Qsw6310 by Qualcomm
Qsw8573 by Qualcomm
Qsw8574 by Qualcomm
Qtc410s by Qualcomm
Qtc800h by Qualcomm
Qtc800s by Qualcomm
Qtc801s by Qualcomm
Qtm525 by Qualcomm
Qtm527 by Qualcomm
Rsw8577 by Qualcomm
Sa415m by Qualcomm
Sa515m by Qualcomm
Sa6145p by Qualcomm
Sa6150p by Qualcomm
Sa6155 by Qualcomm
Sa6155p by Qualcomm
Sa8150p by Qualcomm
Sa8155 by Qualcomm
Sa8155p by Qualcomm
Sa8195p by Qualcomm
Sd 455 by Qualcomm
Sd 636 by Qualcomm
Sd 675 by Qualcomm
Sd 8c by Qualcomm
Sd 8cx by Qualcomm
Sd460 by Qualcomm
Sd660 by Qualcomm
Sd662 by Qualcomm
Sd665 by Qualcomm
Sd670 by Qualcomm
Sd675 by Qualcomm
Sd690 5g by Qualcomm
Sd710 by Qualcomm
Sd720g by Qualcomm
Sd730 by Qualcomm
Sd750g by Qualcomm
Sd765 by Qualcomm
Sd765g by Qualcomm
Sd768g by Qualcomm
Sd7c by Qualcomm
Sd845 by Qualcomm
Sd855 by Qualcomm
Sd865 5g by Qualcomm
Sdm630 by Qualcomm
Sdm830 by Qualcomm
Sdr051 by Qualcomm
Sdr052 by Qualcomm
Sdr425 by Qualcomm
Sdr660 by Qualcomm
Sdr660g by Qualcomm
Sdr675 by Qualcomm
Sdr735 by Qualcomm
Sdr735g by Qualcomm
Sdr8150 by Qualcomm
Sdr8250 by Qualcomm
Sdr845 by Qualcomm
Sdr865 by Qualcomm
Sdx50m by Qualcomm
Sdx55 by Qualcomm
Sdx55m by Qualcomm
Sdxr1 by Qualcomm
Sdxr2 5g by Qualcomm
Sm4125 by Qualcomm
Sm4350 by Qualcomm
Sm6250 by Qualcomm
Sm6250p by Qualcomm
Sm7250p by Qualcomm
Smb1351 by Qualcomm
Smb1354 by Qualcomm
Smb1355 by Qualcomm
Smb1380 by Qualcomm
Smb1381 by Qualcomm
Smb1390 by Qualcomm
Smb1395 by Qualcomm
Smb1396 by Qualcomm
Smb2351 by Qualcomm
Smr525 by Qualcomm
Smr526 by Qualcomm
Wcd9326 by Qualcomm
Wcd9335 by Qualcomm
Wcd9340 by Qualcomm
Wcd9341 by Qualcomm
Wcd9360 by Qualcomm
Wcd9370 by Qualcomm
Wcd9371 by Qualcomm
Wcd9375 by Qualcomm
Wcd9380 by Qualcomm
Wcd9385 by Qualcomm
Wcn3910 by Qualcomm
Wcn3950 by Qualcomm
Wcn3980 by Qualcomm
Wcn3988 by Qualcomm
Wcn3990 by Qualcomm
Wcn3991 by Qualcomm
Wcn3998 by Qualcomm
Wcn3999 by Qualcomm
Wcn6850 by Qualcomm
Wcn6851 by Qualcomm
Wgr7640 by Qualcomm
Whs9410 by Qualcomm
Wsa8810 by Qualcomm
Wsa8815 by Qualcomm
Wsa8830 by Qualcomm
Wsa8835 by Qualcomm
Wtr2965 by Qualcomm
Wtr3925 by Qualcomm
Wtr5975 by Qualcomm
Wtr6955 by Qualcomm
⚠️ Risk & Real-World Impact
Worst Case
Attackers can persistently track device locations, movements, and proximity to other devices, enabling physical surveillance, stalking, or targeted attacks based on location patterns.
Likely Case
Local attackers in Wi-Fi range can gather information about device presence, movement patterns, and potentially identify specific devices for further targeting.
If Mitigated
With proper network segmentation and monitoring, impact is limited to local network visibility rather than broader information disclosure.
🌐 Internet-Facing: LOW - This requires local network access and proximity to the target device.
🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit this for reconnaissance and tracking within the organization.
🎯 Exploit Status
Public PoC:
✅ No
Weaponized:
UNKNOWN
Unauthenticated Exploit:
⚠️ Yes
Complexity:
MEDIUM
Exploitation requires proximity to target device and knowledge of Wi-Fi network analysis techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Qualcomm February 2021 security bulletin for specific patched versions
Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/february-2021-bulletin
Restart Required: Yes
Instructions:
1. Check device manufacturer for firmware updates. 2. Apply Qualcomm-provided patches through OEM updates. 3. Reboot device after update installation. 4. Verify patch application through version checking.
🔧 Temporary Workarounds
Disable Wi-Fi when not needed
allTurn off Wi-Fi functionality to prevent RTT frame transmission
# Android: adb shell svc wifi disable
# Linux: sudo nmcli radio wifi off
Use MAC address randomization
androidEnable MAC address randomization features if available
# Android 10+: Settings > Network & internet > Wi-Fi > Wi-Fi preferences > Advanced > Randomize MAC address
🧯 If You Can't Patch
- Segment Wi-Fi networks to limit exposure to trusted devices only
- Implement network monitoring for unusual RTT frame patterns or MAC address correlation attempts
🔍 How to Verify
Check if Vulnerable:
Check device chipset model and firmware version against Qualcomm's advisory. Use commands like 'adb shell getprop ro.boot.hardware' for Android devices.Check Version:
# Android: adb shell getprop ro.build.fingerprint
# Linux: cat /proc/versionVerify Fix Applied:
Verify firmware version has been updated to post-February 2021 patches from device manufacturer.📡 Detection & Monitoring
Log Indicators:
- Unusual RTT frame patterns
- Multiple MAC address correlation attempts
- Wi-Fi driver errors or anomalies
Network Indicators:
- Excessive RTT frame transmission
- MAC address pattern analysis traffic
- Unusual proximity to multiple devices
SIEM Query:
source="wifi_logs" AND ("RTT" OR "round trip time") AND ("MAC correlation" OR "sequence number comparison")