In short: Google has issued a warning to users of some Android phones, wearables and vehicles after the Project Zero security analyst team reported eighteen zero-day vulnerabilities in Samsung’s Exynos modems.
The head of Google Project Zero, Tim Willis, wrote that the four most serious of the eighteen vulnerabilities reported in late 2022 and 2023 allow an attacker to remotely compromise a phone at the baseband level without user interaction. To compromise a vulnerable device, an attacker only needs to know the victim’s phone number.
A hacker using one of the vulnerabilities will get full access to all data that is transmitted to and from the device, including calls, text messages and mobile data. Willis writes that experienced attackers can quickly create an operational exploit for silent and remote compromise of vulnerable devices.
The remaining 14 vulnerabilities were not as serious, as they required either a malicious mobile network operator or an attacker with local access to the device.
Google has listed some devices with Exynos chipsets that are likely vulnerable to vulnerabilities:
- Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series.
- Vivo mobile devices, including the S16, S15, S6, X70, X60 and X30 series.
- The Pixel 6 and Pixel 7 series of devices from Google
- Any wearable devices using the Exynos W920 chipset (including Galaxy Watch 4 and 5)
- Any cars using the Exynos Auto T5123 chipset.
The good news for owners of affected Pixel devices is that they have already been fixed in the March 2023 security update. Project Zero researcher Maddy Stone tweeted that despite the fact that Samsung had 90 days to fix the vulnerabilities, Samsung still has not done so.
End-users still don't have patches 90 days after report…. https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
For owners of phones that have not been fixed yet, Google recommends disabling Wi-Fi calls and voice over LTE (VoLTE) in the device settings to eliminate the risk of exploiting these vulnerabilities.
