Google has discovered 0-day vulnerabilities in Samsung’s Exynos modems that impact the most recent Pixel and Samsung devices.
Samsung’s Exynos modem chipsets are used in a variety of devices, including Google’s Pixel 6 and 7 line, as well as a wide range of Samsung’s devices. Unfortunately, Google’s Project Zero has discovered 18 0-day vulnerabilities in the chipset, four which can be executed remotely with no user interaction.
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
While still serious, the remaining 14 vulnerabilities are not as severe, since they require physical access to the device or a malicious network operator.
Google recommends turning off Wi-Fi calling and VoLTE on all impacted devices, including the list below:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google;
- any wearables that use the Exynos W920 chipset; and
- any vehicles that use the Exynos Auto T5123 chipset.
Google says patches should be issued to address the vulnerabilities permanently, with the March 2023 update for Pixels already including at least one fix:
We expect that patch timelines will vary per manufacturer (for example, affected Pixel devices have already received a fix for CVE-2023-24033 in the March 2023 security update). In the meantime, users with affected devices can protect themselves from the baseband remote code execution vulnerabilities mentioned in this post by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.
To be clear, this is about as bad as it gets, in terms of mobile vulnerabilities, and users should take the necessary steps to protect themselves.