Briefly: Google has issued a warning to users of certain Android devices, wearables, and vehicles after its Project Zero team of security analysts reported eighteen zero-day vulnerabilities in Samsung-made Exynos modems.
Google Project Zero chief Tim Willis books The four most serious vulnerabilities out of eighteen, all reported in late 2022 and 2023, allow attackers to remotely compromise a phone at the baseband level without user interaction. Hacking a vulnerable device only requires the attacker to know the target’s phone number.
A hacker who exploits a vulnerability will gain full access to all data transmitted to and from the device, including calls, texts, and cellular data. Willis writes that skilled attackers can quickly create an operational vulnerability to silently and remotely compromise affected devices.
The remaining 14 vulnerabilities were not severe, as they required either a malicious mobile network operator or an attacker to have local access to the device.
Pixel owners don’t have to worry
Google has listed some devices with Exynos chips that are likely to be affected by the vulnerabilities:
- Samsung mobile devices, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
- Vivo mobile devices, including those in the S16, S15, S6, X70, X60, and X30 series
- Google’s Pixel 6 and Pixel 7 series of devices
- Any wearable devices that use the Exynos W920 chipset (including the Galaxy Watch 4 and 5)
- Any vehicles using Exynos Auto T5123 chipset.
The good news for owners of affected Pixel devices is that it has already been patched in the March 2023 security update. Project Zero researcher Maddie Stone tweeted that although there are 90 days to patch the vulnerabilities, Samsung hasn’t done so yet.
End users still have no patches 90 days after submitting the report… https://t.co/dkA9kuzTso
– Maddie Stone (@maddiestone) March 16, 2023
For owners of phones that have not yet been patched, Google recommends that you turn off Wi-Fi Calling and Voice over LTE (VoLTE) in the device settings to remove the risk of these vulnerabilities being exploited.
