Google is urging owners of certain Android phones to take urgent action to protect themselves from critical vulnerabilities that give skilled hackers the ability to surreptitiously compromise their devices with a specially crafted call to their number. It is not clear whether all of the prompted actions are possible, however, and even if they were, they would strip the devices of most of their voice-communication capabilities.
The vulnerabilities affect Android devices using the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123 from Samsung’s semiconductor division. The vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, several mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are vulnerable only if they run an Exynos chipset, which includes the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs on a Qualcomm Snapdragon chip.
The flaw, tracked as CVE-2023-24033, and three others that have yet to receive a CVE designation make it possible for hackers to execute malicious code, Google’s Project Zero vulnerability team said Thursday. Code-execution flaws in the baseband can be particularly serious because the chipset runs with root-level system privileges to ensure that voice calls work reliably.
“Tests conducted by Project Zero confirm that these four vulnerabilities allow an attacker to compromise a phone at the baseband level without user intervention, only requiring that the attacker know the victim’s phone number,” Tim Willis of Project Zero wrote. “With limited additional research and development, we believe that skilled attackers will be able to quickly create an operational exploit to silently and remotely compromise affected devices.”
Earlier this month, Google released a patch for vulnerable Pixel 7 models, but fixes for Pixel 6 models have yet to reach many users (the Project Zero post incorrectly states otherwise). Samsung has released a patch for CVE-2023-24033, but it has not yet been delivered to end users. There is no indication that Samsung has released patches for the other three vulnerabilities. Until vulnerable devices are patched, they remain open to attacks that grant access at the deepest possible level.
The threat prompted Willis to put this advice at the top of Thursday’s post:
Until security updates are available, users who wish to protect themselves from baseband remote code execution vulnerabilities in Samsung’s Exynos chipset can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning these settings off will remove the risk of these vulnerabilities being exploited.
The problem is that it’s not entirely clear that it’s possible to turn off VoLTE, at least on many models. A screenshot an S22 user posted to Reddit last year shows the option to turn off VoLTE greyed out. While this user’s S22 was running a Snapdragon chip, the experience for users of Exynos-based phones will likely be the same.
And even if VoLTE could be turned off, doing so in conjunction with turning off Wi-Fi calling would turn phones into little more than small Android tablets. VoLTE came into wide use a few years ago, and since then most North American carriers have stopped supporting the older 3G and 2G frequencies.
Samsung representatives said in an email that the company released security patches in March for five of six vulnerabilities that “may affect specific Galaxy devices” and will fix the sixth flaw next month. The email did not answer questions about whether any of the patches are now available to end users or whether VoLTE can be turned off. It also did not acknowledge that the patches have not yet been delivered to end users.
Meanwhile, a Google representative declined to provide specific steps for implementing the advice in the Project Zero post. That means Pixel 6 users have no actionable mitigation steps while they wait for their devices to be updated. Readers who figure out a method are invited to explain the process (with screenshots, if applicable) in the comments section.
Given the seriousness of the bugs and the ease with which skilled hackers could exploit them, Thursday’s post omitted technical details. On its product security update page, Samsung described CVE-2023-24033 as “memory corruption when handling SDP attribute accept type.”
The advisory added, “The baseband software does not properly check the format types for the accept-type attribute defined by the SDP, which can lead to denial of service or code execution in the Samsung Baseband modem.” Users can disable Wi-Fi calling and VoLTE to mitigate the impact of this vulnerability.
Short for Session Description Protocol, SDP is a mechanism for establishing a multimedia session between two endpoints. Its main use is to set up VoIP calls and video conferencing streams. SDP uses an offer/answer model in which one party proposes a session description and the other party responds with the parameters it accepts.
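Samsung’s description of the flaw, a missing format-type check on SDP’s accept-type attribute, points to the general defensive pattern for baseband-style parsers: validate and bound every token before it is copied. The C parser below is an added example, not code from Samsung, Google or the article; it assumes the attribute takes the form `a=accept-types:<type> <type> ...` (the MSRP usage), and the size bounds and sample lines are constructed.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

#define MAX_TYPES 8      /* media types accepted per line (assumed bound) */
#define MAX_TYPE_LEN 63  /* longest "type/subtype" token kept (assumed bound) */

typedef struct { char types[MAX_TYPES][MAX_TYPE_LEN + 1]; int count; } accept_types_t;
static bool is_sep(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Conservative set of characters allowed in a type or subtype name. */
static bool is_token_char(unsigned char c) { return isalnum(c) || (c && strchr("!#$&-^_.+", c)); }

/* A format type is "*" or "type/subtype": exactly one '/', both sides non-empty,
 * only token characters, and short enough to fit the fixed-size slot. */
static bool valid_media_type(const char *s, size_t len) {
    if (len == 1 && s[0] == '*') return true;
    if (len == 0 || len > MAX_TYPE_LEN) return false;
    const char *slash = memchr(s, '/', len);
    if (slash == NULL || slash == s || slash == s + len - 1) return false;
    for (size_t i = 0; i < len; i++)
        if (s + i != slash && !is_token_char((unsigned char)s[i])) return false;
    return true;
}

/* Parse "a=accept-types:<type> <type> ...". Every token is validated and length-checked
 * before it is copied, so a malformed or oversized attribute is rejected (-1). */
int parse_accept_types(const char *line, accept_types_t *out) {
    static const char prefix[] = "a=accept-types:";
    out->count = 0;
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0) return -1;
    const char *p = line + sizeof(prefix) - 1;
    while (is_sep(*p)) p++;
    while (*p != '\0') {
        const char *end = p;
        while (*end != '\0' && !is_sep(*end)) end++;
        size_t len = (size_t)(end - p);
        if (out->count >= MAX_TYPES || !valid_media_type(p, len)) return -1;
        memcpy(out->types[out->count], p, len);
        out->types[out->count++][len] = '\0';
        for (p = end; is_sep(*p); p++) ;
    }
    return out->count > 0 ? out->count : -1;
}

/* Index of `type` in a validated line, or -1 if the line is rejected or lacks it. */
int accept_types_find(const char *line, const char *type) {
    accept_types_t t;
    if (parse_accept_types(line, &t) < 0) return -1;
    for (int i = 0; i < t.count; i++) if (strcmp(t.types[i], type) == 0) return i;
    return -1;
}
```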
The threat is serious, but again it only applies to people running an Exynos version of one of the affected models.
Until Samsung or Google says more, users of devices that remain vulnerable should (1) promptly install all available security updates that fix CVE-2023-24033, (2) turn off Wi-Fi calling, and (3) explore the settings for their specific model to see if VoLTE can be turned off. This post will be updated if either company responds with more useful information.
Post updated to correct definition of SDP.