Google’s bug bounty team detects 18 zero-day vulnerabilities in Samsung’s Exynos chipset 

18 zero-day vulnerabilities compromising device security were detected in Samsung’s Exynos chipsets by Google’s Project Zero team  

March 20, 2023 02:01 pm | Updated 02:01 pm IST

The Exynos modem security bugs were detected between late 2022 and early 2023 by Google’s bug bounty team. | Photo Credit: AP

18 zero-day vulnerabilities compromising device security were detected in Samsung’s Exynos chipsets, with seven of the most severe of these allowing for internet-to-baseband remote code execution.

Attackers can remotely compromise a phone at the baseband level with no user interaction; they require the victim’s phone number to compromise affected devices silently and remotely, Google’s Project Zero team said in a blog post.

Other vulnerabilities detected in Samsung’s Exynos chipsets were found to require either a malicious mobile network operator or an attacker with local access to the device.

Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series were found to be affected. Additionally, devices from Vivo, including those in the S16, S15, S6, X70, X60, and X30 series, and Pixel 6 and Pixel 7 series from Google were also found to have been affected. Any devices that use the Exynos Auto T5123 chipset can also be affected by the reported security flaws.

The Exynos modem security bugs were reported between late 2022 and early 2023. While Pixel and Samsung devices have already received a fix for these vulnerabilities, patches for impacted chipsets in other vendors’ devices are yet to be made available, so not all affected users can apply a fix.

However, until patches are available, users can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings to remove the risk of exploitation.

Google’s Project Zero team has also delayed the disclosure of the four vulnerabilities that allow for Internet-to-baseband remote code execution.

“Due to a very rare combination of the level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception”, the blog post said.
