18 zero-day vulnerabilities compromising device security were detected in Samsung’s Exynos chipsets, with seven of the most severe of these allowing for internet-to-baseband remote code execution.
Attackers can remotely compromise a phone at the baseband level with no user interaction, and require the victim’s phone number to compromise affected devices silently and remotely, Google’s Project Zero team said in a blog post.
Other vulnerabilities detected in Samsung’s Exynos chipsets were found to require either a malicious mobile network operator or an attacker with local access to the device.
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series were found to be affected. Additionally, devices from Vivo, including those in the S16, S15, S6, X70, X60, and X30 series, and Pixel 6 and Pixel 7 series from Google were also found to have been affected. Any devices that use the Exynos Auto T5123 chipset can also be affected by the reported security flaws.
(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)
The Exynos modem security bugs were reported between late 2022 and early 2023. While Pixel and Samsung devices have already received a fix for these vulnerabilities, vulnerabilities in impacted chipsets to other vendors are yet to be made available and cannot be applied by all affected users.
However, until patches are available users can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings to remove the risk of exploitation.
Google’s Project Zero team has also delayed the disclosure of the four vulnerabilities that allow for Internet-to-baseband remote code execution.
“Due to a very rare combination of the level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception”, the blog post said.
