In brief: Google has issued a warning to users of certain Android handsets, wearables, and vehicles after its Project Zero team of security analysts reported eighteen zero-day vulnerabilities in Exynos modems produced by Samsung.
Google Project Zero head Tim Willis wrote that the four most serious of the eighteen vulnerabilities, all of which were reported in late 2022 and 2023, allow an attacker to remotely compromise a phone at the baseband level with no user interaction. Compromising a vulnerable device would only require an attacker to know a target’s phone number.
A hacker exploiting one of the vulnerabilities would gain total access to all the data moving to and from the device, including calls, texts, and cellular data. Willis writes that skilled attackers could quickly create an operational exploit to compromise affected devices silently and remotely.
The remaining 14 vulnerabilities were not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.
Pixel owners don’t have to worry
Google listed some of the devices featuring the Exynos chipsets that are likely impacted by the vulnerabilities:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
- The Pixel 6 and Pixel 7 series of devices from Google
- Any wearables that use the Exynos W920 chipset (including the Galaxy Watch 4 and 5)
- Any vehicles that use the Exynos Auto T5123 chipset
The good news for owners of affected Pixel devices is that they were already patched in the March 2023 security update. Project Zero researcher Maddie Stone tweeted that despite having 90 days to patch the vulnerabilities, Samsung still hasn’t done so.
End-users still don’t have patches 90 days after report….
— Maddie Stone (@maddiestone) March 16, 2023
For owners of the handsets that have yet to be patched, Google recommends switching off Wi-Fi calling and Voice over LTE (VoLTE) in the device settings to remove the exploitation risk of these vulnerabilities.