Google’s Project Zero team discovered serious 0-day vulnerabilities with the Samsung Exynos modems used on the Pixel 6 and 7, Samsung phones and wearables, and other devices that justify disabling VoLTE and Wi-Fi calling until they are are patched.
Exynos modem vulnerabilities
Known for finding 0-days, Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. Four of the vulnerabilities, including CVE-2023-24033, involve Internet-to-baseband remote code execution (emphasis ours):
Tests conducted by Project Zero confirm that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction and only require the attacker to know the victim’s phone number. With limited additional research and development, we believe skilled attackers would be able to do this quickly create an operational exploit to silently and remotely compromise affected devices.
Meanwhile, the other 14 vulnerabilities are not considered as serious because they “require a malicious mobile network operator or an attacker with local access to the device.”
Project Zero is making a “policy exception to delay disclosure for the four vulnerabilities that allow Internet-to-baseband remote code execution.” This is “because of a very rare combination of the level of access these vulnerabilities provide and the speed at which we believe a reliable operational exploit can be made.”
According to Samsung Semiconductor (January 2023), the affected chipsets are: Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080 and Exynos Auto T5123. Google has compiled a list of likely affected products:
- Samsung Galaxy phones, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
- Vivo phones, including those in the S16, S15, S6, X70, X60, and X30 series
- Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
- All wearables using the Exynos W920 chipset
- All vehicles using the Exynos Auto T5123 chipset
In addition to the Pixel 6 (Exynos 5123) and 7 (Exynos 5300), this includes the S22, as well as the Galaxy Watch 4 and 5. On Pixel phones, the main CVE-2023-24033 vulnerability has been addressed with the March 2023 security patch that rolled out on Monday, but should have come a week earlier.
Turn off VoLTE and Wi-Fi calling
However, the Pixel 6, 6 Pro and 6a have yet to see that March update and are currently vulnerable. Project Zero’s advice for those affected follows:
Until security updates are available, users who want to protect themselves against baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Disabling these settings will remove the exploitation risk of these vulnerabilities.
According to an older Sprint/T-Mobile support article, “Google Pixel devices received software updates in 2021 that automatically enabled VoLTE and removed the toggle.” You can turn off Wi-Fi calling on Pixel phones in the Settings app > Network & Internet > SIM cards > Wi-Fi Calling.
FTC: We use auto affiliate links that generate revenue. More.
Watch 9to5Google on YouTube for more news: