Google security analysts have warned users of Android devices that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack their handsets and remotely control them using just the phone number.
Between late 2022 and early this year, Google’s Project Zero found and reported 18 of these bugs in Samsung’s Exynos mobile modem firmware, according to Tim Willis, who heads the bug-hunting team. Four of the 18 zero-day flaws could allow Internet-to-baseband remote code execution. The baseband or modem portion of a device typically has privileged low-level access to all hardware, and so exploiting bugs in the code can give an intruder complete control of the phone or device. Technical details of these holes have been withheld for now to protect users of vulnerable equipment.
“Tests conducted by Project Zero confirm that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user intervention, and require only that the attacker know the victim’s phone number,” Willis wrote in an analysis of the security flaws.
Skilled attackers could quickly create an operational exploit to silently and remotely compromise affected devices
“With limited additional research and development, we believe that skilled attackers can quickly create an operational exploit to silently and remotely compromise affected devices,” he added.
One of these four serious bugs has been assigned a CVE number and is being tracked as CVE-2023-24033. The other three are waiting for bug IDs.
The other 14 issues are not as serious and require “either a malicious mobile network operator or an attacker with local access to the device,” Willis said. These include CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine other vulnerabilities that have not yet been assigned identifiers.
Affected devices include those using the Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series chips; Vivo mobile devices, including the S16, S15, S6, X70, X60, and X30 series; Google’s Pixel 6 and Pixel 7 series devices; and vehicles using the Exynos Auto T5123 chipset.
Google released a fix for CVE-2023-24033 affecting Pixel devices in the March security update. Until the other manufacturers close the gap, Willis suggests turning off Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against remote baseband code execution if you’re using a vulnerable device powered by Samsung’s silicon.
And, as always, patch your gadgets as soon as the software updates are available.
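The practical question for anyone managing a fleet of Android handsets is whether a given device has actually received the March 2023 update. The following script is an added example, not part of the original article or of Google's or Samsung's tooling: it parses the output of `adb shell getprop` (the `ro.build.version.security_patch` property is the standard Android field that records the patch level), and flags devices whose patch level predates March 2023. The sample `getprop` text is constructed for this example; the device codename and property values in it are assumptions.

```python
from datetime import date

# Constructed sample of `adb shell getprop` output for a hypothetical unpatched
# device. Property names are standard Android ones; the values are made up.
SAMPLE_UNPATCHED = """\
[ro.build.version.security_patch]: [2023-02-05]
[ro.build.version.release]: [13]
[ro.product.model]: [Pixel 6]
[ro.hardware]: [oriole]
"""

# Constructed sample for the same hypothetical device after the March update.
SAMPLE_PATCHED = """\
[ro.build.version.security_patch]: [2023-03-05]
[ro.build.version.release]: [13]
[ro.product.model]: [Pixel 6]
[ro.hardware]: [oriole]
"""

# The March 2023 Pixel security update carried the CVE-2023-24033 fix;
# any patch level dated before this is treated as still exposed.
FIXED_PATCH_LEVEL = date(2023, 3, 1)


def parse_getprop(text):
    """Turn `getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]: [" not in line:
            continue
        key, _, value = line.partition("]: [")
        props[key[1:]] = value.rstrip("]")
    return props


def patch_level(props):
    """Return the security patch level as a date, or None if it is absent/malformed."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def needs_mitigation(props):
    """True when the patch level is missing or older than the March 2023 fix.

    A missing or unparsable patch level is treated as unpatched, so the
    conservative answer (keep Wi-Fi calling and VoLTE off) wins by default.
    """
    level = patch_level(props)
    return level is None or level < FIXED_PATCH_LEVEL


def assess(text):
    """Summarise one device's getprop dump for an inventory report."""
    props = parse_getprop(text)
    level = patch_level(props)
    return {
        "model": props.get("ro.product.model", "unknown"),
        "patch_level": level.isoformat() if level else None,
        "needs_mitigation": needs_mitigation(props),
    }


if __name__ == "__main__":
    for label, dump in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(label, assess(dump))
```

In a real rollout you would feed `assess()` the output of `adb shell getprop` per device and act on `needs_mitigation`; the function deliberately treats an absent or unparsable patch level as unpatched rather than guessing.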
The team at Google – and most security researchers – adhere to a 90-day disclosure timeline, meaning that after they report a bug to the hardware or software vendor, the vendor has 90 days to release a fix. After that, the researchers disclose the flaw publicly.
However, in some very rare and critical cases, where the “attackers would benefit significantly more than defenders if a vulnerability were disclosed,” the bug hunters make an exception and delay disclosure, Willis noted. Such is the case with the four zero-days that enable internet-to-baseband RCE.
Of the 14 remaining minor flaws, Project Zero revealed four that exceeded the 90-day deadline. The other 10 will be released to the public when they hit the 90-day mark with no fixes, Willis added. ®