Google is warning owners of some Samsung, Vivo, and Pixel phones that a series of exploits could allow adversaries to compromise devices simply by knowing phone numbers — and the device owners wouldn’t notice.
Project Zero, Google’s in-house team of cybersecurity experts and analysts, described in a blog post 18 different vulnerabilities in phones that use Samsung’s Exynos modems. The vulnerabilities are severe enough that they should be treated as zero-days requiring immediate remediation. Four of them require only that an attacker know the victim’s phone number to gain access to data flowing in and out of the device’s modem, such as phone calls and text messages.
The other 14 are less of a concern because they take more effort to exploit: an attacker would need local access to the device or access to a mobile carrier’s systems, as TechCrunch noted.
Owners of affected devices should install upcoming security updates as soon as possible, although it’s up to phone manufacturers to decide when to release a software patch for each device. In the meantime, Google says device owners can avoid being targeted by these exploits by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, since both are paths by which the vulnerable modem code can be reached.
In the blog post, Google listed which phones use the Exynos modems – inadvertently admitting that its premium Pixel phones have been using Samsung’s modems for years. The list also includes a handful of wearables and cars that use specific modems.
- Phones from Samsung, including those in the premium Galaxy S22 series, the mid-range M33, M13, M12, A71, and A53 series, and the affordable A33, A21, A13, A12, and A04 series.
- Vivo mobile devices, including those from the S16, S15, S6, X70, X60 and X30 series.
- Google’s premium Pixel 6 and Pixel 7 series of devices (at least one of the four most serious vulnerabilities has been fixed in the March security update).
- All wearables using the Exynos W920 chipset.
- All vehicles using the Exynos Auto T5123 chipset.
Google reported these vulnerabilities to affected phone manufacturers in late 2022 and early 2023, the blog post said. But the Project Zero team has opted not to disclose four other vulnerabilities out of prudence, given their continued severity, breaking its usual practice of publishing details of all vulnerabilities a set period of time after they are reported to the affected companies.
Samsung did not immediately respond to a request for comment.