We trust our smartphones with just about everything in our lives, and in return we expect them to be secure and protected from attacks. That is usually the case, and monthly security updates go a long way in protecting our data. However, if you have a Google Pixel or a Samsung phone, you should probably be wary. Google’s Project Zero, the bug-hunting team, has identified eighteen security vulnerabilities affecting Exynos modems, and combining them could allow an attacker to take complete control of your smartphone without you knowing.
The vulnerabilities were discovered in late 2022 and early 2023, and four of the eighteen vulnerabilities are considered the most critical, as they allow remote code execution using only the victim’s phone number. Only one of the most serious exploits has a publicly assigned Common Vulnerabilities and Exposures (CVE) number, with Google withholding a number of CVEs related to this vulnerability in a rare exception to the normal bug release protocol.
According to Google’s Project Zero, the following devices are affected.
- Samsung mobile devices, including S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series;
- Vivo mobile devices, including those in the S16, S15, S6, X70, X60, and X30 series;
- Google’s Pixel 6 and Pixel 7 series devices; and
- all vehicles using the Exynos Auto T5123 chipset.
This bug has been fixed in the March security update, which the Pixel 7 series already has. However, the Pixel 6 series doesn’t have it yet, and Google says users of unpatched devices should turn off VoLTE and Wi-Fi calling. Tim Willis, the head of Project Zero, said that “with limited additional research and development, we believe skilled attackers will be able to quickly create an operational exploit to silently and remotely compromise affected devices.” In other words, a user’s device can be compromised and the user may not even know about it, and it seems that some attackers could find and exploit the flaw quite easily as well.
As for the major exploit we do have information about, CVE-2023-24033, its description simply says that the affected baseband modem chipsets “do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service.” A denial of service in this context usually means that an attacker can remotely lock your phone and prevent you from using it, although no additional details are provided.
The remaining fourteen vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine others with pending CVEs) are not as critical, but still bring risks for the end user. For successful exploitation, they need “either a malicious mobile network operator or an attacker with local access to the device”.
For users waiting for an update and using an affected device, please disable VoLTE and Wi-Fi calling for now. If you have the March security update available but haven’t updated yet, it might be time to do so.
Source: Google Project Zero