Insecure Exynos modems put dozens of Samsung devices and other Android phones at risk

Many of the top Android phones released in the past year have used Samsung’s Exynos modems to connect to the internet. However, if your handset uses one of these chips launched in the last three years, it could leave you vulnerable to hackers because of a critical flaw in those modems, as Google’s Project Zero team has found 18 unpatched vulnerabilities in the Exynos modems from Samsung.

Security researchers have found issues in the Exynos modems that power Google’s recent flagship phones, such as the Pixel 7 and Pixel 6 ranges, as well as last year’s Samsung phones, including the Galaxy S22 series, Galaxy A53 and older models. The flaws expose those devices to Internet-to-baseband remote code execution. Some of Vivo’s recent models in the flagship and mid-range categories, including the Vivo X60, X70 and S15, are also at risk.


The vulnerabilities could also compromise smartwatches powered by an Exynos W920 chipset, such as the Samsung Galaxy Watch 4 and Watch 5 series, as well as vehicles equipped with an Exynos Auto T5123 chipset. Samsung has a list of all vulnerable chips and modems on this page.

Tim Willis, head of Google’s Project Zero, explained in a blog post that four of those vulnerabilities could allow hackers to access your phone remotely “at the baseband level” using just your phone number, assuming they know it.

“With limited additional research and development, we believe that skilled attackers can quickly create an operational exploit to silently and remotely compromise affected devices,” Willis wrote.

Fortunately, Google Pixel 7 owners can breathe a sigh of relief as the March security update rolled out a few days ago fixes the issue for the latest and greatest Pixel series. If you haven’t already, go to your system settings and look for the system updates section to see if it’s already installed. That said, the patch has yet to arrive for the Pixel 6, 6 Pro, and 6a, as 9to5Google points out.

Security researchers rarely disclose vulnerabilities that have not yet been fixed. Project Zero researcher Maddie Stone, however revealed in a tweet that “end users still have no patches 90 days after the report.”

Meanwhile, Google warns against making Wi-Fi and Voice-over-LTE (VoLTE) calls on affected devices until Samsung fixes the issue. To make sure these options are disabled, go to your system settings, the Network & internet section, and then the SIM cards menu entry. Here you can disable both VoLTE and Wi-Fi calling. That said, many carriers in the US no longer support 2G and 3G connections for phone calls, which means turning off VoLTE will significantly reduce your network coverage when it comes to phone calls. Therefore, you should only disable these settings if you think you are a high-risk target, then re-enable them once you have access to the March Android security patch.

Leave a Reply

Your email address will not be published. Required fields are marked *