Google issued a warning to owners of some Samsung, Pixel, and Vivo phones about critical vulnerabilities that could allow hackers to compromise their devices by making a special call to their phone numbers.
The security flaw impacts Android devices that use the Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123 chipsets made by Samsung. International versions of the Samsung Galaxy S22 (the U.S. version uses a Qualcomm Snapdragon chip), some mid-range Samsung phones, the Galaxy Watch 5 and 5, the Pixel 6 and 7, and cars that used the Exynos Auto T5123 chip could be exploited, Google’s Project Zero warned in a blog post.
The post said that Google’s team found at least 18 different vulnerabilities that could be used to target the aforementioned devices that use the Exynos chips. Owners of the impacted devices should install upcoming updates as soon as possible, although the timing varies depending on the phone manufacturer’s schedule for each device.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” wrote Google’s Tim Willis in the post, dated March 16.
The fourteen other vulnerabilities “were not as severe,” he added, “as they require either a malicious mobile network operator or an attacker with local access to the device.”
Google’s security team said that in the meantime, some Android users can avoid being hacked by turning off Wi-Fi calling and Voice-over-LTE, known alternatively as VoLTE, in their device’s settings.
“Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities,” Willis wrote.
Samsung issued a statement confirming that it is aware of the potential security exploits and said it is now releasing updates for affected devices. It advised owners to update their Android smartphone software.
“After determining 6 vulnerabilities may potentially impact select Galaxy devices, of which none were ‘severe,’ Samsung released security patches for 5 of these in March,” the Korean tech giant told CNET. “Another security patch will be released in April to address the remaining vulnerability.”
In all, the impacted devices include Samsung’s S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series devices as well as Vivo’s S16, S15, S6, X70, X60, and X30 series devices, according to Google. Other affected devices include the Google Pixel 6 and 7 and any vehicles that use the Exynos Auto T5123 chipset, the company added.
According to security website Sophos, even though “Google’s research focused on devices that used a Samsung Exynos-branded baseband modem component,” it “doesn’t necessarily mean that the system-on-chip would identify or brand itself as an Exynos.”
“For example, Google’s recent Pixel devices use Google’s own system-on-chip, branded Tensor, but both the Pixel 6 and Pixel 7 are vulnerable to these still-semi-secret baseband bugs,” Sophos said.
Google noted that the vulnerabilities were discovered in late 2022 and early 2023. The Project Zero team said it has chosen not to disclose four other vulnerabilities because of ongoing security exploits.
Via its product security update website, Samsung described one of the bugs—CVE-2023-24033—as a “memory corruption when processing SDP attribute accept-type.”
“The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem,” the advisory said. “Users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability.”
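What "properly check the format types" looks like in practice, as an added example that is not Samsung's or Project Zero's code: a strict, bounded parser for an SDP format list that rejects malformed or over-long input instead of truncating it. It assumes the attribute follows the `accept-types` format-list grammar defined for MSRP in RFC 4975; the limits `MAX_FORMATS` and `MAX_TOKEN_LEN` and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FORMATS   16  /* assumed cap on entries per attribute */
#define MAX_TOKEN_LEN 63  /* assumed cap on one type or subtype */

struct format_entry {
    char type[MAX_TOKEN_LEN + 1];
    char subtype[MAX_TOKEN_LEN + 1];
};

/* Token character: printable ASCII except SP and the separators listed. */
static int is_token_char(unsigned char c) {
    return c > 0x20 && c < 0x7f && strchr("()<>@,;:\\\"/[]?=", c) == NULL;
}

/* Copy one token into out; 0 means empty or over-long (reject, never truncate). */
static size_t take_token(const char **p, const char *end, char *out) {
    size_t n = 0;
    while (*p < end && is_token_char((unsigned char)**p)) {
        if (n == MAX_TOKEN_LEN) return 0;
        out[n++] = *(*p)++;
    }
    out[n] = '\0';
    return n;
}

/* Parse a length-delimited format list such as "text/plain image/png".
 * Returns the entry count, or -1 if malformed or over a limit. */
int parse_format_list(const char *val, size_t len, struct format_entry *out, size_t cap) {
    const char *p = val, *end = val + len;
    size_t count = 0;
    for (;;) {
        if (count == cap) return -1;                /* too many entries */
        struct format_entry *e = &out[count];
        if (take_token(&p, end, e->type) == 0) return -1;
        if (p < end && *p == '/') {
            p++;
            if (take_token(&p, end, e->subtype) == 0) return -1;
        } else if (strcmp(e->type, "*") == 0) {
            e->subtype[0] = '\0';                   /* lone "*" wildcard entry */
        } else return -1;                           /* type without subtype */
        count++;
        if (p == end) return (int)count;
        if (*p++ != ' ') return -1;                 /* exactly one SP between entries */
    }
}

int main(void) {
    struct format_entry f[MAX_FORMATS];
    const char ok[] = "text/plain image/*";         /* constructed sample value */
    printf("%d\n", parse_format_list(ok, strlen(ok), f, MAX_FORMATS));
    return 0;
}
```

The parser works on an explicit length rather than a NUL-terminated string, so an embedded NUL or a missing terminator in the received message cannot cause an over-read.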