What you need to know
- Google’s Project Zero team has disclosed new vulnerabilities in Exynos SoCs.
- Phones powered by these chipsets include the Pixel 6 series, Pixel 7 series, and Galaxy S22 models, amongst others.
- The team describes a baseband remote code execution vulnerability that requires the attacker to know only the victim’s phone number.
Smartphones are often ranked by the performance of their chipsets, but those SoCs can also be vulnerable, as new findings from Google's Project Zero team show.
Over the past few months, the Project Zero team has found eighteen 0-day vulnerabilities in Samsung Exynos modems used across a range of devices (via 9to5Google). Of these eighteen, four are severe (one is tracked as CVE-2023-24033, while the others are yet to be assigned CVE IDs) and can allow attackers to achieve Internet-to-baseband remote code execution.
In an accompanying blog post, the Project Zero team indicates that these four vulnerabilities “allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number.”
The security team claims that while learning the victim's phone number can be challenging for unidentified attackers, it is still possible to do so covertly and remotely.
While most Android phone users can check whether their chipsets are affected against the list in Samsung Semiconductor's advisories, the Project Zero team gives the following list of devices based on its research:
- Samsung devices, including the Galaxy S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series. (Galaxy S22 units in the U.S. and select other countries use Qualcomm chips and are not affected.)
- Some Vivo models, including the Vivo S16, S15, S6, X70, X60, and X30 series.
- The Google Pixel 6 and Pixel 7 series, which come with Tensor chips developed by Samsung and are Exynos-based.
- The Exynos chipset dubbed Auto T5123, used in automotive applications, is also seemingly affected.
Because the new Galaxy S23 uses Qualcomm chips globally, it is not affected, unlike the Galaxy devices listed above.
CVE-2023-24033, as mentioned above, has reportedly been fixed on Pixel devices with the recent March 2023 update, which, unfortunately, has yet to reach the Pixel 6 and 6a models.
Meanwhile, owners of non-Pixel devices that are yet to receive a fix from their OEMs may have to rely on a workaround to protect themselves from attackers. The security team advises them to turn off Wi-Fi calling and Voice-over-LTE (VoLTE) on their Samsung Exynos-powered smartphones.