Google’s research unit found a number of vulnerabilities in some Samsung Exynos modems used in dozens of Android smartphones, wearable devices and even vehicles. Google fears that these vulnerabilities may soon be discovered and exploited by attackers.
In a blog post, Tim Willis, head of Google Project Zero, said that over the past few months, internal security researchers have discovered and reported 18 zero-day vulnerabilities in Samsung’s Exynos modems, including four top-severity vulnerabilities that could compromise the relevant devices “quietly and remotely” via the mobile network.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” Willis said.
By remotely executing code on the Exynos modems, which convert cellular signals into digital data, an attacker would be able to gain almost unlimited access to information coming into and going out of the affected device, including cellular calls, text messages, and mobile data. The user would not be aware that the data was being intercepted.
Samsung confirmed in the March 2023 Security Update that several Exynos modems are vulnerable, affecting several Android device manufacturers, but provided few other details.
According to Project Zero, the vulnerable devices include nearly a dozen models from Samsung itself, Vivo devices, and the Google Pixel 6 and Pixel 7 smartphones. Affected devices also include wearables and vehicles that rely on Exynos chips to connect to cellular networks.
A more detailed list of affected models is as follows:
- Samsung mobile devices: S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
- Vivo mobile devices: S16, S15, S6, X70, X60 and X30 series;
- Pixel 6 and Pixel 7 series devices from Google;
- Any vehicles using the Exynos Auto T5123 chipset.
Google said patches will vary by manufacturer, but noted that its Pixel devices are already protected by the March security updates.
Until affected manufacturers push software updates to their customers, Google said users who wish to protect themselves can switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “remove the exploitation risk of these vulnerabilities.”
The remaining 14 vulnerabilities are less serious, as they require either access to the device or insider or privileged access to the mobile operator’s systems.