Google’s Project Zero team has raised an urgent alarm regarding several security vulnerabilities discovered in Samsung’s Exynos chipsets. They have cautioned that attackers can remotely breach a phone at the baseband level without any user intervention, hence, warranting immediate attention.
Details About Exynos Modem Vulnerabilities
Project Zero team lead, Tim Willis, renowned for discovering zero-day vulnerabilities, reported 18 vulnerabilities in Exynos modems between late 2022 and early 2023. Among them, four vulnerabilities, including CVE-2023-24033, enable attackers to execute remote codes at the baseband level from the internet to the phone without any user interaction
Tests conducted by Project Zero reveal that attackers can compromise the device remotely with just the victim’s phone number. Skilled attackers could quickly create an operational exploit to silently compromise the affected devices. Meanwhile, the other 14 vulnerabilities are not as severe, as they require either a malicious mobile network operator or local access to the device. As these four vulnerabilities can lead to an operational exploit, Project Zero is delaying their disclosure as a policy exception.
Devices Affected
Samsung Semiconductor (January 2023) has identified several affected chipsets, including Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123. Meanwhile, Google has compiled a list of potential products that may be affected. They include:
- Samsung Galaxy phones (S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series)
- Vivo phones (S16, S15, S6, X70, X60, and X30 series)
- Google Pixel phones (6, 6 Pro, 6a, 7, and 7 Pro)
- Wearables that use the Exynos W920 chipset
- Vehicles that use the Exynos Auto T5123 chipset.
Notably, the S22, Galaxy Watch 4, and 5 are also included in the list of potentially affected products, in addition to the Pixel 6 (Exynos 5123) and 7 (Exynos 5300). The primary vulnerability (CVE-2023-24033) was addressed with the March 2023 security patch on Pixel phones, which was released on Monday but should have been available a week earlier.
Potential Workaround for Affected Devices
While the Pixel 6 and Pixel 7 devices remain vulnerable as they have yet to receive the March update, Project Zero recommends the following advice for affected users:
“Until security updates are available, users can safeguard themselves against the baseband remote code execution vulnerabilities found in Samsung’s Exynos chipsets by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) settings in their device settings. Disabling these settings will eliminate the risk of exploitation posed by these vulnerabilities.”