Smartphones, wearables and even cars that use Samsung’s Exynos chipsets could be at risk of attack following the discovery of 18 zero-day vulnerabilities by Google’s Project Zero.
The search giant’s bug-hunting team discovered and reported the flaws between the end of last year and the beginning of this year. While some have already been patched, others have yet to receive a fix.
Of the 18 zero-day flaws discovered, four are considered extremely serious as they could allow code to be executed remotely. To make matters worse, these Internet-to-baseband remote code execution (RCE) bugs don’t require user interaction to be exploited.
In a security advisory (opens in new tab) describing one of the vulnerabilities (tracked as CVE-2023-24033 (opens in new tab)), Samsung provided further details on the flaw, saying: “The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem.”
It’s worth noting that the best Samsung phones sold in the U.S. aren’t affected as they use Qualcomm’s modems as opposed to those made by Samsung itself. Still, Google’s own Pixel devices and even some of the best Samsung watches that use Exynos chipsets are.
Vulnerable Samsung and Pixel phones
In a blog post (opens in new tab), head of Project Zero Tim Willis explained that Google’s team conducted tests to confirm that the four most severe zero-day flaws could allow an attacker to remotely compromise a vulnerable Samsung or Pixel device “at the baseband level with no user interaction.”
Instead of using malware or a malicious app to gain initial access to a victim’s device, an attacker just needs to know their phone number.
The remaining fourteen other zero-day vulnerabilities in Samsung’s Exynos chips aren’t nearly as severe and to exploit them, an attacker would need local access to a vulnerable smartphone or would need to rely on help from a malicious mobile network operator.
Samsung Semiconductor has put together a list of all of the affected Exynos chipsets which can be found in its security advisory above. However, based on Project Zero’s research the following smartphones are affected:
- Samsung S22
- Samsung M33
- Samsung M13
- Samsung M12
- Samsung A71
- Samsung A53
- Samsung A33
- Samsung A21s
- Samsung A13
- Samsung A12
- Samsung A04
- Vivo S16
- Vivo S15
- Vivo S6
- Vivo X70
- Vivo X60
- Vivo X30
- Pixel 6
- Pixel 6 Pro
- Pixel 6a
- Pixel 7
- Pixel 7 Pro
As we mentioned above though, only Samsung phones sold in Europe and Korea typically use the company’s own Exynos chipsets. Those sold in the U.S. don’t but Samsung’s smartwatches including the Samsung Galaxy Watch 5 and others do. Likewise, any vehicle that uses Samsung’s Exynos Auto T5123 chipset is also affected by these flaws.
Some devices patched and there’s a workaround for others
According to BleepingComputer (opens in new tab), Samsung has already come up with security updates that address these vulnerabilities and has sent them to vendors that use the affected chipsets in their devices. However, the patches aren’t public yet and can’t be applied by all affected users.
Some device makers have already begun rolling them out though, including Google which fixed the Internet-to-baseband RCE bugs in its March 2023 security updates for Pixel phones.
For those who own an affected device that hasn’t been updated yet, Project Zero does have a workaround. Until you receive the security update patching these zero-day flaws, you should disable both Wi-Fi calling and Voice-over-LTE (VoLTE) as this is the main attack vector that would be used to exploit them.
Once the updates do become available though, you should install them immediately as attackers could be working on ways to leverage these flaws in their attacks now that their existence has been made public.