Google’s Project Zero team has recently discovered severe 0-day vulnerabilities in the Samsung Exynos modems used in Samsung and Google Pixel phones, wearables, and other devices.
Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. Four of them, including CVE-2023-24033, allow internet-to-baseband remote code execution:
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
The remaining 14 vulnerabilities are considered less severe because they “require either a malicious mobile network operator or an attacker with local access to the device.”
These devices are affected by the latest severe vulnerabilities:
According to Samsung Semiconductor, these are the affected chipsets:
- Exynos Modem 5123
- Exynos Modem 5300
- Exynos 980
- Exynos 1080
- Exynos Auto T5123
Google compiled a list of likely affected products:
- Samsung Galaxy phones including Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
- Vivo phones including those in the S16, S15, S6, X70, X60, and X30 series
- Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
- Any wearables that use the Exynos W920 chipset
- Any vehicles that use the Exynos Auto T5123 chipset
The main vulnerability, CVE-2023-24033, was already fixed in the March 2023 security patch. Devices including the Google Pixel 6, 6 Pro, and 6a have yet to get that March update and are currently vulnerable.
For the devices that haven’t yet received the fix, Google advises:
“Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.”
You can disable Wi-Fi calling on Pixel phones in Settings app > Network & internet > SIMs > Wi-Fi calling.