Published March 17, 2023
Author: Ash Khan

 

Google’s security research site warns of a troubling group of vulnerabilities disclosed in Samsung semiconductors powering dozens of Android devices. The vulnerabilities could be exploited within a short period, according to Google.

Google’s in-house Project Zero security researchers reported 18 zero-day vulnerabilities in Samsung Exynos modems over the last few months. These include four high-severity flaws that could compromise affected devices “silently and remotely” over the cellular network.

 

Project Zero tests demonstrate that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level. The attack needs no user interaction and requires only that the attacker know the victim’s phone number.

 

The attacker would be able to gain near-unrestricted access to the data flowing in and out of an affected device, including cellular calls, text messages, and cell data, and could execute code remotely at the baseband level of the device. In effect, the attacker gains access to the Exynos modem, which converts cell signals to digital data.

 

It’s unusual for Google, or any security research team, to warn about high-severity vulnerabilities before they’re addressed. The company stated that competent attackers would be able to swiftly construct an operational exploit with minimal study and effort.

According to a Project Zero researcher, Samsung had 90 days to fix the issues but has yet to do so.

 

Susceptible Exynos modems

In its March 2023 security listing, the phone company revealed that multiple Exynos modems are susceptible, affecting several Android device makers. However, it released very few further details.

 

Affected smartphones include roughly a dozen Samsung models, Vivo cellphones, and Google’s own Pixel 6 and Pixel 7 handsets. Furthermore, wearables and automobiles that use Exynos processors to connect to the cellular network are also affected.

 

Google stated that fixes will vary by manufacturer. However, its Pixel devices have already been patched with the March security updates.

Those who want to protect themselves can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. This would eliminate the exploitation risk of these vulnerabilities until impacted manufacturers issue software patches to their customers.

 

Google listed the 14 remaining vulnerabilities as less serious, since they require insider access or privileged access to a mobile carrier’s network.