Photo credit: David Paul Morris/Bloomberg
Google’s security research unit is sounding the alarm over a series of vulnerabilities it has found in certain Samsung chips found in dozens of Android models, wearables and vehicles, and fears the flaws could soon be discovered and exploited.
In a blog post, Tim Willis, head of Google Project Zero, said that internal security researchers have found and reported 18 zero-day vulnerabilities in Exynos modems made by Samsung over the past few months, including four top-severity flaws, which could endanger the affected devices. silently and remotely” via the mobile network.
“Testing conducted by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a baseband-level phone without user interaction, and all the attacker needs to know is the victim’s phone number,” Willis said.
By being able to remotely execute code at a device’s baseband level — essentially the Exynos modems that convert cellular signals into digital data — an attacker would be able to gain nearly unrestricted access to the data going into an affected device – and flow out, including cellular calls, text messages, and cellular data without notifying the victim.
As far as disclosure goes, it’s rare for Google – or any security research firm – to sound an alarm on high-severity vulnerabilities before patching them. Google alerted the public to the risk, stating that experienced attackers “would be able to quickly create an operational exploit” with limited research and effort.
Project Zero researcher Maddie Stone wrote on Twitter that Samsung had 90 days to fix the bugs but hasn’t done so yet.
Samsung confirmed in a March 2023 security list that several Exynos modems are vulnerable and affecting several Android device manufacturers, but provided few other details.
According to Project Zero, affected devices include nearly a dozen Samsung models, Vivo devices, and Google’s own Pixel 6 and Pixel 7 phones. Affected devices also include wearables and vehicles that rely on Exynos chips to connect to the cellular network.
Google said patches will vary by manufacturer, but noted that its Pixel devices are already patched with the March security updates.
Until affected manufacturers push software updates to their customers, Google said that users who want to protect themselves can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, “removing the risk of exploitation of these vulnerabilities.” . ”
According to Google, the remaining 14 vulnerabilities were less severe because they either required access to a device or allowed insider or privileged access to a wireless carrier’s systems.