Google uncovers severe security flaws in Samsung’s Exynos chips
Google’s Project Zero has disclosed 18 zero-day vulnerabilities in Samsung’s Exynos chipsets, which attackers could use to compromise a phone without the user’s knowledge.
The flaws affect a wide range of Android smartphones from Samsung, Vivo, and Google, as well as wearables and vehicles that use Exynos W920 and Exynos Auto T5123 chipsets.
The four most severe of the eighteen (CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498) allow remote code execution from the Internet into the baseband. Project Zero’s tests confirmed that these four let an attacker compromise a phone at the baseband level with no user interaction, requiring only that the attacker know the victim’s phone number. A compromised baseband gives the attacker privileged access to the cellular data passing in and out of the device, the attack is silent and remote, and Project Zero expects skilled attackers to be able to turn these bugs into reliable operational exploits quickly.
The Pixel 6 and 7 handsets received a fix in the March 2023 security update; patches for other devices depend on each manufacturer’s timeline. Until a patch is installed, users can disable Wi-Fi calling and Voice over LTE (VoLTE) in their device settings (where the carrier exposes those settings), which removes the exploitation risk for the four Internet-to-baseband flaws. The remaining 14 flaws are less severe: exploiting them requires either a malicious mobile network operator or an attacker with local access to the device.
Samsung Semiconductor has issued advisories for the affected Exynos chipsets. Based on public websites that map chipsets to devices, affected products are likely to include Samsung’s S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, mobile devices from Vivo, and Google’s Pixel 6 and Pixel 7 series.
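For anyone who has to check a fleet of Android devices against this advisory, the following is an added example (not Project Zero’s, Samsung’s or Google’s code) that reads the output of `adb shell getprop` and sorts each device into one of three buckets: outside the Exynos family, a Pixel that already carries the March 2023 fix, or still exposed and needing VoLTE and Wi-Fi calling turned off until the OEM patch arrives. The property names (`ro.board.platform`, `ro.hardware.chipname`, `ro.build.version.security_patch`, `gsm.version.baseband`, `ro.product.brand`) are real Android system properties; the chipset-string hints, the `triage` decision rules and the device records embedded below are assumptions constructed for illustration and should be extended from Samsung’s advisory.

```python
"""Fleet-triage helper for the Exynos baseband advisory (added example).

Reads `adb shell getprop` output and decides whether a device is outside the
affected chipset family, a Pixel already carrying the March 2023 fix, or still
exposed. Chipset hints and sample records are constructed assumptions."""
import re
from typing import Dict

# The page confirms the Pixel 6/7 fix shipped in the March 2023 security update.
PIXEL_FIXED_PATCH = "2023-03-01"

# Substrings that mark an Exynos-modem platform in ro.board.platform or
# ro.hardware.chipname. gs101/gs201 are the Pixel 6/7 Tensor SoCs. This list is an
# assumption for the example; extend it from Samsung's advisory.
EXYNOS_HINTS = ("exynos", "w920", "t5123", "gs101", "gs201")

# getprop prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse `adb shell getprop` output into a dict; non-matching lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def is_exynos_platform(props: Dict[str, str]) -> bool:
    """True if either platform property contains one of the Exynos hints."""
    platform = (props.get("ro.board.platform", "") + " " +
                props.get("ro.hardware.chipname", "")).lower()
    return any(hint in platform for hint in EXYNOS_HINTS)


def triage(props: Dict[str, str]) -> Dict[str, str]:
    """Return status, reason and baseband version for one device's properties."""
    baseband = props.get("gsm.version.baseband", "unknown")
    if not is_exynos_platform(props):
        return {"status": "not_in_scope",
                "reason": "platform is not an Exynos or Tensor SoC",
                "baseband": baseband}
    patch = props.get("ro.build.version.security_patch", "0000-00-00")
    # YYYY-MM-DD strings compare correctly as plain strings.
    if props.get("ro.product.brand", "").lower() == "google" and patch >= PIXEL_FIXED_PATCH:
        return {"status": "patched",
                "reason": f"Pixel with security patch {patch} (>= {PIXEL_FIXED_PATCH})",
                "baseband": baseband}
    # Other OEMs follow their own timelines, so a patch date alone proves nothing here.
    return {"status": "mitigate",
            "reason": "disable VoLTE and Wi-Fi calling until the OEM baseband patch is installed",
            "baseband": baseband}


def triage_fleet(records: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> triage status for a set of raw getprop dumps."""
    return {name: triage(parse_getprop(text))["status"] for name, text in records.items()}


# Constructed sample records; the baseband strings are placeholders, not real builds.
SAMPLE_DEVICES = {
    "pixel7": ("[ro.product.brand]: [google]\n[ro.board.platform]: [gs201]\n"
               "[ro.build.version.security_patch]: [2023-03-05]\n"
               "[gsm.version.baseband]: [example-g5300-fixed]\n"),
    "pixel6_old": ("[ro.product.brand]: [google]\n[ro.board.platform]: [gs101]\n"
                   "[ro.build.version.security_patch]: [2023-02-05]\n"
                   "[gsm.version.baseband]: [example-g5123-old]\n"),
    "s22": ("[ro.product.brand]: [samsung]\n[ro.hardware.chipname]: [exynos2200]\n"
            "[ro.build.version.security_patch]: [2023-03-01]\n"
            "[gsm.version.baseband]: [example-s22-baseband]\n"),
    "qualcomm": ("[ro.product.brand]: [samsung]\n[ro.board.platform]: [taro]\n"
                 "[ro.build.version.security_patch]: [2023-01-01]\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLE_DEVICES.items():
        r = triage(parse_getprop(text))
        print(f"{name}: {r['status']} ({r['reason']}; baseband {r['baseband']})")
```

In practice you would feed `triage` the text of `adb -s <serial> shell getprop` for each enrolled device. Note that the script deliberately does not treat a March 2023 patch level on a non-Pixel Exynos device as proof of a fix, because the page only confirms that date for the Pixel 6 and 7; for other OEMs the baseband firmware version in `gsm.version.baseband` has to be compared against the vendor’s own advisory.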
Project Zero’s standard policy is to publish a vulnerability a set time after reporting it to the software or hardware vendor. It has made an exception for the four Internet-to-baseband remote code execution flaws, delaying their disclosure because of the rare combination of the level of access they provide and the speed with which a reliable operational exploit could be built. The remaining fourteen vulnerabilities stay on the standard 90-day disclosure timeline, so their details will be published once that deadline passes.
The sources for this piece include an article in TheHackerNews.