Google’s security experts have warned people who use Android devices that several zero-day vulnerabilities in some Samsung chipsets could let an attacker take over and control a user’s phone from afar if they know the phone number.
Tim Willis, who is in charge of the bug-hunting team, says that Google’s Project Zero found and reported 18 of these bugs in Samsung’s Exynos cellular modem firmware between late 2022 and early this year. Four of the 18 zero-day flaws allow Internet-to-baseband remote code execution. The baseband, or modem, of a phone or other device usually has low-level access to all the hardware, so an intruder who exploits bugs in its code can take full control of the device. For now, the technical details of these holes are being withheld to protect people who use vulnerable devices.
“Project Zero tests confirm that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without the user’s help. All the attacker needs is the victim’s phone number,” Willis wrote in a breakdown of the security flaws.
“With only a little more research and development, we think that skilled attackers could quickly make an operational exploit that would let them take over affected devices silently and from a distance,” he said.
One of these four serious bugs has been assigned a CVE number, CVE-2023-24033, so that it can be tracked. The other three do not yet have bug IDs.
Willis says that the other 14 problems are less severe and can only be exploited by “a malicious mobile network operator or an attacker with local access to the device.” These include CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine other vulnerabilities that have not yet been assigned identifiers.
Affected devices include the Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, the Vivo S16, S15, S6, X70, X60, and X30 series, the Google Pixel 6 and Pixel 7 series, and vehicles that use the Exynos Auto T5123 chipset.
Google fixed CVE-2023-24033 for affected Pixel devices in its March security update. Until the other vendors ship fixes, Willis says that users of vulnerable devices with Samsung’s silicon should turn off Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against baseband remote code execution.