Google’s security research unit is sounding the alarm over a set of vulnerabilities found in dozens of Android models, wearables and some Samsung chips in vehicles, fearing the flaws could soon be discovered and exploited.
In a blog post, Tim Willis, Google’s Project Zero head, said that internal security researchers have found and reported 18 zero-day vulnerabilities in Samsung-made Exynos modems over the past few months, including four high-severity flaws that can be exploited through the cellular network.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, and the attacker must know the victim’s phone number,” Willis said.
By gaining the ability to remotely execute code at the baseband level of a device (essentially the Exynos modems that convert cell signals into digital data), an attacker can gain nearly unfettered access to data flowing in and out of a victim device, including cellular calls, text messages and cell data, without alerting the victim.
As disclosures go, it’s rare for Google, or any security research firm, to disclose high-severity vulnerabilities before they’re patched. Google noted the risk to the public, saying skilled attackers “can quickly develop a working exploit” with limited research and effort.
Project Zero researcher Maddy Stone wrote on Twitter that Samsung had 90 days to fix the bugs, but still has not.
Samsung confirmed in a March 2023 security list that several Exynos modems are vulnerable, affecting several Android device manufacturers, but provided little other detail.
According to Project Zero, the affected devices include nearly a dozen Samsung models, Vivo devices, and Google’s own Pixel 6 and Pixel 7 handsets. Affected devices include wearables and vehicles that rely on Exynos chips to connect to cellular networks.
Google said patches vary by manufacturer, but noted that its Pixel devices are already patched with its March security updates.
Users who want to protect themselves can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings until the affected manufacturers issue software updates to their customers, which will “remove the risk of exploiting these vulnerabilities.”
Google said the remaining 14 vulnerabilities were less severe because they required access to the device or internal or privileged access to the cell carrier’s settings.