Google’s Project Zero team, responsible for finding zero-day bugs, has recently uncovered 18 security flaws in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars. These vulnerabilities were reported between late 2022 and early 2023, and four of them were classified as the most serious, allowing remote code execution (RCE) from the internet to the baseband.
What are the vulnerabilities?
The internet-to-baseband RCE bugs, CVE-2023-24033 and three other vulnerabilities still awaiting CVE IDs, allow an attacker to remotely compromise a vulnerable device without the victim’s knowledge or consent. According to Tim Willis, Head of Project Zero, this type of attack requires only the victim’s phone number.
Why are these vulnerabilities particularly dangerous?
Disclosure of the four vulnerabilities that allow internet-to-baseband RCE is being delayed because of the level of access they provide and the speed with which a reliable operational exploit can be crafted. Experienced attackers could easily create an exploit that remotely compromises vulnerable devices without drawing the targets’ attention.
What devices are affected?
Based on the list provided by Samsung, the affected devices include:
- Samsung’s mobile devices in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
- Vivo’s mobile devices in the S16, S15, S6, X70, X60, and X30 series
- Google’s Pixel 6 and Pixel 7 series of devices
- Any wearables that use the Exynos W920 chipset
- Vehicles that use the Exynos Auto T5123 chipset
What can be done?
While Samsung has provided security updates addressing these vulnerabilities to other vendors, the patches are not yet public and cannot be applied by all affected users. Each manufacturer’s patch timeline for their devices will differ. Google, for instance, has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates. Until patches are available, users can protect their devices by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) to remove the attack vector.
Samsung’s response
Samsung confirmed Project Zero’s workaround, stating that “users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability.” Samsung also encourages end users to update their devices as soon as possible so that they run the latest builds, which fix both disclosed and undisclosed security vulnerabilities.