Yesterday, Google’s Project Zero detailed multiple (in total Eighteen) Internet from baseband remote code execution vulnerability in Samsung-made Exynos modems. These modems can be found in devices like Pixel 6 series, Pixel 7 series, Galaxy S22 series and more.
In layman’s terms, those of us who aren’t security experts, the most critical vulnerability allows a skilled attacker to exploit and compromise a compromised phone simply by knowing a victim’s phone number. Four of the vulnerabilities discovered are so bad that Project Zero even made a policy exception to its disclosure process That’s apparently bad.
The device is probably affected
- Mobile devices from Samsung including S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
- Mobile devices from Vivo, including the S16, S15, S6, X70, X60 and X30 series;
- Pixel 6 and Pixel 7 series devices from Google; And
- Any vehicle uses the Exynos Auto T5123 chipset.
So we’ve established that there is a problem. The promising news is that those who need to know and begin correcting these problems are aware and solutions are already on the way For example, the March security patch for Pixel phones contains a fix for a vulnerability. Meanwhile, Google’s Project Zero recommends that you avoid using WiFi calling or VoLTE (Voice-over-LTE) by physically going to your device settings and disabling it.
Until security updates are available, users who want to protect themselves from the baseband remote code execution vulnerability in Samsung’s Exynos chipset can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the risk of exploiting these vulnerabilities
The theory has been floated around that these vulnerabilities are what are preventing the Pixel 6 lineup from receiving the latest security patches and feature drops. At this point it seems very reasonable.
We’ll keep you posted as we learn more. If this news affects you, I recommend checking out Project Zero’s post on the situation by following the link below.
// project zero