Image credits: David Paul Morris/Bloomberg
Google’s security research unit is sounding the alarm about a set of vulnerabilities it has found in some Samsung chips embedded in dozens of Android models, wearables and vehicles, fearing the flaws could soon be discovered and exploited.
In a blog post, the head of Project Zero at Google, Tim Willis, said that internal security researchers found and reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung over the past few months, including four critical flaws that could compromise affected devices “silently and remotely” over the cellular network.
“Tests conducted by Project Zero confirm that these four vulnerabilities allow an attacker to compromise a phone at the baseband level without user intervention, only requiring that the attacker know the victim’s phone number,” Willis said.
By gaining the ability to remotely run code at the device’s baseband level (essentially the Exynos modems that convert cell signals into digital data), an attacker would be able to gain near-unfettered access to the data flowing in and out of the affected device, including cellular calls, text messages, and mobile data, without alerting the victim.
As disclosures go, it’s rare to see Google, or any security research firm, sound the alarm about critical vulnerabilities before they’re patched. Google noted the risk to the public, stating that skilled attackers “will be able to quickly create an operational exploit” with limited research and effort.
Project Zero researcher Maddie Stone wrote on Twitter that Samsung had 90 days to rectify the errors, but has not done so yet.
Samsung confirmed in a security listing in March 2023 that several Exynos modems are vulnerable, affecting many Android device manufacturers, but offered few other details.
According to Project Zero, the affected devices include nearly a dozen Samsung models, Vivo devices, and Google’s own Pixel 6 and Pixel 7 phones. Affected devices also include wearables and vehicles that rely on Exynos chips to connect to the cellular network.
Google said the patches will vary depending on the manufacturer, but noted that its Pixel devices have already been patched with its March security updates.
Until affected manufacturers push software updates to their customers, Google said that users who want to protect themselves can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which “removes the risk of these vulnerabilities being exploited.”
Google said the remaining 14 vulnerabilities were less severe because they required either access to a device or internal or privileged access to the cellular carrier’s systems.