Yesterday, Google’s Project Zero detailed multiple (as in a total of eighteen) internet to Baseband Remote Code Execution Vulnerabilities in Samsung-made Exynos Modems. These modems can be found in devices such as the Pixel 6 series, Pixel 7 series, Galaxy S22 series, and plenty more.
In layman’s, for those of us who are not security experts, the most critical of the vulnerabilities would allow a skilled attacker to create an exploit and compromise an affected phone simply by knowing a victim’s phone number. Four of the discovered vulnerabilities are so bad that Project Zero even made a policy exception with regard to its disclosure process. It’s that bad apparently.
Devices Likely Affected
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google; and
- any vehicles that use the Exynos Auto T5123 chipset.
So we’ve established that there’s an issue. The promising news is, the people who need to know and begin correcting these issues are aware and fixes are already on the way. For example, the March security patch for Pixel phones contains a fix for one of the vulnerabilities. In the meantime, Google’s Project Zero recommends that you avoid using WiFi Calling or VoLTE (Voice-Over-LTE) by physically going into your device settings and disabling them.
Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.
The theory has been tossed around that these vulnerabilities is what’s keeping the Pixel 6 lineup from receiving the latest security patch and Feature Drop. That seems very plausible at this point.
We’ll keep you posted as we learn more. If this news affects you, I also recommend checking out Project Zero’s post on the situation by following the link below.
// Project Zero