Over a dozen zero-day bugs rooted in Samsung's Exynos chipsets and used in a bevy of devices ranging from Android handsets, wearables and in-car infotainment systems are vulnerable to attack, according to Google's Project Zero.
Researchers warn 18 zero-day vulnerabilities, each with a CVSS severity rating of high, could allow a range of attacks, the most severe allowing adversaries to remotely compromise a phone at the baseband level with no user interaction. The only prerequisite for the attack is knowing the target’s phone number.
The class of flaws are baseband remote code execution vulnerabilities and impact Samsung’s Exynos chipsets. The chipsets are tied to Samsung’s use of Wi-Fi calling and Voice-over-LTE (VoLTE) within the Android operating system.
“The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution,” wrote Google’s research team.
Baseband is a type of transmission signal used by telecommunication devices (phones, wearables and telematics) that is similar to broadband. Where broadband uses radiofrequency, baseband uses bidirectional digital signaling at higher frequencies.
“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Google said.
Affected devices include those running Exynos chipsets and include:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google; and
- any vehicles that use the Exynos Auto T5123 chipset.
Fourteen less severe vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that are yet to be assigned CVE-IDs) require either a malicious mobile network operator or an attacker with local access to the device, Google said.
Google advises; “until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.”
Chipsets impacted by the flaw Exynos W920 (used in wearables), Exynos Auto T5123 (used in vehicles) and nearly a dozen additional chipsets listed by Samsung.
Google chose to publicly release limited details of eight of the 18 vulnerabilities on Thursday because Samsung exceeded Project Zero's standard 90-day disclosure deadline. "The remaining ten vulnerabilities in this set have not yet hit their 90-day deadline, but will be publicly disclosed at that point if they are still unfixed," Google Said.
Technical specifics of the flaws are being withheld by Google at this time out of concern detailed specifics could allow attackers could use the information in attacks against unpatched devices. "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely," Google wrote.