Google is drawing attention to a series of dangerous security flaws in Samsung’s Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring user interaction.
Project Zero, Google’s zero-day vulnerability hunting team, discovered and reported 18 vulnerabilities in Samsung’s Exynos chips. More precisely, the culprit here would be the modem of the chips. It is used in the company’s mobile devices, wearables and cars. Among the devices concerned are also the Pixel 6 and 7, which use a Tensor chip based on Exynos processors, but also certain mid-range smartphones from Vivo.
Google’s Project Zero manager Tim Willis said in a blog post that four of these vulnerabilities, including CVE-2023-24033, involve remote code execution from the internet to baseband, c that is to say that they allow a hacker to easily gain access to your smartphone remotelyand that without you being able to realize it.
Also read – Galaxy S22 is hacked in just 55 seconds by hackers
Your phone number is enough to hack your smartphone
Testing by Project Zero has therefore confirmed that a few vulnerabilities allow an attacker to remotely compromise a phone without any user interaction, and you only need to know the victim’s phone number to take control of the device.
Here is the list of vulnerable devices:
- Samsung mobile devices including S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
- Vivo mobile devices including S16, S15, S6, X70, X60 and X30 series
- Google Pixel 6 and Pixel 7 series
- Connected objects using the Exynos W920 chip, including the Samsung Galaxy Watch 4 and 5
- Vehicles using the Exynos Auto T5123 chip
“As always, we encourage end users to update their devices as soon as possible, to ensure they are using the latest versions that fix disclosed and undisclosed security vulnerabilities.“, added Willis. For your security, it is always highly recommended to update your device as soon as a new version is available.
The remaining 14 flaws (including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076, and nine more pending CVE-IDs) are not as critical, but still pose a risk.
It is far from being the first time that Samsung smartphones have been victims of zero-day flaws. Already at the end of last year, Project Zero had discovered several unprecedented security flaws in the mid-range Galaxy. These vulnerabilities had been actively exploited, and only Exynos chips were affected. Last spring, millions of Samsung smartphones were also victims of a major security breach that also allowed to take full control of devices remotely through a malicious application.
March 2023 security patch fixes one of the flaws
Google likely already patched the CVE-2023-24033 flaw in the March 2023 security patch, but not all affected devices have received the update yet. While waiting for a fix, Project Zero advises as a precaution to disable Wi-Fi and VoLTE calling to eliminate the risk of hacking.
” Until security updates are available, users who want to protect against baseband remote code execution vulnerabilities in Samsung’s Exynos chips can disable Wi-Fi calling and voicemail. voice over LTE (VoLTE) in their device settings “said Tim Willis.
Traditionally, security researchers wait until a fix is available before announcing they’ve found the bug, or until some time has passed since they reported it without any fix is in sight. Henceforth, pirates could well take advantage of the opportunity to hack smartphones before a patch is deployed on some of the devices.