Dangerous vulnerabilities in Samsung and Google smartphones

Critical security gaps exist in many current smartphones and other devices, some of which cannot yet be closed by updates. Security researchers from Google's Project Zero write that the four most serious vulnerabilities out of a total of 18 allowed attackers to gain full control over devices. All you would need to know is a victim's phone number.

It is assumed that experienced attackers could quickly create an operational exploit without much effort in order to remotely compromise affected devices unnoticed, according to the blog post. The gaps are therefore in Exynos modems from Samsung. Not only devices from the South Korean company are threatened, but also those of other manufacturers.

Google itself was also affected

Based on the list of vulnerable Exynos chipsets, Project Zero assumes that the Samsung Galaxy smartphones S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 as well as Google's Pixel 6 and Pixel 7 devices are affected. The vulnerability also threatens all smartwatches and other wearables with the Exynos W920 chipset and all cars that have the Exynos Auto T5123 installed.

With the Pixel 7 and Pixel 7 Pro, the vulnerabilities are currently being fixed by the March security update. When the update for the Pixel 6 series and the other devices mentioned will come is still open. The security researchers advise their users to disable Wifi calls and VoLTE in the settings. This would eliminate the threat, they write.

Typically, Project Zero discloses vulnerabilities at a given point in time, whether or not a vendor has responded by then. In the case of the four particularly critical vulnerabilities, the security researchers make a rare exception and continue to wait. One reason for this is that attackers can very quickly exploit the vulnerabilities with the information.

Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction.

The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.

Four of the 18 flaws make it possible for a threat actor to achieve internet-to-Samsung, Vivo, and Google, as well as wearables using the Exynos W920 chipset and vehicleses in late 2022 and early 2023, said.

"[The] four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Tim Willis, head of Google Project Zero, said.

In doing so, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Additional details about the bugs have been withheld.

"Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung's Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings," said Willis.

Turning off these settings will remove the exploitation risk of these vulnerabilities, he added.

The affected mobile devices are from Samsung, Vivo, Google (Pixel 6 and Pixel 7 series); any wearables that use the Exynos W920 chipset; and any vehicles that use the Exynos Auto T5123 chipset.

Google expects that patch timelines will vary per manufacturer, and affected Pixel devices have already received a fix.

"As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities," said Google.