Security

Patches

Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs

Four flaws open mobiles, cars to remote-control at baseband level with just a phone number


Google security analysts have warned Android device users that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack and remote-control their handsets knowing just the phone number.

Between late 2022 and early this year, Google's Project Zero found and reported 18 of these bugs in Samsung's Exynos cellular modem firmware, according to Tim Willis, who heads the bug-hunting team.

Four of the 18 zero-day flaws can allow internet-to-baseband remote code execution. The baseband, or modem, portion of a device typically has privileged low-level access to all the hardware, and so exploiting bugs within its code can give an intruder full control over the phone or device. Technical details of these holes have been withheld for now to protect users of vulnerable gear.

"Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Willis wrote in a breakdown of the security flaws. 

Skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely

"With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely," he added.

One of these four severe bugs has been assigned a CVE number, and it's tracked as CVE-2023-24033. The other three are awaiting bug IDs.

The other 14 issues aren't as severe and require "either a malicious mobile network operator or an attacker with local access to the device," according to Willis. These include CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that haven't yet been assigned identifiers.

According to Google, the following devices use potentially vulnerable Exynos modems: Samsung's S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 products; Vivo mobile devices including the S16, S15, S6, X70, X60 and X30 series; the Pixel 6 and Pixel 7 series of devices from Google; and vehicles that use the Exynos Auto T5123 chipset.

Google issued a fix for CVE-2023-24033 affecting Pixel devices in its March security update. Until the other manufacturers plug the holes, Willis suggests turning off Wi-Fi calling and Voice-over-LTE (VoLTE) to protect against baseband remote code execution, if you're using a vulnerable device powered by Samsung's silicon.

And, as always, patch your gadgets as soon as the software updates become available.

Google's team — and most security researchers — adhere to a 90-day disclosure timeline, meaning after they report the bug to the hardware or software vendor, the vendor has 90 days to issue a fix. After that, the researchers disclose the flaw to the public.

However, in some very rare and critical cases, where the "attackers would benefit significantly more than defenders if a vulnerability was disclosed," the bug hunters make an exception and delay disclosure, Willis noted. That's the case with the four zero-days that allow for internet-to-baseband RCE.

Of the 14 remaining less severe flaws, Project Zero disclosed four that exceeded its 90-day deadline. The other 10 will be released to the public if they hit the 90-day mark without fixes, Willis added. ®

Send us news
40 Comments

Miscreants are exploiting enterprise tech zero days more and more, Google warns

Crooks know where the big bucks are

In-app browsers are still a privacy, security, and choice problem

Regulators reminded that longstanding concerns haven't been addressed

Google gooses Safe Browsing with real-time protection that doesn't leak to ad giant

Rare occasion when you do want Big Tech to make a hash of it

Don't be like these 900+ websites and expose millions of passwords via Firebase

Warning: Poorly configured Google Cloud databases spill billing info, plaintext credentials

Poking holes in Google tech bagged bug hunters $10M

A $2M drop from previous year. So … things are more secure?

Why France this week fined Google €250M over web news

Google pulls a few coins from the sofa and says whatever, just clarify who needs to be paid for what

Whizkids jimmy OpenAI, Google's closed models

Infosec folk aren’t thrilled that if you poke APIs enough, you learn AI's secrets

March Patch Tuesday sees Hyper-V join the guest-host escape club

Critical bugs galore among 61 Microsoft fixes, 56 from Adobe, a dozen from SAP, and a fistful from Fortinet

Row breaks out over true severity of two DNSSEC flaws

Some of us would be happy being rated 7.5 out of 10, just sayin'

Google's AI-powered search results are loaded with spammy, scammy garbage

Be careful where you click

First the Super Bowl, now this: Kansas City getting a Google bit barn

Exact location, power source, and go-live date unknown. But don't worry, there'll be digital jobs

India's competition regulator orders Google Play payment probe

Choice of alternative payment providers labelled 'illusory' – because none existed