Exynos modem vulnerabilities
Known for finding 0-days, Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. Four of the vulnerabilities, including CVE-2023-24033, involve Internet-to-baseband remote code execution (emphasis ours):
“Testing by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction and only require the attacker to know the victim’s phone number. With limited further research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
Meanwhile, the other 14 vulnerabilities are considered less serious as they “require either a malicious mobile network operator or an attacker with local access to the device.”
Project Zero is making a “policy exception to delay disclosure of the four vulnerabilities that allow Internet-to-baseband remote code execution.” This is “due to a very rare combination of level of access that these vulnerabilities provide and the speed at which we believe a reliable operational exploit could be created.”
According to Samsung Semiconductor (January 2023), these are the affected chipsets: Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080 and Exynos Auto T5123. Google has compiled a list of likely affected products:
- Samsung Galaxy phones including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
- Vivo phones including those in the S16, S15, S6, X70, X60 and X30 series
- Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
- All wearables using the Exynos W920 chipset
- All vehicles using the Exynos Auto T5123 chipset
In addition to the Pixel 6 (Exynos 5123) and 7 (Exynos 5300), this includes the S22 as well as the Galaxy Watch 4 and 5. On Pixel phones, the major CVE-2023-24033 vulnerability was fixed with the March 2023 security patch that rolled out on Monday, but should have arrived a week earlier.
Turn off VoLTE and Wi-Fi calling
However, the Pixel 6, 6 Pro and 6a have yet to see that March update and are currently vulnerable. Project Zero’s advice to those affected is the following:
“Until security updates are available, users who want to protect themselves against the baseband remote code execution vulnerabilities in Samsung’s Exynos chipset can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Disabling these settings will remove the exploitation risk of these vulnerabilities.”
According to an older Sprint/T-Mobile support article, Google Pixel devices received software updates in 2021 that automatically enabled VoLTE and removed the switch. You can disable Wi-Fi calling on Pixel phones in the Settings app > Network & Internet > SIM card > Wi-Fi calling.