Samsung is taking forever to fix lethal Exynos bug affecting Galaxy S22 and Pixel 6
Several popular Android phones with Samsung-made Exynos chips have a security hole that could give hackers a frightening amount of control over the devices.
Project Zero, a team of security analysts at Google that aims to protect people from targeted attacks, has found eighteen 0-day vulnerabilities in Exynos modems. A 0-day vulnerability is a flaw that was previously unknown to the product vendor.
Four vulnerabilities could give hackers easy access to affected phones
The flaws were discovered between late 2022 and early 2023 and four of them allowed for internet-to-baseband remote code execution. An attacker would only need someone's phone number to exploit this vulnerability and compromise the victim's phone silently and remotely.
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." - Tim Willis, Project Zero
The remaining related vulnerabilities are not as severe and would require a malicious mobile network operator or direct access to a device.
Affected smartphones and watches
Samsung is aware of the Exynos bug
According to Samsung's website, the vulnerabilities are in its Exynos Modem 5123 and Exynos Modem 5300, and Exynos 980 and Exynos 1080 chipsets (via 9to5Google). These chips are found in the following devices:
- Samsung Galaxy S22 (only the Exynos-powered variants sold in the UK and Europe), A71, A53, A33, A21s, A13, A12, A04, M33, M13, and M12 series
- Samsung Galaxy Watch 5 and Watch 4
- Vivo S16, S15, S6, X70, X60 and X30 series
- Google Pixel 7 duo, Pixel 6 range, and Pixel 6a
The March software update for the Pixel 7 addressed the most severe vulnerability, CVE-2023-24033. The Pixel 6 and 6a will reportedly get the update later this month. Samsung and Vivo devices remain unprotected, even though Samsung was alerted about the issue 90 days ago.
Project Zero researcher says Samsung was alerted about the issue long ago
Project Zero advises that until a fix is rolled out, users who want to protect their devices from the baseband remote code execution vulnerabilities should turn off Wi-Fi calling and Voice-over-LTE (VoLTE).
Since the four critical bugs are easy to exploit, Project Zero has decided to make an exception to its disclosure policy and is not revealing additional details that may make a hacker's job easier.
Things that are NOT allowed: