The flaws could compromise certain Samsung chips in dozens of Android models, wearables, and vehicles. Project Zero head Tim Willis confirmed in a recent blog post that the team had discovered and reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung.
They include four top-severity flaws that could allow attackers to infiltrate affected devices “silently and remotely” over the cellular network.
The four vulnerabilities could allow an attacker to compromise a phone at the baseband level with no user interaction and just the victim’s phone number. With this ability, attackers would have unfettered access to incoming and outgoing cellular calls, text messages, and cell data without alerting the victim.
Samsung hasn’t said much
The vulnerabilities are severe, and it is rare for Google or any security research firm to sound the alarm before issues are patched.
Project Zero researcher Maddie Stone has announced on Twitter that Samsung has 90 days to patch the bugs, but no action has been taken so far. Samsung has confirmed that several Exynos modems are vulnerable, affecting numerous Android device manufacturers. However, the company has provided little other information.
According to Project Zero, the impacted devices include nearly a dozen Samsung models, Vivo devices, and Google’s Pixel 6 and Pixel 7 handsets. Wearables and vehicles that rely on Exynos chips for cellular network connectivity are also affected.
Google has confirmed that its Pixel devices are already patched
Google has advised users to switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings to “remove the exploitation risk of these vulnerabilities” until affected manufacturers push software updates to their customers.
The remaining 14 vulnerabilities are deemed less severe as they require access to a device or insider or privileged access to a cell carrier’s systems. The discovery underscores the need for manufacturers to prioritize security and for users to be vigilant and proactive in safeguarding their devices.