Project Zero , Google's vulnerability research team, announced Thursday the discovery of 18 exposed vulnerabilities in Samsung's Exynos chipset used in mobile devices, wearable devices, and cars.
The team reported security vulnerabilities in Exynos modems during the period from late 2022 to early 2023. According to the team, 4 out of 18 exposed vulnerabilities are the most critical, as they allow remote code execution from the Internet to the baseband. .
Samsung explained that remote code execution vulnerabilities from the Internet to the baseband allow attackers to remotely compromise vulnerable devices without any user interaction.
According to Tim Willis, president of Project Zero, the only information needed to launch the attacks is the victim's phone number. To make matters worse, sophisticated attackers can easily create a vulnerability capable of remotely infecting vulnerable devices without alerting targets.
“Given the very rare combination of the level of access these vulnerabilities provide and the speed with which we believe reliable exploits can be crafted, we decided to make a policy exception to delay disclosure of the four vulnerabilities that allow remote code execution from the Internet into the domain,” Willis said. The basic ».
The remaining 14 vulnerabilities are not critical, but still pose a risk. Successful exploitation requires physical access to hardware, or a malicious operator of the mobile network.
Based on the list of affected chipsets provided by Samsung, the list of affected devices includes, but is not limited to, Samsung smartphones, including: (Galaxy S22) series, (Galaxy M33), (Galaxy M13), and (Galaxy M12), (Galaxy A71), (Galaxy A53), (Galaxy A33), (Galaxy A21), (Galaxy A13), and (Galaxy A04).
The list also includes: mobile devices from Vivo, including: (Vivo S16), (Vivo S15), (Vivo S6), (Vivo X70), (Vivo X60), and (Vivo X30). In addition to phones (Pixel 6) and (Pixel 7) from Google. It also includes any wearable device that uses the (Exynos W920) chipset, and any vehicle that uses the (Exynos Auto T5123) chipset.
While Samsung has already provided security updates that address these vulnerabilities in affected chipsets to other vendors, the patches are not universal and not all affected users can apply them.
The timetable for correcting their devices will vary by company, but, for example, Google addressed the remote code execution vulnerability for affected (Pixel) phones in the March 2023 security updates.
However, until patches are available, users can thwart exploit attempts targeting Samsung's Exynos chipset in their devices by disabling Wi-Fi and Voice-over-LTE (VoLTE) to remove the attack vector.
Samsung also confirmed the (Project Zero) team's solution, saying, "Users can disable WiFi and VoLTE calling to mitigate the impact of this vulnerability."
"As always, we encourage end users to update their devices as soon as possible to ensure they are running the latest versions that fix both discovered and undiscovered vulnerabilities," Willis added.
Tags
Cyber Security