Date: 2023-03-17

Google Project Zero researchers warn of very serious vulnerabilities in some Samsung Exynos chips

Google has already released a first patch for its smartphones, but Samsung is still slow to react 90 days after the report

While waiting for a patch, users can protect themselves by disabling Wi-Fi calling and 4G/5G (VoLTE) calling

Google Project Zero announces that three months ago it discovered (and reported) no fewer than 18 security flaws that affect Samsung Exynos chip modems. The component is present in a number of Samsung smartphones, but also in the Google Pixel 6 and Google Pixel 7, many Vivo smartphones, wearables and even cars.

Among the 18 security issues identified, four are particularly critical and allow hackers to access and take control of devices simply by calling their victim. However, as the author of the discovery, researcher Maddie Stone of Project Zero, rightly laments, customers of the affected Samsung smartphones, in particular, have still not received any patch 90 days after the report.

Many Samsung Galaxy smartphones are affected, but they are not the only ones

To give manufacturers time to develop security patches, the researchers leave a three-month period between reporting a flaw and disclosing more precise technical details. Manufacturers usually meet this deadline, but not in this case, at least not for all the affected models. According to Project Zero, the following devices from Samsung, Google and other brands are affected by these security vulnerabilities:

Samsung Galaxy smartphones: S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04

Vivo smartphones: S16, S15, S6, X70, X60 and X30

Google Pixel 6 and Pixel 7

Wearables using the Exynos W920 chip

Vehicles equipped with the Exynos Auto T5123 chip

As for Samsung smartphones, we note that the Galaxy S23 models, all sold with the latest generation Qualcomm Snapdragon chips, are not affected by the flaws. Similarly, the Galaxy S21 and earlier models aren't mentioned by Project Zero researchers, meaning they don't incorporate the defect that allows these 18 security flaws to exist.

However, Samsung has not yet issued any corrections. Google is a bit more considerate as the firm claims to have fixed the issues in its March security update for the Pixel 7. However, the update has yet to reach the Google Pixel 6, Pixel 6 Pro, and Pixel 6a, which means these phones are not currently safe from hackers.

Very concretely, the problem affects the baseband, a radio component that makes it possible to pick up and discern Bluetooth, WiFi, GSM, LTE (4G), and 5G signals. Normally, each stream is well isolated from the others, which prevents injecting malicious code or diverting the component from its intended purpose.

How do you protect yourself anyway?

To protect users, Google Project Zero has decided to withhold the details of 4 particularly serious vulnerabilities. These vulnerabilities would make it possible to execute code on victims' smartphones without any action on their part, simply by calling the target smartphone or by connecting to it wirelessly by any other means.

The Project Zero researchers are nevertheless firm: so that neither Samsung nor Google "fall asleep" on the subject, they announce that the details of these most serious flaws will be revealed in the coming weeks, whether or not the affected firms deliver patches to their users.

If you are affected by the problem and no manufacturer update is yet available, know that there is still an effective way to protect yourself. The only small problem is that this method will reduce the quality of your calls and make you consume more voice minutes (make sure that this does not involve additional costs with your current subscription).

Indeed, Google Project Zero researchers recommend disabling Wi-Fi calling and 4G/5G (VoLTE) calling. At the same time, it is also recommended to check for updates and security patches for your device. It is likely that the affected manufacturers will eventually react, at least for relatively recent models that are still supported with updates and security patches.