Exynos modem chips are used not only in Samsung’s own smartphones and smartwatches but also by other manufacturers such as Vivo and Google. Now, Google’s Project Zero has found 18 zero-day vulnerabilities in these modem chips, which are also used in vehicles. Four of these vulnerabilities are classified as particularly critical because they allow external programs from the Internet to be executed on the mobile device. All an attacker needs to know is the phone number.

The vulnerabilities in Samsung’s Exynos series of modem chips were discovered in late 2022 and early 2023. The four critical zero-day vulnerabilities (CVE-2023-24033 and three other unclassified bugs) allow “Internet-to-Baseband Remote Code Execution” (RCE). Attackers can thus run software from the Internet on the attacked modem without the user of the device being able to intervene or even noticing.

Samsung describes CVE-2023-24033 in its security updates like this: “The baseband software does not properly validate the format types of the Accept-Type attribute specified by the SDP (Session Description Protocol), which may result in a denial of service or code execution in the Samsung baseband modem.” Affected chips are Exynos Modem 5123 and 5300, Exynos 980 and 1080 and Exynos Auto T5123.
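
As an added illustration (not Samsung’s baseband code and not from Project Zero), the following C example shows the kind of strict validation the advisory says was missing: every format type in an SDP accept-types attribute is checked for length, count and media-type syntax before it is copied. It assumes the MSRP-style `a=accept-types:` syntax of RFC 4975 and a line with its terminator already stripped; the function names and size limits are constructed for this example, and the page gives no further detail on the actual flaw.

```c
#include <stdio.h>
#include <string.h>
#define MAX_TYPES    8   /* constructed limit: entries per attribute */
#define MAX_TYPE_LEN 63  /* constructed limit: bytes per entry, without NUL */

/* RFC 2045 token character: printable ASCII except space and tspecials. */
static int is_token_char(unsigned char c) {
    return c > 0x20 && c < 0x7f && strchr("()<>@,;:\\\"/[]?=", c) == NULL;
}

/* Accepts "*", "type/*" or "type/subtype" with exactly one '/'. */
static int is_format_entry(const char *s, size_t len) {
    size_t i, slash = len;
    if (len == 1 && s[0] == '*') return 1;
    for (i = 0; i < len; i++) {
        if (s[i] == '/') {
            if (slash != len) return 0;          /* second '/' */
            slash = i;
        } else if (!is_token_char((unsigned char)s[i])) {
            return 0;
        }
    }
    return slash > 0 && slash + 1 < len;         /* both sides non-empty */
}

/* Returns the number of entries copied to out, or -1 if the line is rejected. */
int parse_accept_types(const char *line, char out[MAX_TYPES][MAX_TYPE_LEN + 1]) {
    static const char prefix[] = "a=accept-types:";
    int n = 0;
    if (strncmp(line, prefix, sizeof prefix - 1) != 0) return -1;
    const char *p = line + sizeof prefix - 1;
    for (;;) {
        size_t len = strcspn(p, " ");
        if (len == 0 || len > MAX_TYPE_LEN) return -1; /* empty or oversized */
        if (n == MAX_TYPES) return -1;                 /* would overflow out */
        if (!is_format_entry(p, len)) return -1;       /* not a media type */
        memcpy(out[n], p, len);                        /* len <= MAX_TYPE_LEN */
        out[n++][len] = '\0';
        p += len;
        if (*p++ == '\0') return n;                    /* otherwise skip one SP */
    }
}

int main(void) {
    char out[MAX_TYPES][MAX_TYPE_LEN + 1];
    /* Constructed sample lines, not taken from a real capture. */
    printf("%d\n", parse_accept_types("a=accept-types:message/cpim text/plain", out));
    printf("%d\n", parse_accept_types("a=accept-types:text/plain/extra", out));
    return 0;
}
```

The parser fails closed: any entry that is empty, too long, malformed, or beyond the fixed entry count rejects the whole attribute instead of being truncated or skipped.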

Based on this, Google’s Project Zero has identified the following devices as most likely to be vulnerable, but more could be affected:

  • Samsung smartphones of the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series,
  • Vivo smartphones of the S16, S15, S6, X70, X60 and X30 series,
  • Google’s Pixel 6 and 7,
  • Wearables with Exynos W920 chip and
  • Vehicles with Exynos T5123 chip.

However, patches are not yet available for all affected devices. Samsung itself provides security updates, but most of the patches are not yet publicly available and users cannot install them themselves. Google has addressed CVE-2023-24033 for affected Pixel devices in the March 2023 security update. If the system does not yet offer this update on its own, Pixel users should manually search for this 459 MB update in the settings (as was the case with this author’s Pixel 7 Pro).

As long as there is no patch for the affected devices, Google’s Project Zero suggests a workaround: users should switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in the settings. This would eliminate the risk of exploiting these vulnerabilities.

Because these zero-day vulnerabilities present a rare combination of extensive remote access and the speed with which an exploit could be created, Google’s Project Zero has made the information public ahead of schedule. Normally, Google’s Project Zero publishes security gaps with a delay, namely only 30 days after the update is available.

In addition to the four critical vulnerabilities, Google Project Zero found fourteen other vulnerabilities that were classified as less threatening. CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076 and nine others, still without CVE IDs, could still pose a risk. However, exploitation would require manual access to the device or a malicious wireless service provider.


(fds)
