Friday, March 17th 2023

Google's Project Zero Discovers 18 Zero-Day Vulnerabilities in Exynos Chipsets

Google's internal team Project Zero, dedicated to the discovery and patching of zero-day vulnerabilities in mobile hardware, software, web browsers and open source libraries disclosed a series of vulnerabilities in Samsung's Exynos chipsets featured across a wide range of mobile devices. Four of these critical vulnerabilities allow for internet-to-baseband remote code execution, and testing conducted by Project Zero confirmed that an attacker can compromise a phone at the baseband level with only the victim's phone number. They believe that with sufficient skill an attacker could exploit these vulnerabilities completely silently and remotely. The fourteen other vulnerabilities are related but considered to not be as critical as they require a more extensive setup including a malicious mobile network operator or local access to the targeted device.

Due to the severity of the main four critical vulnerabilities Project Zero has delayed full disclosure on how the exploit works stating:
Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution.
While patch timelines vary by manufacturer, Google's March 2023 security updates patched the most critical CVE-2023-24033 vulnerability in certain Pixel 6 and Pixel 7 devices, but many devices remain vulnerable to some or all exploits in the report. Devices include:
  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
  • The Pixel 6 and Pixel 7 series of devices from Google
  • any wearables that use the Exynos W920 chipset
  • any vehicles that use the Exynos Auto T5123 chipset
Mitigations
Project Zero suggests that users with affected devices who are waiting for security patches can mitigate the risk of the main baseband remote code execution vulnerabilities by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. For some devices this is an easy task, however for Google Pixel devices VoLTE is enabled by default with no way to toggle it off. You can however still disable Wi-Fi calling in the Settings app under Network & internet > SIMs > Wi-Fi calling.
Source: Project Zero
Add your own comment

12 Comments on Google's Project Zero Discovers 18 Zero-Day Vulnerabilities in Exynos Chipsets

#2
Scrizz
lexluthermiesterWow! Someone's getting fired!
You mean promoted! :laugh:
Posted on Reply
#3
enb141
Doesn't matters, next year's samsung cell phones will come with newer Exynos.
Posted on Reply
#4
SerPiolo
only the victim's phone number
ONLY phone number? o_O
Posted on Reply
#5
kondamin
enb141Doesn't matters, next year's samsung cell phones will come with newer Exynos.
Most people don’t buy a new phone every year .
Posted on Reply
#6
BoboOOZ
SerPioloONLY phone number? o_O
Terrifying indeed.
Posted on Reply
#7
bonehead123
Next news headline:

"We have discovered another critical exploit in the Exynos Chipsets that will provide direct access to your brain any time/every time you use your phone, thereby granting full read/write permissions to the hackers", hehehe :D
Posted on Reply
#8
lemonadesoda
SSD strategy. Launch, sell, then show reason to buy again!
Posted on Reply
#9
enb141
kondaminMost people don’t buy a new phone every year .
Yes, but they will say, our new phones powered by our new Exynos are the most reliable and secure ever, so that means: buy our new cell phones and get rid of your old junk.
Posted on Reply
#10
sLowEnd
Those are some pretty big vulnerabilities for a wide variety of devices. :o
Posted on Reply
#11
Minus Infinity
Exynos is the gift that keeps on giving, and still Google is persisting with Exynos in the Pixel 8.
Posted on Reply
#12
unwind-protect
Meanwhile, Pixel 6 users did not get a March 2023 update from Google yet, but a huge warning that we are vulnerable via Wifi calling.
Posted on Reply
Add your own comment
Dec 21st, 2024 21:53 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts