Google's internal team Project Zero, dedicated to the discovery and patching of zero-day vulnerabilities in mobile hardware, software, web browsers and open source libraries disclosed a series of vulnerabilities in Samsung's Exynos chipsets featured across a wide range of mobile devices. Four of these critical vulnerabilities allow for internet-to-baseband remote code execution, and testing conducted by Project Zero confirmed that an attacker can compromise a phone at the baseband level with only the victim's phone number. They believe that with sufficient skill an attacker could exploit these vulnerabilities completely silently and remotely. The fourteen other vulnerabilities are related but considered to not be as critical as they require a more extensive setup including a malicious mobile network operator or local access to the targeted device.
Due to the severity of the main four critical vulnerabilities Project Zero has delayed full disclosure on how the exploit works stating:
While patch timelines vary by manufacturer, Google's March 2023 security updates patched the most critical CVE-2023-24033 vulnerability in certain Pixel 6 and Pixel 7 devices, but many devices remain vulnerable to some or all exploits in the report. Devices include:
Project Zero suggests that users with affected devices who are waiting for security patches can mitigate the risk of the main baseband remote code execution vulnerabilities by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. For some devices this is an easy task, however for Google Pixel devices VoLTE is enabled by default with no way to toggle it off. You can however still disable Wi-Fi calling in the Settings app under Network & internet > SIMs > Wi-Fi calling.
View at TechPowerUp Main Site | Source
Due to the severity of the main four critical vulnerabilities Project Zero has delayed full disclosure on how the exploit works stating:
Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution.
While patch timelines vary by manufacturer, Google's March 2023 security updates patched the most critical CVE-2023-24033 vulnerability in certain Pixel 6 and Pixel 7 devices, but many devices remain vulnerable to some or all exploits in the report. Devices include:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
- The Pixel 6 and Pixel 7 series of devices from Google
- any wearables that use the Exynos W920 chipset
- any vehicles that use the Exynos Auto T5123 chipset
Project Zero suggests that users with affected devices who are waiting for security patches can mitigate the risk of the main baseband remote code execution vulnerabilities by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. For some devices this is an easy task, however for Google Pixel devices VoLTE is enabled by default with no way to toggle it off. You can however still disable Wi-Fi calling in the Settings app under Network & internet > SIMs > Wi-Fi calling.
View at TechPowerUp Main Site | Source