
Google's Project Zero Discovers 18 Zero-Day Vulnerabilities in Exynos Chipsets

Google's internal team Project Zero, dedicated to the discovery and patching of zero-day vulnerabilities in mobile hardware, software, web browsers and open source libraries, disclosed a series of vulnerabilities in Samsung's Exynos chipsets, which are featured across a wide range of mobile devices. Four of these critical vulnerabilities allow for internet-to-baseband remote code execution, and testing conducted by Project Zero confirmed that an attacker can compromise a phone at the baseband level with only the victim's phone number. They believe that with sufficient skill an attacker could exploit these vulnerabilities completely silently and remotely. The fourteen other vulnerabilities are related but considered not to be as critical, as they require a more extensive setup, including a malicious mobile network operator or local access to the targeted device.

Due to the severity of the main four critical vulnerabilities, Project Zero has delayed full disclosure on how the exploit works, stating:
"Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution."

While patch timelines vary by manufacturer, Google's March 2023 security updates patched the most critical CVE-2023-24033 vulnerability in certain Pixel 6 and Pixel 7 devices, but many devices remain vulnerable to some or all exploits in the report. Devices include:
  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
  • The Pixel 6 and Pixel 7 series of devices from Google
  • Any wearables that use the Exynos W920 chipset
  • Any vehicles that use the Exynos Auto T5123 chipset

Mitigations
Project Zero suggests that users with affected devices who are waiting for security patches can mitigate the risk of the main baseband remote code execution vulnerabilities by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. For some devices this is an easy task; however, for Google Pixel devices VoLTE is enabled by default with no way to toggle it off. You can, however, still disable Wi-Fi calling in the Settings app under Network & internet > SIMs > Wi-Fi calling.

 
Doesn't matter, next year's Samsung cell phones will come with newer Exynos.
 
Next news headline:

"We have discovered another critical exploit in the Exynos Chipsets that will provide direct access to your brain any time/every time you use your phone, thereby granting full read/write permissions to the hackers", hehehe :D
 
SSD strategy. Launch, sell, then show reason to buy again!
 
Most people don’t buy a new phone every year.
Yes, but they will say, our new phones powered by our new Exynos are the most reliable and secure ever, so that means: buy our new cell phones and get rid of your old junk.
 
Exynos is the gift that keeps on giving, and still Google is persisting with Exynos in the Pixel 8.
 
Meanwhile, Pixel 6 users did not get a March 2023 update from Google yet, but a huge warning that we are vulnerable via Wifi calling.
 