The Project Zero team at Google published a new advisory on Thursday, confirming it reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung between late 2022 and early 2023.
Written by Project Zero head, Tim Willis, the blog post states that four of the vulnerabilities (CVE-2023-24033 and three others that have yet to be assigned CVE-IDs) enabled potential attackers to perform internet-to-baseband remote code execution (RCE).
“Those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number,” Willis explained. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
The remaining fourteen flaws would be less severe because in order to be exploited they need either a malicious mobile network operator or an attacker with local access to the device to perform RCE.
According to Samsung’s product security update webpage, the list of Exynos chipsets affected by the zero-days includes several devices. Google estimated that several Samsung smartphones, including the S22 line, may be affected. Several handheld devices by Vivo are also on the list, as are Google Pixel 6 and Pixel 7 series and all vehicles using the Exynos Auto T5123 chipset.
In the blog post, Willis explained that individual manufacturers are responsible for fixing the vulnerabilities mentioned above – Google has already patched those affecting Pixel phones.
“In the meantime, users with affected devices can protect themselves from the baseband remote code execution vulnerabilities mentioned in this post by turning off WiFi calling and Voice-over-LTE (VoLTE) in their device settings,” reads the post.
“As always, we encourage end users to update their devices as soon as possible to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.”
The disclosure comes days after security researchers from Check Point Software shared information about a new Android vishing (voice phishing) malware tool targeting victims in South Korea.