Google’s security research unit is warning about a set of vulnerabilities it discovered in certain Samsung chips used in dozens of Android models, wearables, and vehicles, fearing the flaws may eventually be found and exploited by others.
In a blog post, Google Project Zero head Tim Willis stated that in-house security researchers discovered and reported 18 zero-day vulnerabilities in Samsung Exynos modems over the last few months, including four high-severity flaws that could compromise affected devices “silently and remotely” over the cellular network.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker knows the victim’s phone number,” Willis said.
By gaining the ability to remotely run code at a device’s baseband level — essentially the Exynos modems that convert cell signals to digital data — an attacker would be able to gain near-unrestricted access to the data flowing in and out of any affected device, including cellular calls, text messages, and cellular data, without the victim’s knowledge.
As far as disclosures go, it’s unusual to see Google — or any security research firm — raise the alarm on high-severity vulnerabilities before they’re patched. Google acknowledged the public risk, stating that skilled attackers “would be able to quickly create an operational exploit” with minimal research and effort.
According to Project Zero researcher Maddie Stone, Samsung had 90 days to fix the bugs but has yet to do so.
In a March 2023 security listing, Samsung confirmed that several Exynos modems are vulnerable, affecting several Android device manufacturers, but provided few other details.
Affected devices include nearly a dozen Samsung models, Vivo handsets, and Google’s own Pixel 6 and Pixel 7 handsets, according to Project Zero. Wearables and vehicles that use Exynos chips to connect to the cellular network are also affected.
Google stated that patches will vary by manufacturer, but that its Pixel devices have already been patched with its March security updates.
According to Google, users who want to protect themselves can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “remove the exploitation risk of these vulnerabilities” until affected manufacturers push software updates to their customers.
The remaining 14 vulnerabilities, according to Google, were less severe because they required either device access or insider or privileged access to a cell carrier’s systems.