Google’s Project Zero team has discovered 18 zero-day vulnerabilities in certain Samsung Exynos chipsets – leading attackers to compromise devices remotely.
While some require local access, others need just a phone number to attack so! Mobile devices, automobiles, and wearables using the Exynos chips are at risk. Though Samsung released the patches for these bugs – the end OEMs are yet to pass them to their users.
Security Bugs in Samsung Chips
Google’s Project Zero has identified 18 zero-day bugs in the Samsung Exynos chips – all reported between late 2022 and early 2023. Four of the 18 zero-day bugs were termed serious, enabling RCE attacks from the device’s Internet to the baseband.
Researchers note that the Exynos “baseband software does not properly check the format types of the accept-type attribute specified by the SDP,” leading to DoS or RCE attacks. What’s more intriguing here is the initial vector needed for an attacker is just the target’s phone number to pull the attack.
End-users still don't have patches 90 days after report…. https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
The 14 other bugs are not that serious but pose enough risk to the users to be compromised. Successful exploitation of these requires some form of local access or a malicious mobile network operator, notes the researchers. Affected devices in this pursuit are the ones using certain Samsung chips, as below;
- Mobile devices like the Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Mobile devices from the brand Vivo, viz S16, S15, S6, X70, X60 and X30 series;
- Google’s Pixel 6 and Pixel 7 series;
- Any wearables using the Exynos W920 chipset;
- Any vehicles using the Exynos Auto T5123 chipset.
Though Samsung has already released patches for these bugs, the partnered OEMs need to pass them on to the end users. And since their update timeline differs based on numerous factors, you should assume being unsafe until they arrive.
Google has already addressed the CVE-2023-24033 for impacted Pixel devices in its March 2023 security update, while other OEMs are still cooking up the patches in their next updates. Until then, users are advised to disable their devices’ Wi-Fi calling, and Voice-over-LTE (VoLTE) features to remove the attack vector.
