The cybersecurity researchers at Google identified eighteen zero-day vulnerabilities, four of which allowed Hackers to remotely compromise smartphone devices using just the victim’s phone number.
Google Pixel and Samsung phone owners should be cautious, as Google’s bug-hunting team, Project Zero, has discovered as many as 18 security vulnerabilities impacting Exynos modems.
Reportedly, these vulnerabilities, if combined, can allow an adversary to gain complete control over a smartphone without alerting the user. The devices vulnerable to these vulnerabilities include the following:
- Google Pixel 6 and Pixel 7 series
- Vivo S16, S15, S6, X70, X60, and X30 series
- Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series.
In addition, wearable devices using the Exynos W20 chipset, such as Galaxy Watch 4 and 5, and vehicles using the Exynos Auto T5123 chipset are also vulnerable.
According to Project Zero head Tim Willis, these zero-day vulnerabilities were found in late 2022 and early 2023. Out of the 18 security flaws, four allow attackers to compromise the phone remotely using just the victim’s phone number.
In addition, skilled threat actors can create an operational exploit quickly to “silently and remotely” compromise impacted devices. These four flaws are the most crucial of all.
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker knows the victim’s phone number.
Google Project Zero
One of the exploits has been assigned a CVE (Common Vulnerabilities and Exposures) number, CVE-2023-24033, and Google has withheld it, which is a rare instance considering its previous bug disclosures. In this flaw, the impacted baseband model chipsets don’t check the format types that the SDP module specifies, leading to a denial of service attack.
Hence, an attacker can remotely lock the phone and bar the user from using it. It was fixed in Google’s March 2023 security update and has already been implemented in Pixel 7 series phones. However, Pixel 6 series, including Pixel 6 Pro, and Pixel 6a, do not yet have it.
The other 14 vulnerabilities aren’t as critical. Some have been assigned CVEs, including CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, and CVE-2023-26076, while 9 are still awaiting CVEs.
It is worth noting that attackers would need a malicious mobile network operator or local access to the device to exploit them. Although it may sound impossible, a report from June 2022 shows that ISPs have been assisting malicious threat actors in installing malware on victim devices.
The good news, according to Google’s blog post, for Samsung Galaxy S22 owners in the US is that their phones don’t have a Samsung Exynos chipset but a Qualcomm chipset, so their devices aren’t vulnerable. However, European owners of the same phone are not as lucky. Therefore, those using unpatched devices must disable Wi-Fi Calling and VoLTE (voice over LTE).