Google Project Zero Issues Startling Security Warning To Pixel And Samsung Galaxy Owners
Google's Project Zero found eighteen zero-day vulnerabilities in Exynos modems, of which seven were designated as "most severe" that can allow an attacker—with an exploited phone number—to intercept data passing through the modem to obtain data from text messages and phone calls. Project Zero's blog states that these exploits affect phones manufactured between late 2022 and early 2023.
The team explain that their testing found that, "those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely."
In case you're wondering, the zero-day vulnerability designation means a security loophole that needs to be fixed immediately and may already be actively exploited. So, until individual manufacturers are able to push official patches, it is advised that owners turn off Wi-Fi calling and VoLTE (Voice Over LTE) immediately to avoid being a target.
Based on the CVE (Common Vulnerabilities and Exposures) ID listed in the blog, we can determine that the affected Samsung Exynos chipsets are Exynos 980, Exynos 1080, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. The blog also lists likely affected products:
- Samsung Galaxy smartphones, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
- Vivo smartphones, including the S16, S15, S6, X70, X60 and X30 series;
- Google smartphones, including the Pixel 6 and Pixel 7 series; and
- Vehicles that use the Exynos Auto T5123, which is a 5G-enabled SoC.
