Google’s security research division is raising the alarm about a number of security holes it found in Samsung semiconductors used in many Android devices, wearables, and cars. It is worried that the holes will soon be found and used against Google.
Tim Willis, the head of Google’s Project Zero, claimed that internal security researchers had discovered and reported 18 zero-day flaws in Exynos modems made by Samsung over the previous few months, including four of the highest severity that could compromise impacted devices “silently and remotely” over the cellular network.
Project Zero tests have shown that these four flaws allow an attacker to remotely compromise a phone at the baseband level without the victim having to do anything, Willis said. The attacker just needs to know the victim’s phone number.
An attacker with the ability to remotely run code at a device’s baseband level, or more specifically on the Exynos modems that convert cell signals to digital data, would be able to gain near-unrestricted access to the data flowing into and out of an affected device, including cellular calls, text messages, and cell data, without disclosing their presence to the victim.
As far as disclosures go, it’s uncommon to see Google, or any security research organization, raise the red flag on serious flaws before they are fixed. According to Google, a skilled attacker “would be able to swiftly construct an operational exploit” with little investigation and work. This was flagged as a risk to the general public.
Maddie Stone, a Project Zero researcher, stated on Twitter that Samsung had 90 days to fix the issues but hadn’t done so.
Samsung said in a March 2023 security list that many Exynos modems are vulnerable, which could affect many Android device makers, but it didn’t say much else.
Project Zero claims that a number of Samsung models, Vivo phones, and Google’s own Pixel 6 and Pixel 7 phones are among the impacted devices. Wearables and automobiles that use Exynos chips to connect to the cellular network are also affected.
The following devices are among those affected:
Google Pixel 6 and Pixel 7 series; connected vehicles that use the Exynos Auto T5123 chipset; Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series; and Vivo mobile devices, including those in the S16, S15, S6, X70, X60, and X30 series.
Google said that patches will be different for each manufacturer, even though its Pixel devices have already received the March security updates.
Google told users to turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings to “reduce the chance that these vulnerabilities will be exploited” until the affected manufacturers release software fixes to their customers.
Google said that the other 14 vulnerabilities were less dangerous because they required either access to a device, or insider or privileged access to a mobile carrier’s networks.